AIT:Trojan.GenericTKA.499 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f40e86f121154e140f4bf4334a0d7ed5
SHA1: fe33a93f1a58ce9b88aeaf89c95ecdc64be011ab
SHA256: b6acefe5457b2d0b039e8b4a1b2cd91b127980bfca9d6971c4c80f3df1d6f108
SSDeep: 49152:5shdalZe5fqeZGFSoiK7KdnRh0KDGslhcumBu/GhkjUu:61pZGFSIOdnfJCslhcju/xjUu
Size: 2258944 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-11 14:35:32
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The AIT creates the following process(es):
mbae-svc.exe:1912
mbae-svc.exe:2456
mbae-svc.exe:2468
%original file name%.exe:2168
~dsmkseu.tmp:140
~dsmkseu.tmp:192
mbae.exe:2440
mbae-uninstaller.exe:940
The AIT injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process mbae-svc.exe:1912 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Windows\Temp\CabEBB5.tmp (51 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DCE3BDBF5BDD86E2AB5B471CB90709B4_85C433EFF754A27F977106953050D3D3 (1640 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5BF987767EE121EB773E3E93D13C2F30_0B2AEF4FE043D0F11F387BBA16F05698 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DCE3BDBF5BDD86E2AB5B471CB90709B4_85C433EFF754A27F977106953050D3D3 (471 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0197CD123129A6D466C5F0FC1584EA2_4A88EB24CA5B01E154BD51ABA35F33B5 (1 bytes)
C:\Windows\Temp\TarEBB6.tmp (2712 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-service.log (132 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0197CD123129A6D466C5F0FC1584EA2_4A88EB24CA5B01E154BD51ABA35F33B5 (1680 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\exclusions.dat.new (1375 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (1592 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5BF987767EE121EB773E3E93D13C2F30_0B2AEF4FE043D0F11F387BBA16F05698 (1696 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-protector.xpe (459 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (471 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-default.log (8860 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\exclusions.dat (18992 bytes)
The AIT deletes the following file(s):
C:\Windows\Temp\CabEBB5.tmp (0 bytes)
C:\Windows\Temp\TarEBB6.tmp (0 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\exclusions.dat.new (0 bytes)
The process mbae-svc.exe:2456 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Windows\Temp\TarC959.tmp (2712 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-config.dat (108 bytes)
C:\Windows\Temp\CabC958.tmp (48 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\applications.dat (250 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-service.log (264 bytes)
C:\Windows\Temp\TarDECF.tmp (2712 bytes)
C:\Windows\Temp\CabDECE.tmp (51 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (51 bytes)
C:\Windows\Temp\CabC8F9.tmp (48 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-protector.xpe (176 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-default.log (7680 bytes)
C:\Windows\Temp\TarC8FA.tmp (2712 bytes)
The AIT deletes the following file(s):
C:\Windows\Temp\TarC959.tmp (0 bytes)
C:\Windows\Temp\CabC958.tmp (0 bytes)
C:\Windows\Temp\CabDECE.tmp (0 bytes)
C:\Windows\Temp\TarDECF.tmp (0 bytes)
C:\Windows\Temp\CabC8F9.tmp (0 bytes)
C:\Windows\Temp\TarC8FA.tmp (0 bytes)
The process mbae-svc.exe:2468 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
%Program Files%\Malwarebytes Anti-Exploit\mbae64.exe (364 bytes)
%Program Files%\Malwarebytes Anti-Exploit\unins000.exe (720 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-default.log (1044 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae64.sys (69 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.exe (146 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.sys (53 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.dll (368 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.chm (839 bytes)
%Program Files%\Malwarebytes Anti-Exploit\changelog.txt (4 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-uninstall.log (4 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-api.dll (278 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae64.dll (438 bytes)
%Program Files%\Malwarebytes Anti-Exploit\license.rtf (237 bytes)
The process %original file name%.exe:2168 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-config.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autB0A9.tmp (15913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autAE77.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Malwarebytes Anti-Exploit Premium.lnk (974 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~dsmkseu.tmp (13171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dskdsei (3 bytes)
The AIT deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autB0A9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autAE77.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~dsmkseu.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dskdsei (0 bytes)
The process ~dsmkseu.tmp:140 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RNUM0.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit\Uninstall Malwarebytes Anti-Exploit.lnk (1 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-NKMSP.tmp (1425 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-S4QQ8.tmp (5873 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-RV3E9.tmp (50 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-uninstaller.exe (77 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit\Malwarebytes Anti-Exploit.lnk (1 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-I7BH5.tmp (1281 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-7KUT6.tmp (601 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-M8ARN.tmp (25761 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-0OSA6.tmp (18248 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-5B33L.tmp (2105 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-529NH.tmp (2105 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-NJLUP.tmp (601 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-9VUBD.tmp (260 bytes)
%Program Files%\Malwarebytes Anti-Exploit\unins000.dat (4420 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-GSKGA.tmp (2321 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-STMMQ.tmp (5441 bytes)
The AIT deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RNUM0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RNUM0.tmp\_isetup\_shfoldr.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RNUM0.tmp\_isetup (0 bytes)
The process ~dsmkseu.tmp:192 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-U7AEJ.tmp\~dsmkseu.tmp (1416 bytes)
The AIT deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-U7AEJ.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-U7AEJ.tmp\~dsmkseu.tmp (0 bytes)
The process mbae.exe:2440 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-report.dat (12 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-uninstall.log (4 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-default.log (792 bytes)
The process mbae-uninstaller.exe:940 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
%Program Files%\Malwarebytes Anti-Exploit\mbae-uninstall.log (873 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-svc.exe (745 bytes)
Registry activity
The process mbae-svc.exe:1912 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 32 7F C4 47"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 09 00 00 00 00 00 00 00"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The AIT deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"503006091D97D4F5AE39F7CBE7927D7D652D3431"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process mbae-svc.exe:2456 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASMANCS]
"MaxFileSize" = "1048576"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\mbae-svc_RASAPI32]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The AIT deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l1_ropr64_mask"
"l0_vb_disable"
"l0_dah"
"l1_ropr64"
"l1_ropr32_mask"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_dah_mask"
"l1_ropr32"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l3_office_wmi"
"l0_vb_disable_mask"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_xmlhttp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_xmlhttp_mask"
"l3_office_wmi_mask"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
The process mbae-svc.exe:2468 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"uuid" = "9C03934C-9146-44A9-93F3-9CD73F3EEF09"
To run automatically each time Windows boots, the AIT adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit" = "%Program Files%\Malwarebytes Anti-Exploit\mbae.exe"
The process %original file name%.exe:2168 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"key" = "GFTM-95T0-CFF2-R5RY"
"ID" = "9GO1-6CO5"
The process ~dsmkseu.tmp:140 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"URLInfoAbout" = "http://www.malwarebytes.org/"
"Inno Setup: Selected Tasks" = "trial"
"MinorVersion" = "8"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_xmlhttp_mask" = "16777215"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"Publisher" = "Malwarebytes"
"Inno Setup: App Path" = "%Program Files%\Malwarebytes Anti-Exploit"
"Inno Setup: Deselected Tasks" = ""
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_vb_disable" = "65"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"QuietUninstallString" = "%Program Files%\Malwarebytes Anti-Exploit\unins000.exe /SILENT"
"NoRepair" = "1"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_dah_mask" = "16777215"
"l1_ropr32" = "0"
"l3_office_wmi" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"EstimatedSize" = "6626"
"InstallDate" = "20161021"
"DisplayIcon" = "%Program Files%\Malwarebytes Anti-Exploit\mbae.exe"
"DisplayVersion" = "1.8.1.2563"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l1_ropr64_mask" = "16777215"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"Inno Setup: Language" = "en"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l1_ropr32_mask" = "16777215"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"HelpLink" = "http://www.malwarebytes.org/"
"DisplayName" = "Malwarebytes Anti-Exploit version 1.8.1.2563"
"URLUpdateInfo" = "http://www.malwarebytes.org/"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_vb_disable_mask" = "16777215"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"Inno Setup: Icon Group" = "Malwarebytes Anti-Exploit"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l3_office_wmi_mask" = "16777215"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"InstallLocation" = "%Program Files%\Malwarebytes Anti-Exploit\"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l1_ropr64" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_dah" = "65"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"Inno Setup: Setup Version" = "5.5.6 (a)"
"MajorVersion" = "1"
"UninstallString" = "%Program Files%\Malwarebytes Anti-Exploit\unins000.exe"
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"l0_xmlhttp" = "65"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes Anti-Exploit_is1]
"Inno Setup: User" = "%CurrentUserName%"
The process mbae.exe:2440 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"Path" = "%Program Files%\Malwarebytes Anti-Exploit\"
The process mbae-uninstaller.exe:940 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Malwarebytes Anti-Exploit]
"Path" = "%Program Files%\Malwarebytes Anti-Exploit"
Dropped PE files
MD5 | File path |
---|---|
3b10b94da6006e54c1ca9167cfef64f7 | c:\Program Files\Malwarebytes Anti-Exploit\mbae-api.dll |
94a5e35d81c121a74e6ac4dc58aa869b | c:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe |
6ffaf36199ed9f99dc96a44f2a7913ae | c:\Program Files\Malwarebytes Anti-Exploit\mbae-uninstaller.exe |
54a25ef96bf3ce8b8814465f722c7937 | c:\Program Files\Malwarebytes Anti-Exploit\mbae.dll |
54137098aa6c3b65df277130a9123ff5 | c:\Program Files\Malwarebytes Anti-Exploit\mbae.exe |
2ac0ff83258e8faa5215422e85397a90 | c:\Program Files\Malwarebytes Anti-Exploit\mbae.sys |
eb298df428ffbbeb705c45d95c8cb8bc | c:\Program Files\Malwarebytes Anti-Exploit\mbae64.dll |
2537dae3f1f4b3fb8a72312afa754564 | c:\Program Files\Malwarebytes Anti-Exploit\mbae64.exe |
67fa5ecd5a643cfcef30df4dd263cfa5 | c:\Program Files\Malwarebytes Anti-Exploit\mbae64.sys |
eee39b7aa09950e41f5e1ab30c944b9b | c:\Program Files\Malwarebytes Anti-Exploit\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mbae-svc.exe:1912
mbae-svc.exe:2456
mbae-svc.exe:2468
%original file name%.exe:2168
~dsmkseu.tmp:140
~dsmkseu.tmp:192
mbae.exe:2440
mbae-uninstaller.exe:940
- Delete the original AIT file.
- Delete or disinfect the following files created/modified by the AIT:
C:\Windows\Temp\CabEBB5.tmp (51 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DCE3BDBF5BDD86E2AB5B471CB90709B4_85C433EFF754A27F977106953050D3D3 (1640 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5BF987767EE121EB773E3E93D13C2F30_0B2AEF4FE043D0F11F387BBA16F05698 (1 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DCE3BDBF5BDD86E2AB5B471CB90709B4_85C433EFF754A27F977106953050D3D3 (471 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0197CD123129A6D466C5F0FC1584EA2_4A88EB24CA5B01E154BD51ABA35F33B5 (1 bytes)
C:\Windows\Temp\TarEBB6.tmp (2712 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-service.log (132 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0197CD123129A6D466C5F0FC1584EA2_4A88EB24CA5B01E154BD51ABA35F33B5 (1680 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\exclusions.dat.new (1375 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (1592 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5BF987767EE121EB773E3E93D13C2F30_0B2AEF4FE043D0F11F387BBA16F05698 (1696 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-protector.xpe (459 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB (471 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-default.log (8860 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1720 bytes)
C:\Windows\Temp\TarC959.tmp (2712 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-config.dat (108 bytes)
C:\Windows\Temp\CabC958.tmp (48 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\applications.dat (250 bytes)
C:\Windows\Temp\TarDECF.tmp (2712 bytes)
C:\Windows\Temp\CabDECE.tmp (51 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (51 bytes)
C:\Windows\Temp\CabC8F9.tmp (48 bytes)
C:\Windows\Temp\TarC8FA.tmp (2712 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae64.exe (364 bytes)
%Program Files%\Malwarebytes Anti-Exploit\unins000.exe (720 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae64.sys (69 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.exe (146 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.sys (53 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.dll (368 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae.chm (839 bytes)
%Program Files%\Malwarebytes Anti-Exploit\changelog.txt (4 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-uninstall.log (4 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-api.dll (278 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae64.dll (438 bytes)
%Program Files%\Malwarebytes Anti-Exploit\license.rtf (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autB0A9.tmp (15913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\autAE77.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Malwarebytes Anti-Exploit Premium.lnk (974 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~dsmkseu.tmp (13171 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\dskdsei (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-RNUM0.tmp\_isetup\_shfoldr.dll (47 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit\Uninstall Malwarebytes Anti-Exploit.lnk (1 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-NKMSP.tmp (1425 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-S4QQ8.tmp (5873 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-RV3E9.tmp (50 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-uninstaller.exe (77 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit\Malwarebytes Anti-Exploit.lnk (1 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-I7BH5.tmp (1281 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-7KUT6.tmp (601 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-M8ARN.tmp (25761 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-0OSA6.tmp (18248 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-5B33L.tmp (2105 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-529NH.tmp (2105 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-NJLUP.tmp (601 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-9VUBD.tmp (260 bytes)
%Program Files%\Malwarebytes Anti-Exploit\unins000.dat (4420 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-GSKGA.tmp (2321 bytes)
%Program Files%\Malwarebytes Anti-Exploit\is-STMMQ.tmp (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-U7AEJ.tmp\~dsmkseu.tmp (1416 bytes)
C:\ProgramData\Malwarebytes Anti-Exploit\mbae-report.dat (12 bytes)
%Program Files%\Malwarebytes Anti-Exploit\mbae-svc.exe (745 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit" = "%Program Files%\Malwarebytes Anti-Exploit\mbae.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Silentall Unattended Installer
Product Name: Silentall Unattended Installer
Product Version: 1.08.1.2563
Legal Copyright: (c) 2016 ronaldinho424
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.8.1.2563
File Description: Malwarebytes Anti-Exploit Premium
Comments: Silentall Unattended Installer
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 2437120 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 2441216 | 352256 | 352256 | 5.50045 | 05f739bace6d247779e9235fe8a1627b |
.rsrc | 2793472 | 1908736 | 1905664 | 5.5369 | 577216105e3ebafafb29648bca0517c7 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab | |
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt | |
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBDhj6fw= | |
hxxp://e6913.dscx.akamaiedge.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTYqntZF2XfWd4vuxzYev4PhVs0zQQUHvGriQb4SQ8BM3fuFHruGXyTKE0CBEwhRy4= | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | |
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAj4jlPwZIuvXpNNJR8w12Q= | |
hxxp://vip0x062.ssl.hwcdn.net/v2/mbae/consumer/version.chk | |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt | 212.30.134.176 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= | 93.184.220.29 |
hxxp://data-cdn.mbamupdates.com/v2/mbae/consumer/version.chk | 205.185.208.98 |
hxxp://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAj4jlPwZIuvXpNNJR8w12Q= | 93.184.220.29 |
hxxp://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBDhj6fw= | |
hxxp://ocsp.entrust.net/MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTYqntZF2XfWd4vuxzYev4PhVs0zQQUHvGriQb4SQ8BM3fuFHruGXyTKE0CBEwhRy4= | |
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | 212.30.134.176 |
sirius.mwbsys.com | 52.20.157.221 |
cdn.mwbsys.com | 2.22.0.187 |
stats.mbamupdates.com | 54.204.0.64 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /v2/mbae/consumer/version.chk HTTP/1.1
Connection: Keep-Alive
Host: data-cdn.mbamupdates.com
HTTP/1.1 200 OK
Date: Fri, 21 Oct 2016 17:51:18 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1470170327"
Cache-Control: public, must-revalidate, max-age=20
Content-Length: 11
Content-Type: text/plain; charset=UTF-8
X-HW: 1477072278.dop003.fr7.t,1477072278.cds064.fr7.c
Last-Modified: Tue, 02 Aug 2016 20:38:47 GMT
1.08.1.2572
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=499345
Content-Type: application/ocsp-response
Date: Fri, 21 Oct 2016 17:51:12 GMT
Etag: "5809f279-1d7"
Expires: Fri, 28 Oct 2016 05:51:12 GMT
Last-Modified: Fri, 21 Oct 2016 10:48:25 GMT
Server: ECS (vie/F2D5)
X-Cache: HIT
Content-Length: 471
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY+sl+j4yzQuAcL2oQno5fCgQUUWj/kK8CB3U8zNllZGKiErhZcjsCEAj4jlPwZIuvXpNNJR8w12Q= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=517181
Content-Type: application/ocsp-response
Date: Fri, 21 Oct 2016 17:51:18 GMT
Etag: "580a3c90-1d7"
Expires: Fri, 28 Oct 2016 05:51:18 GMT
Last-Modified: Fri, 21 Oct 2016 16:04:32 GMT
Server: ECS (vie/F2B5)
X-Cache: HIT
Content-Length: 471
<<< skipped >>>
GET /MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTXgePhfsJco9hFmE0qWx1GtVqUPQQUKnCVOp/2k8XzisWoY7s9lCzmygcCBDhj6fw= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.entrust.net
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Transfer-Encoding: Binary
Content-Length: 1947
Last-Modified: Fri, 21 Oct 2016 16:49:09 GMT
ETag: "CB8130CC666376BBAB5A4878C96F893E4CE52AE2"
Cache-Control: public, no-transform, must-revalidate, max-age=2154
Expires: Fri, 21 Oct 2016 18:26:55 GMT
Date: Fri, 21 Oct 2016 17:51:01 GMT
Connection: keep-alive
0..........0..... .....0.....}0..y0..[...0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)1%0#..U....Entrust Validation Authority..20161021164909Z0g0e0=0... ............~.\..E.M*[.F.Z.=..*p.:........c.=.,.....8c......20161021164909Z....20161028164909Z0...*.H.............3S..."9.A.B......EgS.5.W...}...V.z=-....<.n.J..:s.'2...i.......<5.a.."u?q&.{.......4{.Z...VF".5..%.o*$...R|.......l.[\e. ..b=..............Y.)7.8QDH.z>.1....2....$...a...v.#....;B. ...wE.p..CH..v.....*B..)............4%..b.O.#]}n4...{..O......i..d..w.....V....0...0...0..........Q...0...*.H........0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)0...150629175734Z..180630000604Z0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)1%0#..U....Entrust Validation Authority0.."0...*.H.............0...........U....L.^A."@m.i.7.A..%{........?.>......L.../.v.Q.N......Z.g)..A@.u..zoi.8.....L>m.6.h.;[^.k.X\........Uy.q...e...fB_6.T.6......".Y.."..|....D.*..~..|.....Wa.d......o..)Na.S.c..Q.......&E.....y..H......f.......XH`..x.[21.1,.#.Q.g...g......u.....D...^..3........0..0...U........0...U.%..0... .......0... .....0......02..U... 0)0'.%.#.!ht
<<< skipped >>>
GET /MEUwQzBBMD8wPTAJBgUrDgMCGgUABBTYqntZF2XfWd4vuxzYev4PhVs0zQQUHvGriQb4SQ8BM3fuFHruGXyTKE0CBEwhRy4= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.entrust.net
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Content-Transfer-Encoding: Binary
Content-Length: 1939
Last-Modified: Fri, 21 Oct 2016 16:31:10 GMT
ETag: "F268C9A2A2357D28AF3DA40EF76537FFABEF6319"
Cache-Control: public, no-transform, must-revalidate, max-age=2087
Expires: Fri, 21 Oct 2016 18:25:53 GMT
Date: Fri, 21 Oct 2016 17:51:06 GMT
Connection: keep-alive
0..........0..... .....0.....u0..q0..X...0..1.0...U....US1.0...U....Entrust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009 Entrust, Inc.1.0,..U...%Entrust Certification Authority - L1C1%0#..U....Entrust Validation Authority..20161021163110Z0g0e0=0... ..........{Y.e.Y./...z...[4.........I..3w..z..|.(M..L!G.....20161020212303Z....20161028163110Z0...*.H..............@..e..ui../...M.a..C..i..H!...q.n"y..l:.'......5...:KO.~.?*..I.....7ve..p......'_.0$T........cza.i.F-...1..6.*.`.<....\.6._|)ZF.^.......?.^B..|....B.6...|.).U....W.T...".M.i..]...v....4.........u.}.........h|.*.2..{.6..V{.7..\.1...a. ...qc/X..*...?j.[........0...0...0..........L$..0...*.H........0..1.0...U....US1.0...U....Entrust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009 Entrust, Inc.1.0,..U...%Entrust Certification Authority - L1C0...150629123313Z..180630065727Z0..1.0...U....US1.0...U....Entrust, Inc.1907..U...0VVV.entrust.net/rpa is incorporated by reference1.0...U....(c) 2009 Entrust, Inc.1.0,..U...%Entrust Certification Authority - L1C1%0#..U....Entrust Validation Authority0.."0...*.H.............0...........U....L.^A."@m.i.7.A..%{........?.>......L.../.v.Q.N......Z.g)..A@.u..zoi.8.....L>m.6.h.;[^.k.X\........Uy.q...e...fB_6.T.6......".Y.."..|....D.*..~..|.....Wa.d......o..)Na.S.c..Q.......&E.....y..H......f.......XH`..x.[21.1,.#.Q.g...g......u.....D...^..3........0..0...U........0...U.%..0... .......0... .....0......03.. ........'0%0#.. .....0...hXXp://ocsp.ent
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/503006091D97D4F5AE39F7CBE7927D7D652D3431.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Thu, 23 Jul 2015 23:16:35 GMT
Accept-Ranges: bytes
ETag: "80b4b9e9dc5d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1070
Date: Fri, 21 Oct 2016 17:50:55 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
0..*0..........8c..0...*.H........0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)0...991224175051Z..290724141512Z0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1999 Entrust.net Limited1301..U...*Entrust.net Certification Authority (2048)0.."0...*.H.............0.........MK...... ...d* K...JM...v.g.x@.sB.h..S .^.v.5....|.:..[....$......}..kK.......@$..t....).....w.U...~.jd.....[.2Po=..f.....I.v.I.......g/...q.`.-.,..vf{...x.eS]<....)../.P..H..2U...dL....u.....U`.0).{H.i..5?..]zz......"T...&...Ih...G...B..M.o&...!bfCp...........B0@0...U...........0...U.......0....0...U......U...........1..$...p0...*.H.............;..V.0.S.|zy.M.........3|Fc..f$.@.!'..rs.O.1....LhS.........]=..n.......?....../....W,.....D...O...}W./...Z..n..:....ly^y.....L.;e<..=..........^[..#.h....'\.-o0......Z....'..y..y.3W.....Bl..V..m....~....!...<y/^..L...."7..C.......g.oH..V... |^.v.Y..|.5.eQHTTP/1.1 200 OK..Content-Type: application/x-x509-ca-cert..Last-Modified: Thu, 23 Jul 2015 23:16:35 GMT..Accept-Ranges: bytes..ETag: "80b4b9e9dc5d01:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 1070..Date: Fri, 21 Oct 2016 17:50:55 GMT..Connection: keep-alive..X-CCC: RU..X-CID: 2..0..*0..........8c..0...*.H........0..1.0...U....Entrust.net1@0>..U...7VVV.entrust.net/CPS_2048 incorp. by ref. (limits liab.)1%0#..U....(c) 1
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 06 Apr 2012 21:14:57 GMT
If-None-Match: "805e67513a14cd1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/vnd.ms-cab-compressed
Last-Modified: Fri, 16 Sep 2016 21:16:59 GMT
Accept-Ranges: bytes
ETag: "8017f9a85f10d21:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 51425
Date: Fri, 21 Oct 2016 17:50:46 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2
MSCF............,...................I.................0I;o .authroot.stl....7.8..CK...<Tk.......&{.-{.A......"K.P.,.M.$..E......^..*K...l..R.l...6......}....y.......}...4.....*.g.7..33d..-....0LdGYqL.\..BL..,M..*.`..Vg........(....4# . ...... ...ITC......(.x.w.f.F.......iW.0.T.M._..oC.........e.%. \..F...%L{}>.....d.$..<uC:[.]...*5..<...s.F...dRz..N.w..$;<.E.iw..%.B.....\.'p...s.FWN.......<vr.,..).]5..........y@.P ...5P(D...(.:....k...5........@a`.......P$.A(y.......`e`.t._.'..|....D..Td...........f....Y.<,F...'................qs.&D...T.V...2].X...i;.U29.....Dh....7..B...0....aA.ix.!.vT.}!.pyC.@V[0..Jm.$u.. 0..^...."y...y.......k...~$...R$..-..v2B..Z.8..}.kB..n..&.ox#.......%9.#..........O>.(9i./..{...K..*[.3....y..K#.*.<.-..y4,......X.B.hM.R#...9.l.&b4..^..z....L..d.N.-.......]....N.>.Z.......*....:.....TK...v"Ik.B.A..blI.h..&.6.I#..b.....)C(D....;..T.7.i~T..Z...'.,qQ2$..b....\S'.P..}./.{.,X.[.<C..x...i'.;........>p*.)t.c.,...^.0.jt...-..~..kDX..T......../....-.EF.k,..w0..l..a....,...y~v.O...U.>..G.H..JZ.......k..Pw.h30..,.$..).S.W..$.%.[zby..^.@X6U/..Y.i..C.. .Py... B.V..qQ....0./.._G._G8,..cF:.......|.&9'..L.&sGG.N$f....Q.i..!.".P)T..A. &..0....<.......2@...o.e)...v...R.p.:....."y.......,....Wor.;........W.m..;vnT..c;.pHeF.....X....,. R........Vb....YU.9g.<.X.3..jH..%..>0.....O....-....u.|...<..OQ.G......{&..E..-R::....G........!.(g.....i...UX"q....7...a{.?.=N.....]D..qD.........0}=..!..a...;..O..Ir.x!...................v....&..% Y.l......a).:V...p.S..7.?...
<<< skipped >>>
Map
The AIT connects to the servers at the following location(s):
Strings from Dumps
SearchProtocolHost.exe_2248:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
0xx=
%s(%d)
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
0xx%p%S%d
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
%S(%d)
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610
SearchFilterHost.exe_564:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
0xx%p%S%d
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
0xx=
%S(%d)
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610
WMIADAP.EXE_1828:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
wbemcomn.dll
OLEAUT32.dll
ole32.dll
loadperf.dll
FEw.AEw]FEw
`.bik
PSSSSSSh
WMIADAP.exe
?CloseSubKey@CRegistry@@AAEXXZ
?CreateOpen@CRegistry@@QAEJPAUHKEY__@@PBGPAGKKPAU_SECURITY_ATTRIBUTES@@PAK@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBG@Z
?DeleteCurrentKeyValue@CRegistry@@QAEKPBG@Z
?DeleteKey@CRegistry@@QAEJPAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGPAEPAK@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentBinaryKeyValue@CRegistry@@QAEKPBGPAEPAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?GetCurrentRawKeyValue@CRegistry@@AAEKPAUHKEY__@@PBGPAXPAK3@Z
?GetCurrentRawSubKeyValue@CRegistry@@AAEKPBGPAXPAK2@Z
?GetCurrentSubKeyCount@CRegistry@@QAEKXZ
?GetCurrentSubKeyName@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyPath@CRegistry@@QAEKAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAK@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?GetCurrentSubKeyValue@CRegistry@@QAEKPBGPAXPAK@Z
?GetLongestSubKeySize@CRegistry@@QAEKXZ
?GethKey@CRegistry@@QAEPAUHKEY__@@XZ
?LocateKeyByNameOrValueName@CRegistrySearch@@QAEHPAUHKEY__@@PBG1PAPBGKAAVCHString@@3@Z
?NextSubKey@CRegistry@@QAEKXZ
?Open@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenAndEnumerateSubKeys@CRegistry@@QAEJPAUHKEY__@@PBGK@Z
?OpenLocalMachineKeyAndReadValue@CRegistry@@QAEJPBG0AAVCHString@@@Z
?OpenSubKey@CRegistry@@AAEKXZ
?RewindSubKeys@CRegistry@@QAEXXZ
?SearchAndBuildList@CRegistrySearch@@QAEHVCHString@@AAVCHPtrArray@@00HPAUHKEY__@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHStringArray@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAK@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHString@@@Z
?SetCurrentKeyValue@CRegistry@@QAEKPBGAAVCHStringArray@@@Z
?SetCurrentKeyValueExpand@CRegistry@@QAEKPAUHKEY__@@PBGAAVCHString@@@Z
?myRegCreateKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKPAGKKQAU_SECURITY_ATTRIBUTES@@PAPAU2@PAK@Z
?myRegDeleteKey@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegDeleteValue@CRegistry@@AAEJPAUHKEY__@@PBG@Z
?myRegEnumKey@CRegistry@@AAEJPAUHKEY__@@KPAGK@Z
?myRegEnumValue@CRegistry@@AAEJPAUHKEY__@@KPAGPAK22PAE2@Z
?myRegOpenKeyEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPAPAU2@@Z
?myRegQueryInfoKey@CRegistry@@AAEJPAUHKEY__@@PAGPAK22222222PAU_FILETIME@@@Z
?myRegQueryValueEx@CRegistry@@AAEJPAUHKEY__@@PBGPAK2PAE2@Z
?myRegSetValueEx@CRegistry@@AAEJPAUHKEY__@@PBGKKPBEK@Z
QSSh0
Invalid parameter passed to C runtime function.
ntdll.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegEnumKeyW
RegDeleteKeyW
RegQueryInfoKeyW
_amsg_exit
_acmdln
?Report@CEventLog@@QAEHGKVCInsertionString@@000000000@Z
WMIADAP.pdb
5m6z6
%s_x
%s_x_
Global\WMI_SysEvent_Semaphore_%d
WinMSGWMIADAP
\\.\root\cimv2
WMIADAP Msg window
\\.\root\wmi
PSAPI.DLL
x=%s
Describes all the counters supported via WMI Hi-Performance providers
_new.ini
xx %s%s.ini
xx %s
\\.\ROOT\cimv2:__ClassProviderRegistration.provider="\\\\.\\root\\cimv2:__Win32Provider.Name=\"WmiPerfClass\""
WmiApRes.dll
%s\%s
6.1.7600.16385 (win7_rtm.090713-1255)
wmicookr.dll
Windows
Operating System
6.1.7600.16385
mbae-svc.exe_1912:
.text
`.rdata
@.data
.rsrc
@.reloc
t.PSh
SSSSh
s%j.Zf
@Ew.AEw
kCv.SCv!
;3:'84!<:>
kernelbase.dll
%s%d\%s\
%s%s%s%d
%s%s%s%d$%x
%s%d\
%s%s%d
%s%s%d$%x
%s$%x
'02
%s$x$x
msvcrt.dll
$x
-60%!<:>
6666666666666666
GetProcessWindowStation
operator
Port
%s - d:d:d %s %s:
Kernel32.dll
kernel32.dll
.jpeg
------------------------xx
Content-Disposition: form-data; name="%s"; filename="%s"
--%s--
Content-Type: multipart/form-data; boundary=%s
Content-Length: %d
X-MB-SKU: %s
X-MB-VERSION: %s
F:\Jenkins\workspace\mbae-consumer-unsigned\mbae\bin\Release\mbae-svc.pdb
WS2_32.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
RegOpenKeyExW
RegCloseKey
ReportEventW
RegEnumKeyW
RegCreateKeyW
RegDeleteKeyW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
NETAPI32.dll
VERSION.dll
HttpSendRequestW
HttpAddRequestHeadersW
HttpQueryInfoW
HttpOpenRequestA
HttpOpenRequestW
HttpAddRequestHeadersA
WININET.dll
WTSAPI32.dll
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpConnect
WinHttpCloseHandle
WinHttpQueryDataAvailable
WinHttpOpen
WinHttpOpenRequest
WinHttpReadData
WINHTTP.dll
CertGetNameStringW
CertFreeCertificateContext
CRYPT32.dll
WINTRUST.dll
ImageGetCertificateData
ImageEnumerateCertificates
ImageGetCertificateHeader
imagehlp.dll
GetCPInfo
S^p.vN
%Program Files%\Malwarebytes Anti-Exploit\mbae-svc.exe
True/PM
9#959:9?9|9
77S7Z7j7s7
7%8X8e8o8
>*>7>=>\>
4$434@4^4
00k0}0
>$>1>7>[>
9Ÿ9V9]9m9v9
>&? ?=?[?
9&: :=:[:
8!8'868]8
0*1/141^1
9Ÿ9k9
5&6 6=6[6
8!81878?8
4"4,434=4[4
5e6?6~6
4)505>5`5
0$0
8$8(8,808
advapi32.dll
SendIpcMessage: *** LpcPortThread did not fill in the process ID
SendIpcMessage: NtConnectPort complete
%s(%d): NtConnectPort complete
NtCreatePort succeeded
LpcPortThread: Rejecting connection request because accepting it failed
LpcPortThread: Completing connection request
LpcPortThread: Accepting connection request
LpcPortThread: Rejecting connection request because queue is shutting down
LpcPortThread: Got message from client
InitIpcAnswer: Opening existing answer file mapping. name=%S
InitIpcAnswer: Creating Answer file mapping. name=%S
CloseIpcAnswer: CloseHandle(Event2) failed: %d
CloseIpcAnswer: CloseHandle(Event1) failed: %d
CloseIpcAnswer: CloseHandle(Map) failed: %d
CloseIpcAnswer: UnmapViewOfFile failed: %d
%S%S$%x
** PipedIpcThread1: InitIpcAnswer returned False
PipedIpcThread1: Creating PipedIpcThread2
PipedIpcThread1: InitIpcAnswer returned True
PipedIpcThread1: Failed reading message buffer
PipedIpcThread1: Failed reading value of answer length
PipedIpcThread1: Failed reading value of session
PipedIpcThread1: Failed reading value of counter
PipedIpcThread1: Starting a new message...
PipedIpcThread1: Failed reading value of message length
PipedIpcThread1: After callback issued, answer length is %d. Setting Event2 and closing answer
HandlePipedIpcMessage: Invoking client registered callback...
ReadFromPipe: Error reading from pipe: ReadFile returned False
ReadFromPipe: Error reading from pipe: Number read was %d, requested was %d
ntdll.dll
%S$%x
PatchExportTable
public %s
sub_%0X
%sloc_%0X
loc_%0X:
PatchMyImportTables
push %seg
pop %seg
setÌ
cmovÌ
66006666
xmm%d
st(%d)
%s (%0Xh)
%0Xh
-%0Xh
%s:%s
%0Xh:%0Xh
%0Xh, %0Xh
BAD ptr %s
oword ptr %s
tbyte ptr %s
qword ptr %s
dword ptr %s
word ptr %s
byte ptr %s
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
..\..\mbae-common\MbaeLog.cpp
Error %d in swprintf_s
mbae-default.log
%s.bak
Memory allocation error in log file: %s - %d
%s-%s(%d) - d/d/d - d:d:d - #%X# - %s: %s -
%d - %u
Error opening the log file: %s - %d
Error writting the log file: %s - %d - %d
%s-d/d/d - d:d:d - %s
Memory allocation error in log file: %d
wcstombs_s error in log file: %s - %d
Bias: %d - DaylightBias: %d - StandardBias: %d - Hour: %d - Mode: %d
%s - %d - %s - %d - %s - %d - %d - %d - %d - %s - %d - %d - %d - %d - %s - %s - %s - %s - %s
mbae-alert.log
0xX
"d-d-dTd:d:d.d%cd:d";"%s";"%s";"%s";"%s";"%s";"%d";"%s";"%s";"%s";"%s";"%s";"%s";"%s";"%s";"%s";"%s";"%s";"%s";"%s"
mbae-service.log
"d-d-dTd:d:d.d%cd:d";"%s";"%d";"%s";"%s";"%s"
SHGetFolderPath: %d
%s\%s\
%s\%s
mbae-protector.xpe
GetWindowsVersion
Windows 10
Windows Server 10
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8.0
Windows Server 2012
Windows 8.1
Windows Server 2012 R2
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64
Windows Server 2003
Windows Server 2003 Datacenter Edition for Itanium-based Systems
Windows Server 2003 Enterprise Edition for Itanium-based Systems
Windows Server 2003 Datacenter AMDx64 Edition
Windows Server 2003 Enterprise AMDx64 Edition
Windows Server 2003 Standard AMDx64 Edition
Windows Server 2003 Compute Cluster Edition
Windows Server 2003 Datacenter Edition
Windows Server 2003 Enterprise Edition
Windows Server 2003 Web Edition
Windows Server 2003 Standard Edition
Windows XP Home Edition
Windows XP Professional Edition
Windows 2000 ProfessionaL
Windows 2000 DataCenter Server
Windows 2000 Advanced Server
Windows 2000 Server
..\..\mbae-common\MbaeVersion.cpp
%d.d.%d.%d
%d.d.%d.%d
0.0.0.0
0.0.0.0
..\MainSvc.cpp
..\MainSvc.cpp
Reinstall: %d
Reinstall: %d
%s - OS: %s %s - %s - %s
%s - OS: %s %s - %s - %s
MUID: %s
MUID: %s
ReportStatusToSCMgr
ReportStatusToSCMgr
%s error: %d
%s error: %d
%s - OS: %s %s - %s - %s // %d - %d - %d
%s - OS: %s %s - %s - %s // %d - %d - %d
CmdInstallService
CmdInstallService
%s(%d): Unable to install %s - %s
%s(%d): Unable to install %s - %s
Unable to install %s - %s
Unable to install %s - %s
%s(%d): InstallTrialVersion failed - %s
%s(%d): InstallTrialVersion failed - %s
InstallTrialVersion failed - %s
InstallTrialVersion failed - %s
%s(%d): OpenSCManager failed - %s
%s(%d): OpenSCManager failed - %s
OpenSCManager failed - %s
OpenSCManager failed - %s
"%s" /reinstall
"%s" /reinstall
%s(%d): CreateService failed - %s
%s(%d): CreateService failed - %s
CreateService failed - %s
CreateService failed - %s
%s(%d): ChangeServiceConfig2 failed - %s
%s(%d): ChangeServiceConfig2 failed - %s
ChangeServiceConfig2 failed - %s
ChangeServiceConfig2 failed - %s
mbae.exe
mbae.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s(%d): StartService failed - %s
%s(%d): StartService failed - %s
StartService failed - %s
StartService failed - %s
%s(%d): %s installed - %d.
%s(%d): %s installed - %d.
%s installed - %d.
%s installed - %d.
%s(%d): %s failed to start.
%s(%d): %s failed to start.
%s failed to start.
%s failed to start.
%s - OS: %s %s - %s - %s // %s - %d
%s - OS: %s %s - %s - %s // %s - %d
CmdDelService
CmdDelService
MUID: %s - %s
MUID: %s - %s
%s(%d): OpenService failed - %s: %s
%s(%d): OpenService failed - %s: %s
OpenService failed - %s: %s
OpenService failed - %s: %s
Stopping %s.
Stopping %s.
%s(%d):
%s(%d):
%s stopped.
%s stopped.
%s failed to stop.
%s failed to stop.
ControlService error(%d): %s.
ControlService error(%d): %s.
%s(%d): %s deleted.
%s(%d): %s deleted.
%s deleted.
%s deleted.
%s(%d): DeleteService failed - %s
%s(%d): DeleteService failed - %s
DeleteService failed - %s
DeleteService failed - %s
mbae.dll
mbae.dll
mbae64.dll
mbae64.dll
CmdDebugService
CmdDebugService
%s(%d): CmdDebugService CommandLineToArgvW returned NULL
%s(%d): CmdDebugService CommandLineToArgvW returned NULL
CmdDebugService CommandLineToArgvW returned NULL
CmdDebugService CommandLineToArgvW returned NULL
Debugging %s.
Debugging %s.
%s(%d): Debugging %s.
%s(%d): Debugging %s.
mbae-svc.exe
mbae-svc.exe
%s%s /Install
%s%s /Install
%s(%d): Stopping %s.
%s(%d): Stopping %s.
%s (0x%x)
%s (0x%x)
mbae64.exe
mbae64.exe
%s %s
%s %s
mbae - consumer_%s (service) - base:%s -
mbae - consumer_%s (service) - base:%s -
..\ScvExploitFiles.cpp
..\ScvExploitFiles.cpp
%s%s\%s.mbae
%s%s\%s.mbae
%s -> %s
%s -> %s
XXXXXXXXXXX
XXXXXXXXXXX
%sPL_%s_%s_d_%s
%sPL_%s_%s_d_%s
%s [%s]
%s [%s]
%s [%d]
%s [%d]
%sPL_%s_%s_d.xpe
%sPL_%s_%s_d.xpe
%sPL_%s_%s_d.txt
%sPL_%s_%s_d.txt
%s - %s - %s
%s - %s - %s
mbae.arc
mbae.arc
%sFF_%s_%s.arc
%sFF_%s_%s.arc
Archive: %s -> %s
Archive: %s -> %s
%sMON_%s_%s.arc
%sMON_%s_%s.arc
size: %d
size: %d
IE Cache: %s [%d]
IE Cache: %s [%d]
firefox
firefox
FF Cache: %s [%d]
FF Cache: %s [%d]
chrome
chrome
Chrome Cache: %s [%d]
Chrome Cache: %s [%d]
App error: %s [%d - %s]
App error: %s [%d - %s]
%s%s_%s.arc
%s%s_%s.arc
Error %d SendIpcMessageToOneMbaeGUI: %d - %d - %d
Error %d SendIpcMessageToOneMbaeGUI: %d - %d - %d
[%d] %s -> %s: %I64d - %s - d/d/d - d:d:d.d - d/d/d - d:d:d.d
[%d] %s -> %s: %I64d - %s - d/d/d - d:d:d.d - d/d/d - d:d:d.d
[%d] %s
[%d] %s
\Mozilla\Firefox
\Mozilla\Firefox
%s\profiles.ini
%s\profiles.ini
%s\%s\cache2\entries\*.*
%s\%s\cache2\entries\*.*
%s\%s\cache2\entries\%s
%s\%s\cache2\entries\%s
GetUrlFromFFCache
GetUrlFromFFCache
GetFilesFromChromeDataFile
GetFilesFromChromeDataFile
%d - %d - %s
%d - %d - %s
%sf_x
%sf_x
MBAERT_NOTENOUGHMEMORY - Size: %d - %s
MBAERT_NOTENOUGHMEMORY - Size: %d - %s
OpenChromeDataFile
OpenChromeDataFile
[%s] - Magic: %X - Version: %d.%d
[%s] - Magic: %X - Version: %d.%d
GetCacheFilesFromChrome
GetCacheFilesFromChrome
\Google\Chrome\User Data\Default\Cache
\Google\Chrome\User Data\Default\Cache
%s\data_%d
%s\data_%d
[%s] - Wrong EntrySize: %d
[%s] - Wrong EntrySize: %d
mbae-liec.dat
mbae-liec.dat
%s - %d
%s - %d
mbae.mb-cosmos.com
mbae.mb-cosmos.com
SendFileToCosmos response: %d - %s
SendFileToCosmos response: %d - %s
quarantine.dat
quarantine.dat
application/x-www-form-urlencoded
application/x-www-form-urlencoded
stats.mbamupdates.com
stats.mbamupdates.com
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
uuid=%s&osversion=%s&arch=%s&language=%s
uuid=%s&osversion=%s&arch=%s&language=%s
MbaePostStatisticEx response: %d - %s
MbaePostStatisticEx response: %d - %s
uuid=%s&key=%s&id=%s
uuid=%s&key=%s&id=%s
MbaePostLicenseEx response: %d - %s
MbaePostLicenseEx response: %d - %s
..\SvcAppFiles.cpp
..\SvcAppFiles.cpp
mbae-config.dat
mbae-config.dat
MBAERT_INCOMPATIBLE_VERSION: %d
MBAERT_INCOMPATIBLE_VERSION: %d
l0_xmlhttp
l0_xmlhttp
l3_vb_exec
l3_vb_exec
l3_msgbox
l3_msgbox
l3_javacmd
l3_javacmd
submit-exploit-kit-urls
submit-exploit-kit-urls
%s_mask
%s_mask
applications.dat
applications.dat
%d - %d - %d
%d - %d - %d
exclusions.dat
exclusions.dat
INCOMPATIBLE_VERSION: (%s): %X - %X - %d - %d - %d
INCOMPATIBLE_VERSION: (%s): %X - %X - %d - %d - %d
LoadReportFile
LoadReportFile
mbae-svc.dat
mbae-svc.dat
SaveReportFile
SaveReportFile
DeleteReportFile
DeleteReportFile
..\SvcClientIPC.cpp
..\SvcClientIPC.cpp
SHIELD_APPLICATION: %s
SHIELD_APPLICATION: %s
UNSHIELD_APPLICATION: %s
UNSHIELD_APPLICATION: %s
MODIFY_APPLICATION: %s - %s - %s - %d
MODIFY_APPLICATION: %s - %s - %s - %d
ADD_APPLICATION: %s - %s - %s - %d
ADD_APPLICATION: %s - %s - %s - %d
DEL_APPLICATION: %s - %d
DEL_APPLICATION: %s - %d
EXCLUDE_ITEM: (%s): %s - %s
EXCLUDE_ITEM: (%s): %s - %s
DEL_EXCLUSION: (%s): %s
DEL_EXCLUSION: (%s): %s
CLIENT_RUNNING (%d): %s - %s
CLIENT_RUNNING (%d): %s - %s
SET_CONFIG: %s
SET_CONFIG: %s
Change hooking: %s
Change hooking: %s
GET_NUM_REPORTS
GET_NUM_REPORTS
DEL_REPORTS: %s
DEL_REPORTS: %s
%s - %d - %d
%s - %d - %d
[{"name" : "mbae.database.whitelist","semver" : "#WL_VERSION#","channel" : "dev"}] }
[{"name" : "mbae.database.whitelist","semver" : "#WL_VERSION#","channel" : "dev"}] }
%s%s.new
%s%s.new
%d.%d.%d
%d.%d.%d
..\SvcSirius.cpp
..\SvcSirius.cpp
sirius.mwbsys.com
sirius.mwbsys.com
/api/v1/updates/manifest.json
/api/v1/updates/manifest.json
GetExclusionFileUpdate response: %d - %s
GetExclusionFileUpdate response: %d - %s
"mbae.database.whitelist"
"mbae.database.whitelist"
Wrong response for semver: %s
Wrong response for semver: %s
"url":
"url":
DownloadFile: %s - %s
DownloadFile: %s - %s
Wrong MD5: %s
Wrong MD5: %s
%smbae-telemetry.log
%smbae-telemetry.log
{ "header":{ "uuid":"#UUID#", "time":"#TIME#" }, "client":{ "program":"mbae", "build":"#BUILD#", "caller":{ "name":"exploit", "trigger":"detection" }, "os_version":"#OS_VERSION#", "version":"#VERSION#", "registered":"#REGISTERED#", "components":[ ], "muid":"#MUID#" }, "license":{ "license_state":"#LICENSE_STATE#" }, "exploit":{ "pid":"#PID#", "process":"#PROCESS#", "md5_payload":"#MD5_PAYLOAD#", "cmd":"#CMD#", "detection":{ "type":"#TYPE#", "api":"#API#"
{ "header":{ "uuid":"#UUID#", "time":"#TIME#" }, "client":{ "program":"mbae", "build":"#BUILD#", "caller":{ "name":"exploit", "trigger":"detection" }, "os_version":"#OS_VERSION#", "version":"#VERSION#", "registered":"#REGISTERED#", "components":[ ], "muid":"#MUID#" }, "license":{ "license_state":"#LICENSE_STATE#" }, "exploit":{ "pid":"#PID#", "process":"#PROCESS#", "md5_payload":"#MD5_PAYLOAD#", "cmd":"#CMD#", "detection":{ "type":"#TYPE#", "api":"#API#"
"firefox":"#FF_VERSION#",
"firefox":"#FF_VERSION#",
"chrome":"#CHROME_VERSION#",
"chrome":"#CHROME_VERSION#",
"urls":[ #URLS# ] } }
"urls":[ #URLS# ] } }
#CMD#
#CMD#
#CHROME_VERSION#
#CHROME_VERSION#
#URLS#
#URLS#
NumExploitKits: %d
NumExploitKits: %d
SendTelemetryURLs
SendTelemetryURLs
..\SvcTelemetry.cpp
..\SvcTelemetry.cpp
Process: %s
Process: %s
Payload: %s
Payload: %s
d-d-dTd:d:dZ
d-d-dTd:d:dZ
NumExploitKits: %d - %d
NumExploitKits: %d - %d
"domain":"#DOMAIN#", "resolv":[ #IPS# ], "port":"#PORT#", "uri":"#URI#", "md5":"#MD5#", "header":"#HEADER#" } }
"domain":"#DOMAIN#", "resolv":[ #IPS# ], "port":"#PORT#", "uri":"#URI#", "md5":"#MD5#", "header":"#HEADER#" } }
#PORT#
#PORT#
CreateJsonURLs
CreateJsonURLs
url size: %d
url size: %d
mbstowcs_s: %d
mbstowcs_s: %d
, "%s"
, "%s"
host: %s
host: %s
uri: %s
uri: %s
httpHeader: %s
httpHeader: %s
%s - %s
%s - %s
Google Chrome
Google Chrome
*Mozilla Firefox
*Mozilla Firefox
Error %d DisplayVersion IE
Error %d DisplayVersion IE
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
Error %d RegOpenKeyEx: %d - %s
Error %d RegOpenKeyEx: %d - %s
Error %d DisplayName: %d - %s
Error %d DisplayName: %d - %s
Error %d DisplayVersion: %d - %s
Error %d DisplayVersion: %d - %s
data.service.malwarebytes.org
data.service.malwarebytes.org
SendTelemetryData response: %d - %s
SendTelemetryData response: %d - %s
HWDeviceService64.exe
HWDeviceService64.exe
SBUpdate.exe
SBUpdate.exe
hsmgr64.exe
hsmgr64.exe
hsmgr.exe
hsmgr.exe
jp2launcher.exe
jp2launcher.exe
winpm-64.exe
winpm-64.exe
winpm-32.exe
winpm-32.exe
thebat.exe
thebat.exe
operamail.exe
operamail.exe
msimn.exe
msimn.exe
nlnotes.exe
nlnotes.exe
lotusnotes.exe
lotusnotes.exe
notes.exe
notes.exe
lotus.exe
lotus.exe
dreammail.exe
dreammail.exe
foxmail.exe
foxmail.exe
mulberry.exe
mulberry.exe
yahoomessenger.exe
yahoomessenger.exe
wlmail.exe
wlmail.exe
mail.exe
mail.exe
winmail.exe
winmail.exe
pegasus.exe
pegasus.exe
incmail.exe
incmail.exe
incredimail.exe
incredimail.exe
thunderbird.exe
thunderbird.exe
outlook.exe
outlook.exe
winwordc.exe
winwordc.exe
winword.exe
winword.exe
winhlp32.exe
winhlp32.exe
helpctr.exe
helpctr.exe
wscript.exe
wscript.exe
javaws.exe
javaws.exe
javaw.exe
javaw.exe
java.exe
java.exe
..\SvcServerIPC.cpp
..\SvcServerIPC.cpp
%s_%d_%d
%s_%d_%d
MBAE_IMT_GET_FAMILY_ID: %d
MBAE_IMT_GET_FAMILY_ID: %d
(%d)%s - %d - %d - (%d)%s - %s
(%d)%s - %d - %d - (%d)%s - %s
MBAE_IMT_GET_FAMILY_ID ERROR: %d
MBAE_IMT_GET_FAMILY_ID ERROR: %d
(%d)NULL - %d - %d
(%d)NULL - %d - %d
(%d)%s - %d - %d - (%d)%s
(%d)%s - %d - %d - (%d)%s
MBAE_IMT_INJECTED: %d
MBAE_IMT_INJECTED: %d
(%d)%s is now shield - %s - (%d)%s
(%d)%s is now shield - %s - (%d)%s
MBAE_IMT_UNINJECTED: %d
MBAE_IMT_UNINJECTED: %d
(%d)%s is now unshield
(%d)%s is now unshield
(%d)%s - %s
(%d)%s - %s
MBAE_IMT_MEMORY BLOCKED: %d:%d:%d - (%d)%s
MBAE_IMT_MEMORY BLOCKED: %d:%d:%d - (%d)%s
MBAE_IMT_LOADING_MODULE_DETECTION BLOCKED: %d:%d:%d - (%d)%s
MBAE_IMT_LOADING_MODULE_DETECTION BLOCKED: %d:%d:%d - (%d)%s
File Blocked: %d:%d:%d
File Blocked: %d:%d:%d
PE_BLOCKED: %d:%d:%d
PE_BLOCKED: %d:%d:%d
MBAE_IMT_PROCESS_BLOCKED: %d:%d:%d
MBAE_IMT_PROCESS_BLOCKED: %d:%d:%d
VBSCRIPT_ATTACK: %d:%d:%d
VBSCRIPT_ATTACK: %d:%d:%d
OFFICE_WMI: %d:%d:%d
OFFICE_WMI: %d:%d:%d
MBAE_IMT_ADD_POOL: %d
MBAE_IMT_ADD_POOL: %d
(%d) - %s
(%d) - %s
MBAE_IMT_CHECK_IS_PE: %d
MBAE_IMT_CHECK_IS_PE: %d
MBAE_IMT_CHECK_POOL: %d
MBAE_IMT_CHECK_POOL: %d
MBAE_IMT_CHECK_POOL_CMD: %d
MBAE_IMT_CHECK_POOL_CMD: %d
(%d)%s - %s - %d
(%d)%s - %s - %d
MBAE_IMT_CHECK_EXCLUSION_FILE: %d
MBAE_IMT_CHECK_EXCLUSION_FILE: %d
MBAE_IMT_INFO_PROCESS: %d - (%d)%s. Parameters: %s - %s. Parent Process (%d)%s.
MBAE_IMT_INFO_PROCESS: %d - (%d)%s. Parameters: %s - %s. Parent Process (%d)%s.
MBAE_IMT_INFO_URL: %d
MBAE_IMT_INFO_URL: %d
(%d)%s Parameters: %s - %s
(%d)%s Parameters: %s - %s
MBAE_IMT_DEP_ENFORCEMENT: %d
MBAE_IMT_DEP_ENFORCEMENT: %d
(%d)%s Parameters: %s - %d
(%d)%s Parameters: %s - %d
MBAE_IMT_HEAPSPRAY_ENFORCEMENT: %d
MBAE_IMT_HEAPSPRAY_ENFORCEMENT: %d
MBAE_IMT_BOTTOMUP_ENFORCEMENT: %d
MBAE_IMT_BOTTOMUP_ENFORCEMENT: %d
MBAE_IMT_EXPLOITKIT: %d
MBAE_IMT_EXPLOITKIT: %d
(%d)%s [%d] Parameters: %s - %s - %d
(%d)%s [%d] Parameters: %s - %s - %d
MBAE_IMT_EXPLOITFILE: %d
MBAE_IMT_EXPLOITFILE: %d
MBAE_IMT_GETCONFIG: (%d)%s - %d - %d
MBAE_IMT_GETCONFIG: (%d)%s - %d - %d
Exploit code executing from stack blocked
Exploit code executing from stack blocked
Attempt to execute VBScript blocked
Attempt to execute VBScript blocked
Exploit code executing from RW memory blocked
Exploit code executing from RW memory blocked
Exploit code executing from Heap memory blocked
Exploit code executing from Heap memory blocked
Java Metasploit/Meterpreter command execution detected
Java Metasploit/Meterpreter command execution detected
IsReportDuplicatedInApplication
IsReportDuplicatedInApplication
cmd.exe
cmd.exe
CmdExclusionProcessNames checking: %s - %d - %s - %d - %d - %d - %d
CmdExclusionProcessNames checking: %s - %d - %s - %d - %d - %d - %d
ConditionalShieldProcessNames - Not Found: %s - %d - %s - %d
ConditionalShieldProcessNames - Not Found: %s - %d - %s - %d
GetParentProcessInfo: %s - %d - %s - %d
GetParentProcessInfo: %s - %d - %s - %d
Parent process injected: %s - %d - %s - %d
Parent process injected: %s - %d - %s - %d
Parent process ExploitableProcessNames: %s - %d - %s - %d
Parent process ExploitableProcessNames: %s - %d - %s - %d
Uninjecting Conditional Shield process: %s - %d - %s - %d
Uninjecting Conditional Shield process: %s - %d - %s - %d
New PID duplicated: %s - %s - %d
New PID duplicated: %s - %s - %d
PID not found: %s - %d
PID not found: %s - %d
%s%s /open
%s%s /open
OpenProcess: %s - %d
OpenProcess: %s - %d
..\SvcMisc.cpp
..\SvcMisc.cpp
%d: %s
%d: %s
Parent process name not found: %d - %d
Parent process name not found: %d - %d
Error (%d): %d
Error (%d): %d
Error (%d): %s - %d
Error (%d): %s - %d
Error opening the process: %s - %d
Error opening the process: %s - %d
Cannot enumerate loaded modules Pid: %d Process Name: %s Address: 0xX
Cannot enumerate loaded modules Pid: %d Process Name: %s Address: 0xX
Cannot enumerate the first loaded modules Pid: %d Process Name: %s Address: 0xX
Cannot enumerate the first loaded modules Pid: %d Process Name: %s Address: 0xX
Process Info: Pid: %d Process Name: %s Address: 0xX
Process Info: Pid: %d Process Name: %s Address: 0xX
Pid: %d -
Pid: %d -
(*)LoadedModule: %s
(*)LoadedModule: %s
Address: 0xX:0xX
Address: 0xX:0xX
Cannot enumerate loaded modules Pid: %d
Cannot enumerate loaded modules Pid: %d
Cannot enumerate the first loaded modules Pid: %d
Cannot enumerate the first loaded modules Pid: %d
Process injected: %d - %s - %s
Process injected: %d - %s - %s
Process not injected: %d
Process not injected: %d
Dead process: %s - %d
Dead process: %s - %d
User: %s
User: %s
License: %d - %s
License: %d - %s
d-d-d
d-d-d
License: %d - %s - %s
License: %d - %s - %s
ValidateKeyFromID
ValidateKeyFromID
CalculateKeyFromID
CalculateKeyFromID
X-X-X-XX-XXXXXX
X-X-X-XX-XXXXXX
XXXXXXXX
XXXXXXXX
SetRegistryKey
SetRegistryKey
\uX
\uX
..\SvcProtection.cpp
..\SvcProtection.cpp
LError %d Installing Malwarebytes Anti-Exploit Driver, the Malwarebytes Anti-Exploit process will be terminated
LError %d Installing Malwarebytes Anti-Exploit Driver, the Malwarebytes Anti-Exploit process will be terminated
mbae.sys
mbae.sys
mbae64.sys
mbae64.sys
Can not install Malwarebytes Anti-Exploit driver. %s - %s
Can not install Malwarebytes Anti-Exploit driver. %s - %s
%s%s /Start %d "
%s%s /Start %d "
Error starting 64bit injection DLL: %d - %d - %s
Error starting 64bit injection DLL: %d - %d - %s
%s%s /Stop %d "
%s%s /Stop %d "
Error stopping 64bit injection DLL: %d - %d
Error stopping 64bit injection DLL: %d - %d
Starting Injection with: %s - %s
Starting Injection with: %s - %s
DLL Injection has been successfully started %s
DLL Injection has been successfully started %s
Stopping Injection with: %s
Stopping Injection with: %s
DLL Injection has been successfully stopped %s
DLL Injection has been successfully stopped %s
Stopping Injection in all process with application: %s - %d
Stopping Injection in all process with application: %s - %d
%s%s /StopPid
%s%s /StopPid
OpenProcess: %d - %d
OpenProcess: %d - %d
Stopping Injection in 64 process: %s
Stopping Injection in 64 process: %s
Error stopping 64bit injection processes: %s - %d - %d - %d
Error stopping 64bit injection processes: %s - %d - %d - %d
Process Injection has been successfully stopped %s - %d
Process Injection has been successfully stopped %s - %d
%p - %s
%p - %s
yKernel32.dll
yKernel32.dll
KillProcessName: %s - %d
KillProcessName: %s - %d
..\SvcUpgrade.cpp
..\SvcUpgrade.cpp
data-cdn.mbamupdates.com
data-cdn.mbamupdates.com
/v2/mbae/consumer/version.chk
/v2/mbae/consumer/version.chk
/SP- /VERYSILENT /SUPRESSMSGBOXES
/SP- /VERYSILENT /SUPRESSMSGBOXES
mbae-setup-%s.exe
mbae-setup-%s.exe
%s%s/%s
%s%s/%s
%d - %d
%d - %d
LPC_PORT_CLOSED
LPC_PORT_CLOSED
An invalid parameter was passed to a service or function.
An invalid parameter was passed to a service or function.
STATUS_INVALID_PORT_ATTRIBUTES
STATUS_INVALID_PORT_ATTRIBUTES
Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort
Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort
STATUS_PORT_MESSAGE_TOO_LONG
STATUS_PORT_MESSAGE_TOO_LONG
Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port
Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port
STATUS_PORT_DISCONNECTED
STATUS_PORT_DISCONNECTED
Attempt to send a message to a disconnected communication port.
Attempt to send a message to a disconnected communication port.
STATUS_PORT_CONNECTION_REFUSED
STATUS_PORT_CONNECTION_REFUSED
The NtConnectPort request is refused.
The NtConnectPort request is refused.
STATUS_INVALID_PORT_HANDLE
STATUS_INVALID_PORT_HANDLE
The type of port handle is invalid for the operation requested.
The type of port handle is invalid for the operation requested.
Insufficient quota exists to complete the operation
Insufficient quota exists to complete the operation
STATUS_PORT_ALREADY_SET
STATUS_PORT_ALREADY_SET
An attempt to set a processes DebugPort or ExceptionPort was made, but a port already exists in the process
An attempt to set a processes DebugPort or ExceptionPort was made, but a port already exists in the process
Windows Help
Windows Help
Windows Script Host
Windows Script Host
quicktimeplayer.exe
quicktimeplayer.exe
winamp.exe
winamp.exe
vlc.exe
vlc.exe
Windows Media Player (mplayer2)
Windows Media Player (mplayer2)
mplayer2.exe
mplayer2.exe
Windows Media Player (wmplayer)
Windows Media Player (wmplayer)
wmplayer.exe
wmplayer.exe
powerpnt.exe
powerpnt.exe
excel.exe
excel.exe
excelc.exe
excelc.exe
soffice.bin
soffice.bin
foxitreader.exe
foxitreader.exe
foxit reader.exe
foxit reader.exe
Foxit PhantomPDF.exe
Foxit PhantomPDF.exe
FoxitPhantomPDF.exe
FoxitPhantomPDF.exe
acrord32.exe
acrord32.exe
acrobat.exe
acrobat.exe
dragon.exe
dragon.exe
waterfox.exe
waterfox.exe
tor.exe
tor.exe
tbb-firefox.exe
tbb-firefox.exe
palemoon.exe
palemoon.exe
cyberfox.exe
cyberfox.exe
icedragon.exe
icedragon.exe
Seamonkey
Seamonkey
seamonkey.exe
seamonkey.exe
seamonkey
seamonkey
maxthon.exe
maxthon.exe
mxapploader.exe
mxapploader.exe
Opera (and plug-ins)
Opera (and plug-ins)
opera.exe
opera.exe
opera
opera
opera_plugin_wrapper.exe
opera_plugin_wrapper.exe
opera_wrapper_32.exe
opera_wrapper_32.exe
iexplore.exe
iexplore.exe
MicrosoftEdge.exe
MicrosoftEdge.exe
MicrosoftEdgeCP.exe
MicrosoftEdgeCP.exe
Google Chrome (and plug-ins)
Google Chrome (and plug-ins)
chrome.exe
chrome.exe
old_chrome.exe
old_chrome.exe
Mozilla Firefox (and add-ons)
Mozilla Firefox (and add-ons)
firefox.exe
firefox.exe
plugin-container.exe
plugin-container.exe
FlashPlayerPlugin*.exe
FlashPlayerPlugin*.exe
Microsoft Help and Support Center
Microsoft Help and Support Center
mbae-test.exe
mbae-test.exe
1.08.1.2563
1.08.1.2563
%Program Files%\Malwarebytes Anti-Exploit\
%Program Files%\Malwarebytes Anti-Exploit\
bae-svc.exe
bae-svc.exe
C:\ProgramData\Malwarebytes Anti-Exploit\
C:\ProgramData\Malwarebytes Anti-Exploit\
9C03934C-9146-44A9-93F3-9CD73F3EEF09
9C03934C-9146-44A9-93F3-9CD73F3EEF09
1.08.1.2572
1.08.1.2572
1.8.1.2563
1.8.1.2563