File name:

Мalwarebytes.exe

Full analysis: https://app.any.run/tasks/01bdb3d7-0776-423b-806e-3bfe0741b565
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: February 24, 2024, 18:01:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

B8B19F60A31DCFD64FC57D146CAA6905

SHA1:

6EAE2A166590474FD0B0BF15A62EC2DCA51F2DE0

SHA256:

3C8AD63E9704EB602FD0833789EE732032A1703C0E1D2CFF73BC47DB3A75A6F5

SSDEEP:

98304:V8alYjU0Fn8IB0KZ4AvUdaVc0OUE1hRv12bBOU1171Zw111L1kjsRq/qrg2GDkaQ:I/Ogi

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Мalwarebytes.exe (PID: 3668)
      • MBSetup.exe (PID: 1876)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)
      • MBAMInstallerService.exe (PID: 2596)

    • Actions looks like stealing of personal data

      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBAMService.exe (PID: 3760)

    • Creates a writable file in the system directory

      • MBSetup.exe (PID: 1876)
      • MBVpnTunnelService.exe (PID: 2336)
      • MBAMInstallerService.exe (PID: 2596)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)

    • Downloads files via BITSADMIN.EXE

      • mshta.exe (PID: 3932)

    • Steals credentials

      • MBAMService.exe (PID: 3760)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Мalwarebytes.exe (PID: 3668)
      • MBAMService.exe (PID: 3760)

    • Executable content was dropped or overwritten

      • Мalwarebytes.exe (PID: 3668)
      • MBAMInstallerService.exe (PID: 2596)
      • MBSetup.exe (PID: 1876)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)

    • Reads the Internet Settings

      • Мalwarebytes.exe (PID: 3668)
      • mshta.exe (PID: 3932)
      • MBSetup.exe (PID: 1876)
      • Malwarebytes.exe (PID: 3304)

    • Searches for installed software

      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)

    • Reads the BIOS version

      • MBSetup.exe (PID: 1876)
      • MBAMService.exe (PID: 3760)

    • The process checks if it is being run in the virtual environment

      • mshta.exe (PID: 3932)

    • Creates files in the driver directory

      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)

    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 3932)

    • The process verifies whether the antivirus software is installed

      • MBSetup.exe (PID: 1876)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 4064)
      • MBAMService.exe (PID: 3760)
      • Malwarebytes.exe (PID: 3304)
      • MBAMInstallerService.exe (PID: 2596)

    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 2596)
      • VSSVC.exe (PID: 2772)
      • MBAMService.exe (PID: 3760)

    • Reads settings of System Certificates

      • MBSetup.exe (PID: 1876)
      • Malwarebytes.exe (PID: 3304)

    • Adds/modifies Windows certificates

      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • MBAMService.exe (PID: 3760)

    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 2596)

    • The process creates files with name similar to system file names

      • MBAMInstallerService.exe (PID: 2596)

    • Process drops legitimate windows executable

      • MBAMInstallerService.exe (PID: 2596)

    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 2596)

    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)

    • Checks Windows Trust Settings

      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)

    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 2596)
      • MBAMService.exe (PID: 3760)

    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 3760)

    • Creates or modifies Windows services

      • MBAMService.exe (PID: 3760)

    • Creates a software uninstall entry

      • MBAMInstallerService.exe (PID: 2596)

    • Starts CMD.EXE for commands execution

      • MBSetup.exe (PID: 1876)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3848)

  • INFO

    • Reads the computer name

      • Мalwarebytes.exe (PID: 3668)
      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 4064)
      • MBAMService.exe (PID: 3760)
      • Malwarebytes.exe (PID: 3304)

    • Checks supported languages

      • Мalwarebytes.exe (PID: 3668)
      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • MBAMService.exe (PID: 4064)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)
      • Malwarebytes.exe (PID: 3304)

    • Reads the machine GUID from the registry

      • Мalwarebytes.exe (PID: 3668)
      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)
      • Malwarebytes.exe (PID: 3304)

    • Create files in a temporary directory

      • Мalwarebytes.exe (PID: 3668)
      • MBSetup.exe (PID: 1876)

    • Checks proxy server information

      • mshta.exe (PID: 3932)

    • Creates files in the program directory

      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • MBAMService.exe (PID: 3760)
      • Malwarebytes.exe (PID: 3304)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3932)

    • Reads the software policy settings

      • MBSetup.exe (PID: 1876)
      • MBAMInstallerService.exe (PID: 2596)
      • MBVpnTunnelService.exe (PID: 2336)
      • drvinst.exe (PID: 968)
      • MBAMService.exe (PID: 3760)
      • Malwarebytes.exe (PID: 3304)

    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 968)

    • Reads CPU info

      • MBAMService.exe (PID: 3760)

    • Reads the time zone

      • MBAMService.exe (PID: 3760)

    • Reads Environment values

      • MBAMService.exe (PID: 3760)

    • Creates files or folders in the user directory

      • Malwarebytes.exe (PID: 3304)

    • Manual execution by a user

      • firefox.exe (PID: 2688)

    • Application launched itself

      • firefox.exe (PID: 2688)
      • firefox.exe (PID: 2864)

    • Process checks computer location settings

      • Malwarebytes.exe (PID: 3304)

    • Drops the executable file immediately after the start

      • firefox.exe (PID: 2864)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:24 17:57:58+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 2596864
InitializedDataSize: 142848
UninitializedDataSize: -
EntryPoint: 0x27be3e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.0.17.80
ProductVersionNumber: 5.0.17.80
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Malwarebytes
FileDescription: Malwarebytes Setup
FileVersion: 5.0.17.80
InternalName: Mаlwarebytes.exe
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
OriginalFileName: Mаlwarebytes.exe
ProductName: Malwarebytes
ProductVersion: 5.0.17.80
AssemblyVersion: 5.0.17.80
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
25
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start мalwarebytes.exe mbsetup.exe no specs mbsetup.exe mshta.exe no specs bitsadmin.exe no specs mbaminstallerservice.exe mbvpntunnelservice.exe drvinst.exe vssvc.exe no specs mbamservice.exe no specs mbamservice.exe malwarebytes.exe cmd.exe no specs timeout.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
968DrvInst.exe "4" "8" "C:\Windows\TEMP\{19e78772-0a94-22af-3003-b27a103c7e54}\mbtun.inf" "0" "6ba9030c7" "000002CC" "Service-0x0-3e7$\Default" "000004B4" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"C:\Windows\System32\drvinst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1528"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.6.584289034\911040086" -childID 5 -isForBrowser -prefsHandle 4136 -prefMapHandle 4124 -prefsLen 34406 -prefMapSize 244195 -jsInitHandle 888 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fcd530e-4fdc-45a6-a228-844d202c14b5} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 4028 1b255840 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1876"C:\Users\admin\AppData\Local\Temp\MBSetup.exe" C:\Users\admin\AppData\Local\Temp\MBSetup.exe
Мalwarebytes.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
HIGH
Description:
Malwarebytes Setup
Exit code:
0
Version:
5.0.17.80
Modules
Images
c:\users\admin\appdata\local\temp\mbsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2000"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.3.79588048\1259294060" -childID 2 -isForBrowser -prefsHandle 2708 -prefMapHandle 2704 -prefsLen 34225 -prefMapSize 244195 -jsInitHandle 888 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1ddda3e-8b7c-49d7-86c6-ad2e0eea0b46} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2724 18a3be00 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2336"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtunC:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
MBAMInstallerService.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Description:
MBVpnTunnelService.exe
Exit code:
0
Version:
1.0.0.91
Modules
Images
c:\program files\malwarebytes\anti-malware\mbvpntunnelservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
2436"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.1589361409\1696257155" -parentBuildID 20230710165010 -prefsHandle 1100 -prefMapHandle 1092 -prefsLen 28523 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c14cc9d-be88-470c-89cd-a9139e4f0c68} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1172 c6acaf0 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2496"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.7.1435019530\2031624007" -childID 6 -isForBrowser -prefsHandle 4296 -prefMapHandle 4304 -prefsLen 29365 -prefMapSize 244195 -jsInitHandle 888 -jsInitLen 240908 -parentBuildID 20230710165010 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddcaeae2-3756-40e7-b827-495c20e8ceb3} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 4284 1b255e00 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2524"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.1.1849898017\1984541148" -parentBuildID 20230710165010 -prefsHandle 1392 -prefMapHandle 1388 -prefsLen 28600 -prefMapSize 244195 -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e2fa46-5765-44aa-9e5a-196f86a69f2a} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1408 c625390 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2596"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
services.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Description:
Malwarebytes Installer Service
Exit code:
0
Version:
5.0.0.140
Modules
Images
c:\program files\malwarebytes\anti-malware\mbaminstallerservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\authz.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
2688"C:\Program Files\Mozilla Firefox\firefox.exe" -install -extension C:\Users\admin\AppData\Local\Temp\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeexplorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
152 231
Read events
151 332
Write events
845
Delete events
54

Modification events

(PID) Process:(3668) Мalwarebytes.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3668) Мalwarebytes.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3668) Мalwarebytes.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3668) Мalwarebytes.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1876) MBSetup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation:writeName:id
Value:
f9d75b3d59e946d8886956cb04df845c
(PID) Process:(3932) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3932) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3932) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3932) mshta.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1876) MBSetup.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
1 260
Suspicious files
136
Text files
112
Unknown types
110

Dropped files

PID
Process
Filename
Type
2596MBAMInstallerService.exeC:\Windows\TEMP\MBInstallTempef358803d33e11ee926a12a9866c77de\ctlrpkg.7z
MD5:
SHA256:
2596MBAMInstallerService.exeC:\Windows\TEMP\MBInstallTempef358803d33e11ee926a12a9866c77de\dbclspkg.7z
MD5:
SHA256:
2596MBAMInstallerService.exeC:\Windows\TEMP\MBInstallTempef358803d33e11ee926a12a9866c77de\dotnetpkg.7z
MD5:
SHA256:
3668Мalwarebytes.exeC:\Users\admin\AppData\Local\Temp\Downloader.htahtml
MD5:7B22EBB25E9A88E67BA13039B6EEC11E
SHA256:CD7BD45CDB710E00FF5F8A42DCBE9A46112D5357027F29749113B41746C5E7F2
1876MBSetup.exeC:\Program Files\mbamtestfile.dattext
MD5:9F06243ABCB89C70E0C331C61D871FA7
SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
3668Мalwarebytes.exeC:\Users\admin\AppData\Local\Temp\MBSetup.exeexecutable
MD5:38FCBED91AA65065EBBE593DA8A81FED
SHA256:8F0D67741E5BAE151C67E274320AFF754480E188499BE17C08E72CB4FC6FBFEC
2596MBAMInstallerService.exeC:\Windows\TEMP\MBInstallTempef358803d33e11ee926a12a9866c77de\servicepkg.7zcompressed
MD5:EFEC4FF2241F49D05FECF914EA0F5E20
SHA256:C0B71BD0745B7DC4ACEC33F7C98CB8CAE4854C6F78C0F04F9616A373C95E17E8
1876MBSetup.exeC:\ProgramData\mbamtestfile.dattext
MD5:9F06243ABCB89C70E0C331C61D871FA7
SHA256:837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
2596MBAMInstallerService.exeC:\Windows\TEMP\MBInstallTempef358803d33e11ee926a12a9866c77de\servicepkg\msrootca2020.crttext
MD5:77AC2A1AE404C2E29334C4D0CE29AC0E
SHA256:626727D3F4FB4C4EF816648217966D5EB2A028AFE03C801788B1834A456B48E8
2596MBAMInstallerService.exeC:\Windows\TEMP\MBInstallTempef358803d33e11ee926a12a9866c77de\servicepkg\BaltimoreCyberTrustRoot.crttext
MD5:379A301592736712C9A60676C50CF19B
SHA256:CC7400692BD90E1B5FC44E11C8DD7C788CBB462F52EA3F3DECB579E4D51EB268
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
68
DNS requests
121
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2864
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
text
90 b
unknown
2864
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
text
8 b
unknown
2864
firefox.exe
POST
200
172.217.16.131:80
http://ocsp.pki.goog/gts1c3
unknown
binary
472 b
unknown
3760
MBAMService.exe
GET
200
184.24.77.188:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c32fc51c0c5d995c
unknown
compressed
65.2 Kb
unknown
2864
firefox.exe
POST
200
184.24.77.207:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2864
firefox.exe
POST
200
184.24.77.207:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2864
firefox.exe
POST
200
184.24.77.207:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2864
firefox.exe
POST
200
172.217.16.131:80
http://ocsp.pki.goog/gts1c3
unknown
binary
472 b
unknown
2864
firefox.exe
POST
200
184.24.77.207:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
2864
firefox.exe
POST
200
184.24.77.207:80
http://r3.o.lencr.org/
unknown
binary
503 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
1876
MBSetup.exe
52.38.82.208:443
api2.amplitude.com
AMAZON-02
US
unknown
2408
svchost.exe
239.255.255.250:1900
unknown
856
svchost.exe
176.99.128.18:443
dropmefiles.com
Inetcom LLC
RU
unknown
1876
MBSetup.exe
100.24.155.204:443
ark.mwbsys.com
AMAZON-AES
US
unknown
1876
MBSetup.exe
99.86.4.35:443
cdn.mwbsys.com
AMAZON-02
US
unknown
2596
MBAMInstallerService.exe
100.24.155.204:443
ark.mwbsys.com
AMAZON-AES
US
unknown
2596
MBAMInstallerService.exe
99.86.4.35:443
cdn.mwbsys.com
AMAZON-02
US
unknown

DNS requests

Domain
IP
Reputation
api2.amplitude.com
  • 52.38.82.208
  • 44.237.121.95
  • 52.34.85.102
  • 54.149.75.82
  • 52.24.22.222
  • 50.112.65.223
  • 54.189.250.70
  • 52.35.249.210
  • 52.42.231.78
  • 54.187.95.95
  • 35.163.46.144
  • 52.41.61.200
  • 35.82.214.69
  • 54.184.113.98
whitelisted
dropmefiles.com
  • 176.99.128.18
  • 176.99.128.38
  • 176.99.128.9
whitelisted
ark.mwbsys.com
  • 100.24.155.204
  • 54.87.163.190
  • 34.202.188.109
unknown
cdn.mwbsys.com
  • 99.86.4.35
  • 99.86.4.118
  • 99.86.4.72
  • 99.86.4.25
whitelisted
holocron.mwbsys.com
  • 44.195.155.226
  • 34.225.249.114
  • 50.16.174.249
unknown
ipv4.am.i.mullvad.net
  • 45.83.223.233
unknown
ctldl.windowsupdate.com
  • 184.24.77.188
  • 184.24.77.199
  • 184.24.77.184
  • 184.24.77.182
  • 184.24.77.205
  • 184.24.77.206
  • 184.24.77.193
  • 184.24.77.190
  • 184.24.77.197
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
example.org
  • 93.184.216.34
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Misc activity
ET INFO File Sharing Service Domain in DNS Lookup (dropmefiles .com)
856
svchost.exe
Misc activity
ET INFO Observed File Sharing Service Domain (dropmefiles .com in TLS SNI)
Process
Message
Malwarebytes.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 3304. Message ID: [0x2509].
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Мalwarebytes.exe