File name: MBSetup.exe

Full analysis: https://app.any.run/tasks/6c189751-1d5d-427e-8198-937993b709e8
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 10, 2025, 21:20:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
arch-doc
arch-html
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: CD4DE7A9A97440100F4886C7B463A67D
SHA1: D624A57038639D6578871CEE2FF2A383D7282486
SHA256: 46EF8B210A36766F6C8847119088DCE219BAA7036699F687638A8FC77813F86A
SSDEEP: 98304:P+gn1uXJIaIbC070I22IT1PD222222272TSRTP4WG5N0aFvGSSRkrlcfABLqI14d:OXK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • MBAMInstallerService.exe (PID: 6640)
      • MBAMService.exe (PID: 6176)
  • SUSPICIOUS

    • Searches for installed software

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBAMService.exe (PID: 6176)
    • Reads the BIOS version

      • MBSetup.exe (PID: 6652)
      • MBAMService.exe (PID: 6176)
    • The process verifies whether the antivirus software is installed

      • MBSetup.exe (PID: 6652)
      • drvinst.exe (PID: 5256)
      • MBVpnTunnelService.exe (PID: 836)
      • MBAMService.exe (PID: 6152)
      • MBAMInstallerService.exe (PID: 6640)
      • MBAMWsc.exe (PID: 1172)
      • Malwarebytes.exe (PID: 4012)
      • MBAMService.exe (PID: 6176)
      • Malwarebytes.exe (PID: 7492)
      • Malwarebytes.exe (PID: 7560)
    • Executable content was dropped or overwritten

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBVpnTunnelService.exe (PID: 836)
      • MBAMService.exe (PID: 6152)
      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6176)
    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 6640)
      • MBAMService.exe (PID: 6176)
    • Process drops legitimate Windows executable

      • MBAMInstallerService.exe (PID: 6640)
      • MBAMService.exe (PID: 6176)
    • The process creates files with name similar to system file names

      • MBAMInstallerService.exe (PID: 6640)
    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 6640)
    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 6640)
      • MBVpnTunnelService.exe (PID: 836)
      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6152)
      • MBAMService.exe (PID: 6176)
    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 6640)
      • MBAMService.exe (PID: 6176)
    • Creates files in the driver directory

      • MBVpnTunnelService.exe (PID: 836)
      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6176)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6176)
    • Reads security settings of Internet Explorer

      • MBAMService.exe (PID: 6176)
      • ig.exe (PID: 4996)
      • Malwarebytes.exe (PID: 4012)
    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMService.exe (PID: 6176)
    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 6176)
    • Adds/modifies Windows certificates

      • MBAMService.exe (PID: 6176)
    • Creates or modifies Windows services

      • MBAMService.exe (PID: 6176)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6988)
    • Starts CMD.EXE for command execution

      • MBSetup.exe (PID: 6652)
    • The process drops Mozilla's DLL files

      • MBAMService.exe (PID: 6176)
    • Application launched itself

      • Malwarebytes.exe (PID: 7492)
  • INFO

    • Reads the machine GUID from the registry

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6176)
      • MbamBgNativeMsg.exe (PID: 7328)
    • Reads the computer name

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBVpnTunnelService.exe (PID: 836)
      • ig.exe (PID: 4996)
      • MbamBgNativeMsg.exe (PID: 7328)
      • Malwarebytes.exe (PID: 7560)
    • Checks supported languages

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBVpnTunnelService.exe (PID: 836)
      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6176)
      • ig.exe (PID: 4996)
      • MbamBgNativeMsg.exe (PID: 7328)
    • The sample was compiled with English language support

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBVpnTunnelService.exe (PID: 836)
      • drvinst.exe (PID: 5256)
      • MBAMService.exe (PID: 6152)
      • MBAMService.exe (PID: 6176)
    • Creates files in a temporary directory

      • MBSetup.exe (PID: 6652)
    • Creates files in the program directory

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBVpnTunnelService.exe (PID: 836)
      • MBAMService.exe (PID: 6176)
      • Malwarebytes.exe (PID: 4012)
    • Checks proxy server information

      • MBSetup.exe (PID: 6652)
      • Malwarebytes.exe (PID: 4012)
    • Reads the software policy settings

      • MBSetup.exe (PID: 6652)
      • MBAMInstallerService.exe (PID: 6640)
      • MBAMService.exe (PID: 6176)
      • Malwarebytes.exe (PID: 4012)
    • The sample was compiled with Spanish language support

      • MBAMInstallerService.exe (PID: 6640)
    • Reads CPU info

      • MBAMService.exe (PID: 6176)
    • Reads the time zone

      • MBAMService.exe (PID: 6176)
    • Reads Environment values

      • MBAMService.exe (PID: 6176)
    • Sends debugging messages

      • MBAMService.exe (PID: 6176)
      • Malwarebytes.exe (PID: 4012)
      • Malwarebytes.exe (PID: 7492)
      • Malwarebytes.exe (PID: 7560)
    • Application launched itself

      • firefox.exe (PID: 2084)
      • firefox.exe (PID: 2548)
      • msedge.exe (PID: 7968)
    • Manual execution by a user

      • firefox.exe (PID: 2084)
      • Malwarebytes.exe (PID: 7492)
    • The process uses the downloaded file

      • MBAMService.exe (PID: 6176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

ProductName: Malwarebytes
OriginalFileName: MBSetup.exe
InternalName: MBSetup.exe
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
FileVersion: 5.2.5.120
FileDescription: Malwarebytes Setup
CompanyName: Malwarebytes
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 5.2.5.120
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x91465
UninitializedDataSize: -
InitializedDataSize: 1980928
CodeSize: 803840
LinkerVersion: 14.38
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2024:12:10 21:10:05+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 212
Monitored processes: 77
Malicious processes: 10
Suspicious processes: 0


Process information

PID | CMD | Path | Parent process
6488 | "C:\Users\admin\AppData\Local\Temp\MBSetup.exe" | C:\Users\admin\AppData\Local\Temp\MBSetup.exe | explorer.exe
User: admin
Company: Malwarebytes
Integrity Level: MEDIUM
Description: Malwarebytes Setup
Exit code: 3221226540
Version: 5.2.5.120
Modules (images):
c:\users\admin\appdata\local\temp\mbsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6652 | "C:\Users\admin\AppData\Local\Temp\MBSetup.exe" | C:\Users\admin\AppData\Local\Temp\MBSetup.exe | explorer.exe
User: admin
Company: Malwarebytes
Integrity Level: HIGH
Description: Malwarebytes Setup
Exit code: 0
Version: 5.2.5.120
Modules (images):
c:\users\admin\appdata\local\temp\mbsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
6640 | "C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe" | C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe | services.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: Malwarebytes Installer Service
Exit code: 0
Version: 5.1.0.175
Modules (images):
c:\program files\malwarebytes\anti-malware\mbaminstallerservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\authz.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
836 | "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun | C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe | MBAMInstallerService.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: MBVpnTunnelService.exe
Exit code: 0
Version: 5.0.0.101
Modules (images):
c:\program files\malwarebytes\anti-malware\mbvpntunnelservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
5740 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | MBVpnTunnelService.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5256 | DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "00000000000001D8" "Service-0x0-3e7$\Default" "00000000000001E8" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun" | C:\Windows\System32\drvinst.exe | svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
6152 | "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected | C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe | MBAMInstallerService.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: Malwarebytes Service
Exit code: 0
Version: 3.2.0.1355
Modules (images):
c:\program files\malwarebytes\anti-malware\mbamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
6176 | "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" | C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe | services.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: Malwarebytes Service
Version: 3.2.0.1355
Modules (images):
c:\program files\malwarebytes\anti-malware\mbamservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\user32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\iphlpapi.dll
4996 | ig.exe secure | C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe | MBAMService.exe
User: admin
Company: MalwareBytes
Integrity Level: LOW
Description: Malware Scanner
Exit code: 3235811341
Version: 1.0.4.8
Modules (images):
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4384 | c:\windows\system32\help.exe /? | C:\Windows\SysWOW64\help.exe | ig.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Command Line Help Utility
Exit code: 3221225506
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\help.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 262 391
Read events: 261 435
Write events: 933
Delete events: 23

Modification events

Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes | Operation: write | Name: id | Value: ab1c4b569c6e4ce6997145e64cc9a845
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes | Operation: write | Name: id | Value: ab1c4b569c6e4ce6997145e64cc9a845
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey | Operation: delete key | Name: (default) | Value: -
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: UserName | Value: admin
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: ProductCode | Value: MBAM-C
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: ProductBuild | Value: consumer
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: ProgramDirectory | Value: C:\Program Files\Malwarebytes\Anti-Malware
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: LocalAppDataDir | Value: C:\Users\admin\AppData\Local
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: Channel | Value: release
Process: (6652) MBSetup.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: Installer | Value: C:\Users\admin\AppData\Local\Temp\MBSetup.exe
Executable files: 1 305
Suspicious files: 907
Text files: 474
Unknown types: 13

Dropped files

PID | Process | Filename | Type
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\ctlrpkg.7z | -
MD5: -
SHA256: -
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\dbclspkg.7z | -
MD5: -
SHA256: -
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\dotnetpkg.7z | -
MD5: -
SHA256: -
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\servicepkg\srvversion.dat | text
MD5: 4E8216B2AB7456D308DB77544216F2F5
SHA256: DF1626CDEDB79ED8B7E013C7A31B4ACCF312A39635A689F3BE4BB6821E951E8D
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\ctlrpkg\Assistant.runtimeconfig.json | binary
MD5: D94CF983FBA9AB1BB8A6CB3AD4A48F50
SHA256: 1ECA0F0C70070AA83BB609E4B749B26DCB4409784326032726394722224A098A
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\ctlrpkg\Malwarebytes.runtimeconfig.json | binary
MD5: EDAF04AFDA9B2C6D778D7042E7824A2F
SHA256: AE076CC42958355D8E061A4D3D020BED0EF3CD0C37C1851BDF84844503F9880C
6652 | MBSetup.exe | C:\Windows\SysWOW64\drivers\mbamtestfile.dat | text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\servicepkg.7z | compressed
MD5: 63A48540A821504A8D95FAE70FDBDE31
SHA256: 6A1B0CFEEA467E0E6719F9E388FDBC5613A0CDDBF85EF2AF7768A9134FB5FC13
6640 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTempba1950c0cf9811efaf57525400516a2b\servicepkg\MBAMService.exe | executable
MD5: A91250EE015E44503B78B787BD444558
SHA256: A43179B449C2BAB069CFC055DE0A3E9E5F3BA378FE4306C19F2B999325A2C7B2
6652 | MBSetup.exe | C:\ProgramData\mbamtestfile.dat | text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 149
DNS requests: 201
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6744 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | - | unknown | - | whitelisted
2548 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | - | unknown | - | whitelisted
6176 | MBAMService.exe | GET | 200 | 104.18.38.233:80 | http://crl.comodoca.com/AAACertificateServices.crl | - | unknown | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | - | unknown | - | whitelisted
6476 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | - | unknown | - | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | - | unknown | - | whitelisted
6476 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | - | unknown | - | whitelisted
6176 | MBAMService.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Identity%20Verification%20Root%20Certificate%20Authority%202020.crl | - | unknown | - | whitelisted
6176 | MBAMService.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Public%20RSA%20Timestamping%20CA%202020.crl | - | unknown | - | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | - | unknown | - | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2548 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2548 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
6652 | MBSetup.exe | 52.11.169.241:443 | api2.amplitude.com | AMAZON-02 | US | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.bing.com
whitelisted
api2.amplitude.com
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
whitelisted
ark.mwbsys.com
  • 3.212.179.98
  • 34.198.178.3
  • 34.199.184.93
whitelisted
cdn.mwbsys.com
  • 99.86.4.35
  • 99.86.4.25
  • 99.86.4.118
  • 99.86.4.72
whitelisted

Threats

No threats detected
No debug info