File name: mbam-clean-2.3.0.1001.exe

Full analysis: https://app.any.run/tasks/e6c6db29-b391-49b0-955d-96ef650f9c53
Verdict: Malicious activity
Analysis date: August 07, 2024, 11:05:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: CDA70C84F14A4F31A9F0328DE7510E77
SHA1: 25856A9209BB7788FEB8D6380B78123ADD1C8F45
SHA256: A82E45FF39CA986E03220E271B180DF988D132D769F57D8442F4A8290A2D6A63
SSDEEP: 12288:TU0V5wJI6Z1xlUPbKEECce1BxcMrgN8Id5:Tpwi6ZL4cMrC8C5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • mbam-clean-2.3.0.1001.exe (PID: 6344)
  • SUSPICIOUS

    • The process verifies whether the antivirus software is installed

      • mbam-clean-2.3.0.1001.exe (PID: 6344)
    • Searches for installed software

      • mbam-clean-2.3.0.1001.exe (PID: 6344)
  • INFO

    • Reads the computer name

      • mbam-clean-2.3.0.1001.exe (PID: 6344)
    • Checks supported languages

      • mbam-clean-2.3.0.1001.exe (PID: 6344)
    • Creates files in a temporary directory

      • mbam-clean-2.3.0.1001.exe (PID: 6344)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:06:28 01:32:17+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 264192
InitializedDataSize: 295936
UninitializedDataSize: -
EntryPoint: 0x234d4
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.3.0.1001
ProductVersionNumber: 2.3.0.1001
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Malwarebytes
FileVersion: 2.3.0.1001
FileDescription: Malwarebytes Anti-Malware Complete Removal Tool
InternalName: mbam-clean.exe
LegalCopyright: @ Malwarebytes. All rights reserved.
LegalTrademarks: -
OriginalFileName: mbam-clean
ProductName: mbam-clean
ProductVersion: 2.3.0.1001
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(interactive graph, see the full report) start → mbam-clean-2.3.0.1001.exe → mbam-clean-2.3.0.1001.exe (no specs)

Process information

PID: 6296
CMD: "C:\Users\admin\AppData\Local\Temp\mbam-clean-2.3.0.1001.exe"
Path: C:\Users\admin\AppData\Local\Temp\mbam-clean-2.3.0.1001.exe
Parent process: explorer.exe
User: admin
Company: Malwarebytes
Integrity Level: MEDIUM
Description: Malwarebytes Anti-Malware Complete Removal Tool
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited because the tool needs administrator rights, which is why a second, elevated instance appears below)
Version: 2.3.0.1001
Modules (Images):
c:\users\admin\appdata\local\temp\mbam-clean-2.3.0.1001.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6344
CMD: "C:\Users\admin\AppData\Local\Temp\mbam-clean-2.3.0.1001.exe"
Path: C:\Users\admin\AppData\Local\Temp\mbam-clean-2.3.0.1001.exe
Parent process: explorer.exe
User: admin
Company: Malwarebytes
Integrity Level: HIGH
Description: Malwarebytes Anti-Malware Complete Removal Tool
Exit code: 0
Version: 2.3.0.1001
Modules (Images):
c:\users\admin\appdata\local\temp\mbam-clean-2.3.0.1001.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events: 1 096
Read events: 1 036
Write events: 44
Delete events: 16

Modification events (all by PID 6344, mbam-clean-2.3.0.1001.exe)

Operation | Key | Name | Value
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Malwarebytes Anti-Malware | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Malwarebytes Anti-Malware | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Malwarebytes Anti-Malware (reboot) | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Malwarebytes Anti-Malware (reboot) | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Malwarebytes Anti-Malware (registration) | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Malwarebytes Anti-Malware (registration) | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Malwarebytes Anti-Malware (cleanup) | (empty)
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Malwarebytes Anti-Malware (cleanup) | (empty)
write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager | PendingFileRenameOperations | \??\C:\Users\admin\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware
delete value | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Malwarebytes' Anti-Malware | (empty)
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6344 | mbam-clean-2.3.0.1001.exe | C:\Users\admin\AppData\Local\Temp\clean-removal-log.txt | text
MD5: 5C0538A3917E99E3EC7AA633B7C9D987
SHA256: 5E229FB8602E25116C2FE7CD2B7CDEDEB6936832B3F350A4A3C8826AA5120240
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 41
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in the extracted report)
6824 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6872 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3900 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4576 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4100 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5336 | SearchApp.exe | 2.23.209.143:443 | www.bing.com | Akamai International B.V. | GB | unknown
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
3900 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.bing.com
  • 2.23.209.143
  • 2.23.209.160
  • 2.23.209.141
  • 2.23.209.150
  • 2.23.209.140
  • 2.23.209.142
  • 2.23.209.158
  • 2.23.209.139
  • 2.23.209.149
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.67
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
th.bing.com
  • 2.23.209.158
  • 2.23.209.169
  • 2.23.209.150
  • 2.23.209.168
  • 2.23.209.160
  • 2.23.209.167
  • 2.23.209.171
  • 2.23.209.166
  • 2.23.209.162
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
No debug info