File name: MBSetup (1).exe
Full analysis: https://app.any.run/tasks/1a4c8652-5971-4fa9-92e3-516d0e459300
Verdict: Malicious activity
Threats:

Stealers are a family of malware built to gain unauthorized access to a user's information and pass it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency wallets, and many also spy on the victim by logging keystrokes and taking screenshots. Stealers are distributed primarily through phishing campaigns.

The stealer and connectwise/rmm-tool tags on this task are signature-driven rather than the result of an extracted payload: the malicious-level hit is the single "Actions looks like stealing of personal data" rule on MBAMService.exe, the screenshot capability is a YARA match on Malwarebytes.exe, and the ConnectWise detection is an INFO-level hit with no ConnectWise host anywhere in the network sections. All of those are behaviours an endpoint-protection product legitimately exhibits. Against that, the version resource names the file as Malwarebytes Setup, every HTTP request MBAMService.exe made is an OCSP certificate-status check, the only non-Microsoft hosts contacted are Malwarebytes (ark.mwbsys.com, cdn.mwbsys.com) and the Amplitude product-analytics API (api2.amplitude.com), the network section records no threats, and no malware configuration was extracted. Before treating this sample as a stealer, verify its Authenticode signature and confirm that the hashes below match the file you hold.

Analysis date: April 13, 2025, 15:18:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
connectwise
rmm-tool
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 09E0E68FC7650CA68899739080709F91
SHA1: A665AC359EF3F782B78484A71A266E50A71567AD
SHA256: BF83BCE7085B016B5DBD65308C92EFA9B87B17DA561F490A1A17EF96C3D93DAC
SSDEEP: 98304:oURp2UZfeZDtk0wi22IT1PD222222272TSRTP4WG5N0aFvGSSRkrlcfABLqI141S:7XD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • MBAMService.exe (PID: 5124)
  • SUSPICIOUS

    • Reads the BIOS version

      • MBSetup (1).exe (PID: 7184)
      • MBAMService.exe (PID: 5124)
    • Creates files in the driver directory

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
      • drvinst.exe (PID: 5164)
    • Executable content was dropped or overwritten

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
      • drvinst.exe (PID: 5164)
    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • The process verifies whether the antivirus software is installed

      • MBSetup (1).exe (PID: 7184)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMInstallerService.exe (PID: 7776)
      • MBAMWsc.exe (PID: 7908)
      • MBAMService.exe (PID: 5124)
      • Malwarebytes.exe (PID: 7996)
    • Searches for installed software

      • MBAMInstallerService.exe (PID: 7776)
      • MBSetup (1).exe (PID: 7184)
      • MBAMService.exe (PID: 5124)
    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • The process creates files with name similar to system file names

      • MBAMInstallerService.exe (PID: 7776)
    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 7776)
    • Process drops legitimate windows executable

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 7776)
    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • Adds/modifies Windows certificates

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • Creates or modifies Windows services

      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 5124)
    • Reads security settings of Internet Explorer

      • MBAMService.exe (PID: 5124)
      • ig.exe (PID: 2616)
    • Creates a software uninstall entry

      • MBAMInstallerService.exe (PID: 7776)
    • There is functionality for taking screenshot (YARA)

      • Malwarebytes.exe (PID: 7996)
  • INFO

    • The sample compiled with english language support

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • Create files in a temporary directory

      • MBSetup (1).exe (PID: 7184)
    • Reads the computer name

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
      • ig.exe (PID: 2616)
      • Malwarebytes.exe (PID: 7996)
      • MBAMWsc.exe (PID: 7908)
    • Checks supported languages

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • MBAMService.exe (PID: 4120)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 5124)
      • ig.exe (PID: 2616)
      • Malwarebytes.exe (PID: 7996)
      • MBAMWsc.exe (PID: 7908)
    • Creates files in the program directory

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • MBAMService.exe (PID: 5124)
      • Malwarebytes.exe (PID: 7996)
    • Reads the machine GUID from the registry

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 5124)
    • Checks proxy server information

      • MBSetup (1).exe (PID: 7184)
      • slui.exe (PID: 8104)
      • Malwarebytes.exe (PID: 7996)
    • Reads the software policy settings

      • MBAMInstallerService.exe (PID: 7776)
      • MBSetup (1).exe (PID: 7184)
      • slui.exe (PID: 7360)
      • slui.exe (PID: 8104)
      • drvinst.exe (PID: 5164)
      • Malwarebytes.exe (PID: 7996)
      • MBAMService.exe (PID: 5124)
    • The sample compiled with spanish language support

      • MBAMInstallerService.exe (PID: 7776)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 5164)
    • Reads the time zone

      • MBAMService.exe (PID: 5124)
    • Reads CPU info

      • MBAMService.exe (PID: 5124)
    • CONNECTWISE has been detected

      • MBAMService.exe (PID: 5124)
    • Reads Environment values

      • MBAMService.exe (PID: 5124)
    • Creates files or folders in the user directory

      • Malwarebytes.exe (PID: 7996)
    • Process checks whether UAC notifications are on

      • Malwarebytes.exe (PID: 7996)
    • Process checks computer location settings

      • Malwarebytes.exe (PID: 7996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

TRiD ranks by byte-pattern similarity, so the Win64 score is a misclassification: the PE header below (PEType PE32, MachineType Intel 386, ImageFileCharacteristics 32-bit) and the SysWOW64 ntdll.dll loaded by the MBSetup (1).exe process (PID 6044) both identify a 32-bit image.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:26 20:49:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 804352
InitializedDataSize: 1981440
UninitializedDataSize: -
EntryPoint: 0x916c5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.2.8.127
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library (this is the author-controlled FileType field of the version resource; it disagrees with the COFF characteristics above, which carry the Executable flag and no DLL flag, so the header, not the resource, is the authoritative file type)
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Malwarebytes
FileDescription: Malwarebytes Setup
FileVersion: 5.2.8.127
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
InternalName: MBSetup.exe
OriginalFileName: MBSetup.exe
ProductName: Malwarebytes
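The static fields above (file hashes, MachineType, TimeStamp, LinkerVersion, code and data sizes, EntryPoint, Subsystem) come straight out of the PE headers, and re-deriving them from the file on disk is the quickest way to confirm that the file being examined is the one this report describes. The Python below is an added example, not ANY.RUN's or Malwarebytes' code: it parses the DOS, COFF and optional headers, reports the fields in the report's own format, and checks whether the security data directory (slot 4) is populated, which is where an Authenticode signature blob lives. The sample itself is not reproduced on this page, so the demo builds a constructed header-only PE32 image carrying the EXIF values above; on a real file, replace build_sample_pe() with open(path, "rb").read().

```python
"""Re-derive a sandbox report's static file indicators from a PE image and
check for an Authenticode signature directory. Added example; the report's
sample is not reproduced here, so build_sample_pe() constructs a header-only
PE32 image that carries the EXIF values from the report."""
import hashlib
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot that points at the WIN_CERTIFICATE blob


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 in the upper-case form the report prints."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    if opt_size < 96:
        raise ValueError("optional header too short to hold data directories")
    opt = pe + 24                                                    # 4-byte signature + 20-byte COFF header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B           # PE32+ (64-bit) shifts the directories
    lmaj, lmin, code, init, uninit, entry = struct.unpack_from("<BBIIII", data, opt + 2)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dirs = opt + (112 if plus else 96)
    _, sec_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "pe_type": "PE32+" if plus else "PE32",
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "linker": f"{lmaj}.{lmin}",
        "code_size": code,
        "init_data_size": init,
        "uninit_data_size": uninit,
        "entry_point": hex(entry),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "executable": bool(chars & 0x0002),   # IMAGE_FILE_EXECUTABLE_IMAGE
        "dll": bool(chars & 0x2000),          # IMAGE_FILE_DLL, the authoritative exe/DLL flag
        "has_authenticode": sec_size > 0,     # presence only; chain validation needs the blob itself
    }


def build_sample_pe(signed: bool = False) -> bytes:
    """Constructed header-only PE32 image with the report's EXIF values (not the real file)."""
    stamp = int(datetime(2025, 2, 26, 20, 49, 38, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew at 0x3C -> headers at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 5, stamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 38, 804352, 1981440, 0, 0x916C5)
    struct.pack_into("<HHHHHH", opt, 40, 6, 0, 0, 0, 6, 0)           # OS, image and subsystem versions
    struct.pack_into("<HH", opt, 68, 2, 0)                             # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    blob = b""
    if signed:   # point the security directory at a dummy WIN_CERTIFICATE header (no real signature)
        blob = struct.pack("<IHH", 8, 0x0200, 0x0002)
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         len(dos) + len(coff) + len(opt), len(blob))
    return dos + coff + bytes(opt) + blob


if __name__ == "__main__":
    image = build_sample_pe()                  # for a real file: open(path, "rb").read()
    for key, value in {**parse_pe(image), **file_hashes(image)}.items():
        print(f"{key:>18}: {value}")
```

A populated security directory only tells you a signature blob exists; validating the chain, and confirming that the signer really is Malwarebytes as the version resource claims, still needs signtool verify, Get-AuthenticodeSignature or an equivalent. The exe/DLL answer comes from the COFF characteristics parsed here, not from the version resource's FileType field, which is whatever the author wrote into it.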
All screenshots are available in the full report
Total processes: 162
Monitored processes: 20
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Processes in the graph, in report order: mbsetup (1).exe, sppextcomobj.exe (no specs), slui.exe, mbaminstallerservice.exe, slui.exe, mbvpntunnelservice.exe, conhost.exe (no specs), drvinst.exe, mbamservice.exe, mbamservice.exe, ig.exe (no specs), help.exe (no specs), help.exe (no specs), malwarebytes.exe, mbamwsc.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), mbsetup (1).exe (no specs)

Process information

Only the ten records below survived extraction; the PIDs most of the signatures above refer to (7184 MBSetup (1).exe, 7776 MBAMInstallerService.exe, 7908 MBAMWsc.exe, 7996 Malwarebytes.exe) have no record here. NTSTATUS meanings are given for the non-zero exit codes.

PID 744 | CMD: /? | Path: C:\Windows\SysWOW64\help.exe | Parent: ig.exe
User: admin | Company: Microsoft Corporation | Integrity Level: LOW
Description: Command Line Help Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
Exit code: 3221225506 (0xC0000022, STATUS_ACCESS_DENIED)
Loaded images: c:\windows\syswow64\help.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 2616 | CMD: ig.exe secure | Path: C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe | Parent: MBAMService.exe
User: admin | Company: MalwareBytes | Integrity Level: LOW
Description: Malware Scanner | Version: 1.0.4.8
Exit code: 3235811341 (0xC0DE900D)
Loaded images: c:\program files\malwarebytes\anti-malware\ig.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

PID 4120 | CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected | Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe | Parent: MBAMInstallerService.exe
User: SYSTEM | Company: Malwarebytes | Integrity Level: SYSTEM
Description: Malwarebytes Service | Version: 3.2.0.1390
Exit code: 0
Loaded images: c:\program files\malwarebytes\anti-malware\mbamservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\bcrypt.dll

PID 4212 | CMD: c:\windows\system32\help.exe /? | Path: C:\Windows\SysWOW64\help.exe | Parent: ig.exe
User: admin | Company: Microsoft Corporation | Integrity Level: LOW
Description: Command Line Help Utility | Version: 10.0.19041.1 (WinBuild.160101.0800)
Exit code: 3221225506 (0xC0000022, STATUS_ACCESS_DENIED)
Loaded images: c:\windows\syswow64\help.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 4740 | CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun | Path: C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe | Parent: MBAMInstallerService.exe
User: SYSTEM | Company: Malwarebytes | Integrity Level: SYSTEM
Description: MBVpnTunnelService.exe | Version: 5.0.0.101
Exit code: 0
Loaded images: c:\program files\malwarebytes\anti-malware\mbvpntunnelservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\user32.dll

PID 5124 | CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" | Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe | Parent: services.exe
User: SYSTEM | Company: Malwarebytes | Integrity Level: SYSTEM
Description: Malwarebytes Service | Version: 3.2.0.1390
Loaded images: c:\program files\malwarebytes\anti-malware\mbamservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\iphlpapi.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll, c:\windows\system32\ole32.dll

PID 5164 | CMD: DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "00000000000001BC" "Service-0x0-3e7$\Default" "00000000000001D4" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun" | Path: C:\Windows\System32\drvinst.exe | Parent: svchost.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Driver Installation Module | Version: 10.0.19041.3996 (WinBuild.160101.0800)
Exit code: 0
Loaded images: c:\windows\system32\drvinst.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\cfgmgr32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\ntmarta.dll, c:\windows\system32\devrtl.dll, c:\windows\system32\drvstore.dll

PID 5188 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: UCPDMgr.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Exit code: 0
Loaded images: c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 6044 | CMD: "C:\Users\admin\AppData\Local\Temp\MBSetup (1).exe" | Path: C:\Users\admin\AppData\Local\Temp\MBSetup (1).exe | Parent: explorer.exe
User: admin | Company: Malwarebytes | Integrity Level: MEDIUM
Description: Malwarebytes Setup | Version: 5.2.8.127
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Loaded images: c:\users\admin\appdata\local\temp\mbsetup (1).exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 6476 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: MBVpnTunnelService.exe
User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
Exit code: 0
Loaded images: c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 254 752
Read events: 253 808
Write events: 920
Delete events: 24

Modification events

(PID 7184) MBSetup (1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey | Operation: delete key | Name: (default)
(PID 7184) MBSetup (1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes | Operation: write | Name: id | Value: 5298d1f6e7a7422cb9019fc3101232b8
(PID 7184) MBSetup (1).exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes | Operation: write | Name: id | Value: 5298d1f6e7a7422cb9019fc3101232b8
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: CurrentStep | Value: 1
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: MaxStep | Value: 15
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: PercentComplete | Value: 6.666667
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: StepName | Value: INSTALL_PREPARE_STEP
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: MbamUpgrade | Value: 0
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: InstallTempDir | Value: C:\WINDOWS\TEMP\MBInstallTemp95086463187a11f09e46dc4b8674d0fb
(PID 7776) MBAMInstallerService.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters | Operation: write | Name: FreshInstall | Value: 1
Executable files: 1 263
Suspicious files: 280
Text files: 72
Unknown types: 2

Dropped files (PID | Process | Filename | Type | MD5 | SHA256; fields blank in the report are left blank)

7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg.7z | Type: | MD5: | SHA256:
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\dbclspkg.7z | Type: | MD5: | SHA256:
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\dotnetpkg.7z | Type: | MD5: | SHA256:
7184 | MBSetup (1).exe | C:\ProgramData\mbamtestfile.dat | Type: text | MD5: 9F06243ABCB89C70E0C331C61D871FA7 | SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\servicepkg\MBAMService.exe | Type: executable | MD5: 1CB848862AD97D3E4C2C2D559C091B2D | SHA256: 56590D7734A8A61AA5E28EA4DE17FBB5C3926CCA8FB8ADAA5ED9B8E6D3180AB7
7184 | MBSetup (1).exe | C:\Program Files (x86)\mbamtestfile.dat | Type: text | MD5: 9F06243ABCB89C70E0C331C61D871FA7 | SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg\Assistant.runtimeconfig.json | Type: binary | MD5: D94CF983FBA9AB1BB8A6CB3AD4A48F50 | SHA256: 1ECA0F0C70070AA83BB609E4B749B26DCB4409784326032726394722224A098A
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\servicepkg\mbamelam.cat | Type: binary | MD5: BD4CEAE54AF081D6B1DD91FF584C5D61 | SHA256: C3C4967B05CD00C31CAFC39B57000EC2E82CCF2CA295C72365F5CF6E5D191034
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\servicepkg\srvversion.dat | Type: text | MD5: 7DA9049DB2A1DF81C54860D0B8506235 | SHA256: 0D27707B4CF2AD08C6C490AF271C36B9D9B1F6215A4970ECF97CF374A49D7B00
7776 | MBAMInstallerService.exe | C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg\Malwarebytes_Assistant.deps.json | Type: binary | MD5: 551ED60D45EF35F4BA1C5599449DDC37 | SHA256: A84A1E1D0D4A82A1CA911F5B9BF865BB9F238E09A53806D487B0A6A0E470BC90
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 17
TCP/UDP connections: 62
DNS requests: 38
Threats: 0

HTTP requests

Columns in the source table: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation. Each row below keeps the values that were extracted, in that order (columns blank in the extraction are omitted). Of the 17 requests counted above, ten are shown: the six from MBAMService.exe are all OCSP status checks, the remainder are CRL and OCSP fetches by Windows servicing components (MoUsoCoreWorker.exe, SIHClient.exe) and an svchost.exe instance.

5124 | MBAMService.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQRz3ETyLz2DaZTxGOH%2BA%2BjK7MkGAQUJGWTmAgB6E7U1kzqZFXhwPr7z7MCEQCmV%2Fd4sxrlI9ZnExcY0W6y | unknown | whitelisted
5124 | MBAMService.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCeArDpSs6yEJyh6YNr4MLb | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7944 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7944 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D | unknown | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAYsPEaBY%2BtRPgLpmSJnQ9Y%3D | unknown | whitelisted
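Every request MBAMService.exe made in the table above is an OCSP GET: the URL path is a base64 DER-encoded OCSPRequest whose CertID (hash algorithm, issuer name hash, issuer key hash, serial number) says which certificate the process was checking for revocation, which is why these URLs are whitelisted rather than treated as beaconing. The Python below is an added example, not ANY.RUN's code, that decodes those paths with a minimal DER walker and the standard library only; the three URLs embedded in it are copied from the table. The hash-algorithm table covers SHA-1 and SHA-256; any other OID is returned as the raw dotted string.

```python
"""Decode the OCSP request URLs from a sandbox report's HTTP table. An OCSP GET
carries a base64 DER OCSPRequest in the path; the CertID inside it identifies
the certificate whose status was queried. Added example, standard library only;
the URLs in REPORT_URLS are copied from the report's HTTP-requests table."""
import base64
import urllib.parse

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

# Three of the six OCSP requests issued by MBAMService.exe (PID 5124) in the report.
REPORT_URLS = [
    "http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQRz3ETyLz2DaZTxGOH%2BA%2BjK7MkGAQUJGWTmAgB6E7U1kzqZFXhwPr7z7MCEQCmV%2Fd4sxrlI9ZnExcY0W6y",
    "http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEQCeArDpSs6yEJyh6YNr4MLb",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D",
]


def _tlv(buf: bytes, pos: int):
    """Read one DER element; returns (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Split a constructed element's value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = _tlv(value, pos)
        out.append((tag, body))
    return out


def _oid(body: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_url(url: str) -> list:
    """Return one dict per CertID found in the OCSPRequest embedded in an OCSP GET URL."""
    b64 = urllib.parse.unquote(urllib.parse.urlsplit(url).path.lstrip("/"))
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))      # re-pad; clients often strip '='
    tag, ocsp_request, _ = _tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a DER SEQUENCE")
    tbs = _children(ocsp_request)[0][1]                      # tbsRequest; optionalSignature ignored
    # tbsRequest: optional [0] version and [1] requestorName precede the requestList SEQUENCE
    request_list = next(body for t, body in _children(tbs) if t == 0x30)
    certs = []
    for _, request in _children(request_list):
        alg, name_hash, key_hash, serial = _children(_children(request)[0][1])   # CertID fields
        oid = _oid(_children(alg[1])[0][1])
        certs.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": serial[1].hex(),
        })
    return certs


if __name__ == "__main__":
    for url in REPORT_URLS:
        host = urllib.parse.urlsplit(url).hostname
        for cert in decode_ocsp_url(url):
            print(f"{host:<22} {cert['hash_alg']}  serial={cert['serial']}  "
                  f"issuer_key_hash={cert['issuer_key_hash']}")
```

With the serial and issuer key hash in hand, the checked certificate can be matched against the signer of the dropped MBAMService.exe or the TLS certificates of the mwbsys.com hosts; an OCSP query for a certificate unrelated to the sample's own signer or its TLS peers would be the thing worth a second look. The walker assumes the unsigned form that Windows CryptoAPI sends (no optionalSignature, a single request per URL), which is what all three URLs here contain.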

Connections (PID | Process | IP:port | Domain | ASN | CN | Reputation; fields blank in the report are left blank)

(no PID) | (no process) | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
7184 | MBSetup (1).exe | 35.81.219.14:443 | api2.amplitude.com | AMAZON-02 | US | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7184 | MBSetup (1).exe | 98.83.243.66:443 | ark.mwbsys.com | | US | whitelisted
7184 | MBSetup (1).exe | 13.35.58.13:443 | cdn.mwbsys.com | | US | whitelisted

The two System (PID 4) rows are NetBIOS name-service (137/udp) and datagram (138/udp) broadcasts on the sandbox LAN; the only connections attributable to the sample process itself are the three from PID 7184.
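The connection and HTTP tables mix the sample's own traffic with Windows background activity (svchost.exe, MoUsoCoreWorker.exe, SIHClient.exe, the System process's NetBIOS broadcasts), and the process list shows why parent links alone cannot separate the two: MBAMService.exe (PID 5124) is started by services.exe and drvinst.exe (PID 5164) by svchost.exe, so both look like OS processes by lineage. The Python below is an added example, not ANY.RUN's code, that attributes processes to the sample by image path, then by an installer-owned path on the command line, then by a parent-name walk, and labels each network row accordingly. Process and network rows are transcribed from the report; the entries marked assumed (image paths for the OS processes and the record for PID 7184, which the report does not show) are not on the page.

```python
"""Split a sandbox report's network rows into traffic from the sample's process
lineage and Windows background noise. Added example; process and network
records are transcribed from the report, entries marked 'assumed' are not
shown on the page."""

SAMPLE_PATH = r"C:\Users\admin\AppData\Local\Temp\MBSetup (1).exe"
# Directories the installer populated, taken from the dropped-file and process sections.
SAMPLE_DIRS = (r"C:\Program Files\Malwarebytes\Anti-Malware",
               r"C:\Users\admin\AppData\LocalLow\IGDump")

# pid -> (image name, image path, parent image name, command-line arguments)
PROCESSES = {
    7184: ("MBSetup (1).exe", SAMPLE_PATH, "explorer.exe", ""),                       # assumed: no record shown
    6044: ("MBSetup (1).exe", SAMPLE_PATH, "explorer.exe", ""),
    4120: ("MBAMService.exe", r"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe",
           "MBAMInstallerService.exe", "/Service /Protected"),
    5124: ("MBAMService.exe", r"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe",
           "services.exe", ""),
    4740: ("MBVpnTunnelService.exe", r"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe",
           "MBAMInstallerService.exe", "/installmbtun"),
    2616: ("ig.exe", r"C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe", "MBAMService.exe", "secure"),
    744: ("help.exe", r"C:\Windows\SysWOW64\help.exe", "ig.exe", "/?"),
    4212: ("help.exe", r"C:\Windows\SysWOW64\help.exe", "ig.exe", "/?"),
    5164: ("drvinst.exe", r"C:\Windows\System32\drvinst.exe", "svchost.exe",          # arguments abbreviated
           r'"4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf"'),
    6476: ("conhost.exe", r"C:\Windows\System32\conhost.exe", "MBVpnTunnelService.exe", "0xffffffff -ForceV1"),
    5188: ("conhost.exe", r"C:\Windows\System32\conhost.exe", "UCPDMgr.exe", "0xffffffff -ForceV1"),
    6544: ("svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe", ""),               # assumed
    5496: ("MoUsoCoreWorker.exe", r"C:\Windows\System32\MoUsoCoreWorker.exe", "services.exe", ""),  # assumed
    7944: ("SIHClient.exe", r"C:\Windows\System32\SIHClient.exe", "services.exe", ""),           # assumed
}

# (pid, destination host, sandbox reputation) from the HTTP-request and connection tables.
NETWORK = [
    (5124, "ocsp.sectigo.com", "whitelisted"),
    (5124, "ocsp.usertrust.com", "whitelisted"),
    (5124, "ocsp.digicert.com", "whitelisted"),
    (7184, "api2.amplitude.com", "whitelisted"),
    (7184, "ark.mwbsys.com", "whitelisted"),
    (7184, "cdn.mwbsys.com", "whitelisted"),
    (6544, "login.live.com", "whitelisted"),
    (6544, "ocsp.digicert.com", "whitelisted"),
    (5496, "crl.microsoft.com", "whitelisted"),
    (7944, "www.microsoft.com", "whitelisted"),
]


def _under(path: str, dirs) -> bool:
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in dirs)


def sample_lineage(processes=PROCESSES) -> dict:
    """Return {pid: reason} for every process attributable to the sample."""
    lineage = {}
    for pid, (_, path, _, args) in processes.items():
        if path.lower() == SAMPLE_PATH.lower():
            lineage[pid] = "sample image"
        elif _under(path, SAMPLE_DIRS):
            lineage[pid] = "image in installer-owned directory"       # survives the services.exe boundary
        elif any(d.lower() in args.lower() for d in SAMPLE_DIRS):
            lineage[pid] = "command line references installer-owned path"   # e.g. drvinst.exe via svchost
    changed = True
    while changed:   # then walk parent links by image name until nothing new is attributed
        changed = False
        names = {processes[p][0].lower() for p in lineage}
        for pid, (_, _, parent, _) in processes.items():
            if pid not in lineage and parent.lower() in names:
                lineage[pid] = f"child of {parent}"
                changed = True
    return lineage


def classify_network(rows=NETWORK, processes=PROCESSES) -> list:
    """Tag each (pid, host, reputation) row as 'sample' or 'background'."""
    lineage = sample_lineage(processes)
    return [(pid, host, "sample" if pid in lineage else "background", rep) for pid, host, rep in rows]


if __name__ == "__main__":
    for pid, reason in sorted(sample_lineage().items()):
        print(f"{pid:>5}  {PROCESSES[pid][0]:<24} {reason}")
    for pid, host, origin, rep in classify_network():
        print(f"{pid:>5}  {origin:<10} {host:<24} {rep}")
```

Matching parents by image name rather than PID is a compromise forced by the report format, which lists parent names only, and it would mis-attribute a child of a same-named system process; with raw sandbox JSON use parent PIDs. Every row here ends up whitelisted, so the value of the split is in the residual: a sample-lineage row to a non-whitelisted host would be the one to pivot on.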

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.140
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.141
  • 23.48.23.193
  • 23.48.23.176
  • 23.48.23.169
  • 23.48.23.183
  • 23.48.23.158
  • 23.48.23.156
  • 23.48.23.173
  • 23.48.23.180
  • 23.48.23.177
whitelisted
api2.amplitude.com
  • 35.81.219.14
  • 52.24.126.108
  • 35.80.195.25
  • 44.238.106.106
  • 44.246.101.128
  • 54.69.249.188
  • 35.165.173.90
  • 35.155.178.146
  • 54.201.24.32
  • 52.88.218.85
  • 52.41.15.255
  • 54.149.228.42
  • 44.237.48.197
  • 54.186.79.39
  • 34.209.239.154
  • 52.89.213.37
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.159.130
  • 40.126.31.67
  • 20.190.159.131
  • 40.126.31.131
  • 20.190.159.23
  • 20.190.159.4
  • 20.190.159.75
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
ark.mwbsys.com
  • 98.83.243.66
  • 52.206.21.148
  • 3.211.176.107
whitelisted
cdn.mwbsys.com
  • 13.35.58.13
  • 13.35.58.84
  • 13.35.58.106
  • 13.35.58.113
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info