File name: MBSetup (1).exe

Full analysis: https://app.any.run/tasks/1a4c8652-5971-4fa9-92e3-516d0e459300
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 13, 2025, 15:18:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
connectwise
rmm-tool
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 09E0E68FC7650CA68899739080709F91
SHA1: A665AC359EF3F782B78484A71A266E50A71567AD
SHA256: BF83BCE7085B016B5DBD65308C92EFA9B87B17DA561F490A1A17EF96C3D93DAC
SSDEEP: 98304:oURp2UZfeZDtk0wi22IT1PD222222272TSRTP4WG5N0aFvGSSRkrlcfABLqI141S:7XD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • MBAMService.exe (PID: 5124)
  • SUSPICIOUS

    • Reads the BIOS version

      • MBSetup (1).exe (PID: 7184)
      • MBAMService.exe (PID: 5124)
    • Creates files in the driver directory

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • The process verifies whether the antivirus software is installed

      • MBSetup (1).exe (PID: 7184)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
      • MBAMWsc.exe (PID: 7908)
      • Malwarebytes.exe (PID: 7996)
      • MBAMInstallerService.exe (PID: 7776)
    • Executable content was dropped or overwritten

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 7776)
    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 7776)
    • The process creates files with name similar to system file names

      • MBAMInstallerService.exe (PID: 7776)
    • Process drops legitimate windows executable

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • Adds/modifies Windows certificates

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • Searches for installed software

      • MBSetup (1).exe (PID: 7184)
      • MBAMService.exe (PID: 5124)
      • MBAMInstallerService.exe (PID: 7776)
    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 7776)
      • MBAMService.exe (PID: 5124)
    • Creates or modifies Windows services

      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • Reads security settings of Internet Explorer

      • MBAMService.exe (PID: 5124)
      • ig.exe (PID: 2616)
    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 5124)
    • Creates a software uninstall entry

      • MBAMInstallerService.exe (PID: 7776)
    • There is functionality for taking screenshot (YARA)

      • Malwarebytes.exe (PID: 7996)
  • INFO

    • The sample compiled with english language support

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
    • Checks supported languages

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
      • ig.exe (PID: 2616)
      • Malwarebytes.exe (PID: 7996)
      • MBAMWsc.exe (PID: 7908)
    • Reads the machine GUID from the registry

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 5124)
    • Reads the computer name

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • drvinst.exe (PID: 5164)
      • MBAMService.exe (PID: 4120)
      • MBAMService.exe (PID: 5124)
      • ig.exe (PID: 2616)
      • Malwarebytes.exe (PID: 7996)
      • MBAMWsc.exe (PID: 7908)
    • Reads the software policy settings

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • slui.exe (PID: 7360)
      • slui.exe (PID: 8104)
      • drvinst.exe (PID: 5164)
      • Malwarebytes.exe (PID: 7996)
      • MBAMService.exe (PID: 5124)
    • Creates files in the program directory

      • MBSetup (1).exe (PID: 7184)
      • MBAMInstallerService.exe (PID: 7776)
      • MBVpnTunnelService.exe (PID: 4740)
      • MBAMService.exe (PID: 5124)
      • Malwarebytes.exe (PID: 7996)
    • Create files in a temporary directory

      • MBSetup (1).exe (PID: 7184)
    • Checks proxy server information

      • MBSetup (1).exe (PID: 7184)
      • slui.exe (PID: 8104)
      • Malwarebytes.exe (PID: 7996)
    • The sample compiled with spanish language support

      • MBAMInstallerService.exe (PID: 7776)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 5164)
    • Reads the time zone

      • MBAMService.exe (PID: 5124)
    • Reads CPU info

      • MBAMService.exe (PID: 5124)
    • Reads Environment values

      • MBAMService.exe (PID: 5124)
    • CONNECTWISE has been detected

      • MBAMService.exe (PID: 5124)
    • Process checks whether UAC notifications are on

      • Malwarebytes.exe (PID: 7996)
    • Creates files or folders in the user directory

      • Malwarebytes.exe (PID: 7996)
    • Process checks computer location settings

      • Malwarebytes.exe (PID: 7996)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:26 20:49:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 804352
InitializedDataSize: 1981440
UninitializedDataSize: -
EntryPoint: 0x916c5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.2.8.127
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Malwarebytes
FileDescription: Malwarebytes Setup
FileVersion: 5.2.8.127
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
InternalName: MBSetup.exe
OriginalFileName: MBSetup.exe
ProductName: Malwarebytes
No data.
All screenshots are available in the full report
Total processes: 162
Monitored processes: 20
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown ("no specs" marks nodes for which the report lists no details): mbsetup (1).exe, sppextcomobj.exe (no specs), slui.exe, mbaminstallerservice.exe, slui.exe, mbvpntunnelservice.exe, conhost.exe (no specs), drvinst.exe, mbamservice.exe, mbamservice.exe, ig.exe (no specs), help.exe (no specs), help.exe (no specs), malwarebytes.exe, mbamwsc.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs), mbsetup (1).exe (no specs)

Process information

PID 744 (parent process: ig.exe)
CMD: /?
Path: C:\Windows\SysWOW64\help.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Command Line Help Utility
Exit code: 3221225506
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\help.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll
PID 2616 (parent process: MBAMService.exe)
CMD: ig.exe secure
Path: C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe
User: admin
Company: MalwareBytes
Integrity Level: LOW
Description: Malware Scanner
Exit code: 3235811341
Version: 1.0.4.8
Modules (images): c:\program files\malwarebytes\anti-malware\ig.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll
PID 4120 (parent process: MBAMInstallerService.exe)
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: Malwarebytes Service
Exit code: 0
Version: 3.2.0.1390
Modules (images): c:\program files\malwarebytes\anti-malware\mbamservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\bcrypt.dll
PID 4212 (parent process: ig.exe)
CMD: c:\windows\system32\help.exe /?
Path: C:\Windows\SysWOW64\help.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Command Line Help Utility
Exit code: 3221225506
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\help.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll
PID 4740 (parent process: MBAMInstallerService.exe)
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: MBVpnTunnelService.exe
Exit code: 0
Version: 5.0.0.101
Modules (images): c:\program files\malwarebytes\anti-malware\mbvpntunnelservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\user32.dll
PID 5124 (parent process: services.exe)
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
User: SYSTEM
Company: Malwarebytes
Integrity Level: SYSTEM
Description: Malwarebytes Service
Exit code: not recorded (process still running at the end of the analysis)
Version: 3.2.0.1390
Modules (images): c:\program files\malwarebytes\anti-malware\mbamservice.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\iphlpapi.dll, c:\windows\system32\crypt32.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll, c:\windows\system32\ole32.dll
PID 5164 (parent process: svchost.exe)
CMD: DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "00000000000001BC" "Service-0x0-3e7$\Default" "00000000000001D4" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
Path: C:\Windows\System32\drvinst.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\drvinst.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\cfgmgr32.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\ntmarta.dll, c:\windows\system32\devrtl.dll, c:\windows\system32\drvstore.dll
PID 5188 (parent process: UCPDMgr.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID 6044 (parent process: explorer.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\MBSetup (1).exe"
Path: C:\Users\admin\AppData\Local\Temp\MBSetup (1).exe
User: admin
Company: Malwarebytes
Integrity Level: MEDIUM
Description: Malwarebytes Setup
Exit code: 3221226540
Version: 5.2.8.127
Modules (images): c:\users\admin\appdata\local\temp\mbsetup (1).exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll
PID 6476 (parent process: MBVpnTunnelService.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 254 752
Read events: 253 808
Write events: 920
Delete events: 24

Modification events

  • PID 7184, MBSetup (1).exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey; Operation: delete key; Name: (default); Value: (none)
  • PID 7184, MBSetup (1).exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes; Operation: write; Name: id; Value: 5298d1f6e7a7422cb9019fc3101232b8
  • PID 7184, MBSetup (1).exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes; Operation: write; Name: id; Value: 5298d1f6e7a7422cb9019fc3101232b8
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: CurrentStep; Value: 1
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: MaxStep; Value: 15
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: PercentComplete; Value: 6.666667
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: StepName; Value: INSTALL_PREPARE_STEP
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: MbamUpgrade; Value: 0
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: InstallTempDir; Value: C:\WINDOWS\TEMP\MBInstallTemp95086463187a11f09e46dc4b8674d0fb
  • PID 7776, MBAMInstallerService.exe; Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters; Operation: write; Name: FreshInstall; Value: 1
Executable files: 1 263
Suspicious files: 280
Text files: 72
Unknown types: 2

Dropped files

  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg.7z (type, MD5 and SHA256 not recorded)
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\dbclspkg.7z (type, MD5 and SHA256 not recorded)
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\dotnetpkg.7z (type, MD5 and SHA256 not recorded)
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\7z.dll (executable); MD5: 3430E2544637CEBF8BA1F509ED5A27B1; SHA256: BB01C6FBB29590D6D144A9038C2A7736D6925A6DBD31889538AF033E03E4F5FA
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg\Malwarebytes_Assistant.deps.json (binary); MD5: 551ED60D45EF35F4BA1C5599449DDC37; SHA256: A84A1E1D0D4A82A1CA911F5B9BF865BB9F238E09A53806D487B0A6A0E470BC90
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\servicepkg\mbamelam.cat (binary); MD5: BD4CEAE54AF081D6B1DD91FF584C5D61; SHA256: C3C4967B05CD00C31CAFC39B57000EC2E82CCF2CA295C72365F5CF6E5D191034
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg\Assistant.runtimeconfig.json (binary); MD5: D94CF983FBA9AB1BB8A6CB3AD4A48F50; SHA256: 1ECA0F0C70070AA83BB609E4B749B26DCB4409784326032726394722224A098A
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg\Malwarebytes.runtimeconfig.json (binary); MD5: EDAF04AFDA9B2C6D778D7042E7824A2F; SHA256: AE076CC42958355D8E061A4D3D020BED0EF3CD0C37C1851BDF84844503F9880C
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\servicepkg.7z (compressed); MD5: 7C6D52D92DDEB17E11E31EA40A30D594; SHA256: 50D70AE70405F93458B348FBA2CCE90726EBD124ADD2E03EF9136CADAFF48388
  • PID 7776, MBAMInstallerService.exe: C:\Windows\Temp\MBInstallTemp95086463187a11f09e46dc4b8674d0fb\ctlrpkg\mbam.firefox.manifest.json (binary); MD5: F83DF8976D2F549973B4741AABEC7DC8; SHA256: 81E215E014635B567D9D11CCCCAE20A0E62BB4D640B1CCE0B30ECE970212AF02
HTTP(S) requests: 17
TCP/UDP connections: 62
DNS requests: 38
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7944 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7944 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTjzY2p9Pa8oibmj%2BNSMWsz63kmWgQUuhbZbU2FL3MpdpovdYxqII%2BeyG8CEAuuZrxaun%2BVh8b56QTjMwQ%3D | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAYsPEaBY%2BtRPgLpmSJnQ9Y%3D | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | - | - | whitelisted
5124 | MBAMService.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQRz3ETyLz2DaZTxGOH%2BA%2BjK7MkGAQUJGWTmAgB6E7U1kzqZFXhwPr7z7MCEQCmV%2Fd4sxrlI9ZnExcY0W6y | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7184 | MBSetup (1).exe | 35.81.219.14:443 | api2.amplitude.com | AMAZON-02 | US | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
7184 | MBSetup (1).exe | 98.83.243.66:443 | ark.mwbsys.com | - | US | whitelisted
7184 | MBSetup (1).exe | 13.35.58.13:443 | cdn.mwbsys.com | - | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
whitelisted
api2.amplitude.com
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
login.live.com
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 184.30.131.245
whitelisted
ark.mwbsys.com
  • 98.83.243.66
  • 52.206.21.148
  • 3.211.176.107
whitelisted
cdn.mwbsys.com
  • 13.35.58.13
  • 13.35.58.84
  • 13.35.58.106
  • 13.35.58.113
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted

Threats

No threats detected
No debug info