File name:

MBSetup.exe

Full analysis: https://app.any.run/tasks/f0496607-d417-4c15-9e9f-abe7a729917f
Verdict: Malicious activity
Analysis date: June 05, 2025, 08:06:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

09E0E68FC7650CA68899739080709F91

SHA1:

A665AC359EF3F782B78484A71A266E50A71567AD

SHA256:

BF83BCE7085B016B5DBD65308C92EFA9B87B17DA561F490A1A17EF96C3D93DAC

SSDEEP:

98304:oURp2UZfeZDtk0wi22IT1PD222222272TSRTP4WG5N0aFvGSSRkrlcfABLqI141S:7XD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the BIOS version

      • MBSetup.exe (PID: 4400)
      • MBAMService.exe (PID: 7572)
    • Searches for installed software

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
    • Creates files in the driver directory

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • MBAMService.exe (PID: 7880)
      • MBVpnTunnelService.exe (PID: 672)
    • The process verifies whether the antivirus software is installed

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • MBVpnTunnelService.exe (PID: 672)
      • MBAMService.exe (PID: 7572)
      • MBAMService.exe (PID: 7880)
    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 4180)
      • MBAMService.exe (PID: 7572)
    • Executable content was dropped or overwritten

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • MBVpnTunnelService.exe (PID: 672)
      • MBAMService.exe (PID: 7880)
      • MBAMService.exe (PID: 7572)
    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 4180)
    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 4180)
      • MBVpnTunnelService.exe (PID: 672)
      • drvinst.exe (PID: 7340)
      • MBAMService.exe (PID: 7880)
      • MBAMService.exe (PID: 7572)
    • The process creates files with name similar to system file names

      • MBAMInstallerService.exe (PID: 4180)
    • Process drops legitimate windows executable

      • MBAMInstallerService.exe (PID: 4180)
      • MBAMService.exe (PID: 7572)
    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 4180)
      • MBAMService.exe (PID: 7572)
    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 4180)
      • MBAMService.exe (PID: 7572)
    • Adds/modifies Windows certificates

      • MBAMInstallerService.exe (PID: 4180)
    • The process checks if it is being run in the virtual environment

      • MBAMService.exe (PID: 7880)
      • MBAMService.exe (PID: 7572)
    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 7572)
    • Reads security settings of Internet Explorer

      • MBAMService.exe (PID: 7572)
    • Creates or modifies Windows services

      • MBAMService.exe (PID: 7880)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5056)
    • Starts CMD.EXE for commands execution

      • MBSetup.exe (PID: 4400)
    • The process drops Mozilla's DLL files

      • MBAMService.exe (PID: 7572)
  • INFO

    • The sample compiled with english language support

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • MBVpnTunnelService.exe (PID: 672)
      • MBAMService.exe (PID: 7880)
      • MBAMService.exe (PID: 7572)
    • Checks supported languages

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • MBAMService.exe (PID: 7880)
      • MBVpnTunnelService.exe (PID: 672)
      • MBAMService.exe (PID: 7572)
    • Reads the machine GUID from the registry

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • MBAMService.exe (PID: 7572)
    • Create files in a temporary directory

      • MBSetup.exe (PID: 4400)
    • Reads the computer name

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • MBVpnTunnelService.exe (PID: 672)
      • drvinst.exe (PID: 7340)
      • MBAMService.exe (PID: 7880)
      • MBAMService.exe (PID: 7572)
    • Creates files in the program directory

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • MBVpnTunnelService.exe (PID: 672)
      • MBAMService.exe (PID: 7572)
    • Checks proxy server information

      • MBSetup.exe (PID: 4400)
    • Reads the software policy settings

      • MBSetup.exe (PID: 4400)
      • MBAMInstallerService.exe (PID: 4180)
      • drvinst.exe (PID: 7340)
      • slui.exe (PID: 7968)
    • The sample compiled with spanish language support

      • MBAMInstallerService.exe (PID: 4180)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 7340)
    • Manual execution by a user

      • firefox.exe (PID: 3140)
    • Application launched itself

      • firefox.exe (PID: 7608)
      • firefox.exe (PID: 3140)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:26 20:49:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.38
CodeSize: 804352
InitializedDataSize: 1981440
UninitializedDataSize: -
EntryPoint: 0x916c5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.2.8.127
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Malwarebytes
FileDescription: Malwarebytes Setup
FileVersion: 5.2.8.127
LegalCopyright: Copyright (C) 2017 - 2024 Malwarebytes, Inc. All rights reserved.
InternalName: MBSetup.exe
OriginalFileName: MBSetup.exe
ProductName: Malwarebytes
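The TRiD guess above ("Win64 Executable (generic) (76.4)") contradicts the PE header fields that follow it (PE32, Intel 386, 32-bit characteristics): TRiD scores byte patterns and its generic entries are not a format determination, so the header is the record to trust. The version resource (CompanyName, FileDescription, LegalCopyright) is likewise unsigned metadata that any binary can carry; the check that actually ties the file to Malwarebytes is its Authenticode signature (Get-AuthenticodeSignature in PowerShell, or signtool verify /pa). The following Python is an added example, not code from ANY.RUN or Malwarebytes: it reads the COFF and optional headers straight from the bytes and diffs them against the values listed in this report, so an analyst holding a file with the SHA256 above can confirm the headers match before relying on the rest of the report. build_synthetic_pe constructs a minimal header carrying the report's values so the script runs offline; on a real sample, pass open(path, "rb").read() to pe_summary instead.

```python
"""Added example (not ANY.RUN's or Malwarebytes' code): read PE headers and diff
them against the EXIF values listed in this report."""
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64 (x86-64)"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}

# Copied from the EXIF block of this report; the comparison target.
REPORT_METADATA = {
    "pe_type": "PE32",
    "machine": "Intel 386 or later, and compatibles",
    "sections": 5,
    "timestamp": "2025:02:26 20:49:38+00:00",
    "linker_version": "14.38",
    "code_size": 804352,
    "initialized_data_size": 1981440,
    "entry_point": "0x916c5",
    "os_version": 6,
    "subsystem_version": 6,
    "subsystem": "Windows GUI",
}


def pe_summary(data: bytes) -> dict:
    """Parse the COFF header and the fixed part of the optional header from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ stub")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                               # optional header follows the 20-byte COFF header
    magic, lnk_major, lnk_minor, code, init, _, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_major = struct.unpack_from("<H", data, opt + 40)[0]
    subsys_major = struct.unpack_from("<H", data, opt + 48)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset for PE32 and PE32+
    return {
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "initialized_data_size": init,
        "entry_point": hex(entry),
        "os_version": os_major,
        "subsystem_version": subsys_major,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def mismatches(summary: dict, expected: dict) -> dict:
    """Map each field whose observed value differs from the report to (observed, reported)."""
    return {k: (summary.get(k), v) for k, v in expected.items() if summary.get(k) != v}


def build_synthetic_pe(**overrides) -> bytes:
    """Constructed test input: a minimal PE32 header carrying the report's values.
    This is not MBSetup.exe; it only exercises pe_summary offline."""
    f = dict(machine=0x014C, sections=5, stamp=1740602978, lnk_major=14, lnk_minor=38,
             code=804352, init=1981440, entry=0x916C5, os_major=6, subsys_major=6, subsystem=2)
    f.update(overrides)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", f["machine"], f["sections"], f["stamp"], 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, f["lnk_major"], f["lnk_minor"], f["code"], f["init"], 0, f["entry"])
    opt += struct.pack("<III", 0x1000, 0xC6000, 0x400000)               # BaseOfCode, BaseOfData, ImageBase
    opt += struct.pack("<II", 0x1000, 0x200)                             # SectionAlignment, FileAlignment
    opt += struct.pack("<HHHHHH", f["os_major"], 0, 0, 0, f["subsys_major"], 0)
    opt += struct.pack("<IIII", 0, 0x2B0000, 0x400, 0)                   # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", f["subsystem"], 0x8140)                    # Subsystem, DllCharacteristics
    opt = opt.ljust(224, b"\0")                                          # rest of the PE32 optional header
    return dos + b"PE\0\0" + coff + opt + b"\0" * (40 * f["sections"])  # zeroed section headers


if __name__ == "__main__":
    summary = pe_summary(build_synthetic_pe())
    print(summary)
    print("mismatches:", mismatches(summary, REPORT_METADATA))
```

A non-empty result from mismatches means the file in hand is not the one this report describes (or the report's extraction is wrong); an empty result still says nothing about who built it, which only the signature check settles.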
No data.
All screenshots are available in the full report
Total processes
191
Monitored processes
60
Malicious processes
6
Suspicious processes
0

Behavior graph

start mbsetup.exe mbaminstallerservice.exe slui.exe mbvpntunnelservice.exe conhost.exe no specs drvinst.exe mbamservice.exe mbamservice.exe ig.exe no specs help.exe no specs help.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs ig.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs malwarebytes.exe mbamwsc.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs mbsetup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2976 -prefsLen 32306 -prefMapSize 244583 -jsInitHandle 1352 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca171224-2d95-49f2-8d13-b0505f418193} 7608 "\\.\pipe\gecko-crash-server-pipe.7608" 2761c4a9d90 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 496
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
11862016
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 632
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
6815744
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 672
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
Parent process: MBAMInstallerService.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Description:
MBVpnTunnelService.exe
Exit code:
0
Version:
5.0.0.101
Modules
Images
c:\program files\malwarebytes\anti-malware\mbvpntunnelservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 960
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
5767168
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1052
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
1376256
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1244
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4612 -prefsLen 36668 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {784828ee-f0d7-42a8-bf98-28dcde9820b2} 7608 "\\.\pipe\gecko-crash-server-pipe.7608" 27623821b10 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 1312
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
14352384
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1452
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
11206656
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1600
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status on true /updatesubstatus none /scansubstatus recommended /settingssubstatus none
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
Parent process: MBAMService.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Exit code:
0
Version:
3.1.0.245
Modules
Images
c:\program files\malwarebytes\anti-malware\mbamwsc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\user32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
Total events
278 011
Read events
277 034
Write events
953
Delete events
24

Modification events

(PID) Process: (4400) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey
Operation: delete key
Name: (default)
Value:

(PID) Process: (4400) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation: write
Name: id
Value: 250bd7701cf04c2cbfd9c919ef64ff43

(PID) Process: (4400) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation: write
Name: id
Value: 250bd7701cf04c2cbfd9c919ef64ff43

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: CurrentStep
Value: 1

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: MaxStep
Value: 15

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: PercentComplete
Value: 6.666667

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: StepName
Value: INSTALL_PREPARE_STEP

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: MbamUpgrade
Value: 0

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: InstallTempDir
Value: C:\WINDOWS\TEMP\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772

(PID) Process: (4180) MBAMInstallerService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: FreshInstall
Value: 1
Executable files
1 288
Suspicious files
342
Text files
98
Unknown types
65

Dropped files

PID
Process
Filename
Type
PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\ctlrpkg.7z
Type:
MD5:
SHA256:

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\dbclspkg.7z
Type:
MD5:
SHA256:

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\dotnetpkg.7z
Type:
MD5:
SHA256:

PID: 4400
Process: MBSetup.exe
Filename: C:\ProgramData\mbamtestfile.dat
Type: text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\ctlrpkg\Malwarebytes_Assistant.runtimeconfig.json
Type: binary
MD5: D94CF983FBA9AB1BB8A6CB3AD4A48F50
SHA256: 1ECA0F0C70070AA83BB609E4B749B26DCB4409784326032726394722224A098A

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\ctlrpkg\Assistant.runtimeconfig.json
Type: binary
MD5: D94CF983FBA9AB1BB8A6CB3AD4A48F50
SHA256: 1ECA0F0C70070AA83BB609E4B749B26DCB4409784326032726394722224A098A

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\ctlrpkg\Malwarebytes.runtimeconfig.json
Type: binary
MD5: EDAF04AFDA9B2C6D778D7042E7824A2F
SHA256: AE076CC42958355D8E061A4D3D020BED0EF3CD0C37C1851BDF84844503F9880C

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\ctlrpkg\Assistant.deps.json
Type: binary
MD5: 26D5540F2674A1E33722EAF225EF7591
SHA256: 064A06E32F5A36F010A26737DEDEFD24CDBE5112FD08757B78449C3548447954

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\ctlrpkg\mbam.firefox.manifest.json
Type: binary
MD5: F83DF8976D2F549973B4741AABEC7DC8
SHA256: 81E215E014635B567D9D11CCCCAE20A0E62BB4D640B1CCE0B30ECE970212AF02

PID: 4180
Process: MBAMInstallerService.exe
Filename: C:\Windows\Temp\MBInstallTemp0f9d4ef941e411f0ba3948cf6e511772\servicepkg\mbamelam.sys
Type: executable
MD5: 8DA81AA1F6B89CE1D2E216E3EA351C59
SHA256: F7F047533C670B86022F871CFA3E812B977153DF118239B012D9B3F88B13904D
HTTP(S) requests
25
TCP/UDP connections
82
DNS requests
114
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1072
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1072
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7544
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
7572
MBAMService.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
7572
MBAMService.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
7572
MBAMService.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAYsPEaBY%2BtRPgLpmSJnQ9Y%3D
unknown
whitelisted
7572
MBAMService.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAc2N7ckVHzYR6z9KGYqXls%3D
unknown
whitelisted
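The ocsp.digicert.com requests above are OCSP-over-GET (RFC 6960, appendix A.1): the URL path is a URL-encoded, base64 DER OCSPRequest, so the certificate each process was checking is recoverable from the URL alone, without the PCAP. The following Python is an added example, not code from ANY.RUN or Malwarebytes: a minimal DER walker that pulls the CertID (hash algorithm, issuerNameHash, issuerKeyHash, serial number) out of two URLs copied from the table, the svchost.exe (PID 6544) row and the first MBAMService.exe (PID 7572) row. The issuerKeyHash is the issuing CA's Subject Key Identifier and the serial identifies the certificate, so the pair can be matched against the signer chain of the binaries the installer dropped. For the two URLs decoded here the issuerKeyHash values are the SKIs of DigiCert Global Root CA and DigiCert Trusted Root G4, i.e. the checks are for certificates issued directly by those roots (intermediate CAs); a revocation check on a certificate chaining to an unexpected CA would be the finding worth chasing.

```python
"""Added example (not ANY.RUN's or Malwarebytes' code): decode the CertID inside
an OCSP GET request URL, as seen in this report's HTTP requests table."""
import base64
import urllib.parse

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

# Copied from the HTTP requests table above (svchost.exe PID 6544, MBAMService.exe PID 7572).
SAMPLE_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
]


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(der: bytes):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        yield tag, value


def _decode_oid(raw: bytes) -> str:
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url: str) -> list:
    """Return the CertID(s) carried by an OCSP-over-GET URL (base64 DER in the path)."""
    b64 = urllib.parse.unquote(urllib.parse.urlsplit(url).path.lstrip("/"))
    der = base64.b64decode(b64, validate=True)
    _, ocsp_request, _ = _read_tlv(der, 0)                  # OCSPRequest ::= SEQUENCE
    _, tbs_request, _ = _read_tlv(ocsp_request, 0)          # tbsRequest; GET carries no optionalSignature
    # TBSRequest may begin with [0] version / [1] requestorName; requestList is the SEQUENCE (0x30).
    request_list = next(v for t, v in _children(tbs_request) if t == 0x30)
    cert_ids = []
    for _, request in _children(request_list):
        _, cert_id, _ = _read_tlv(request, 0)               # Request ::= SEQUENCE { reqCert CertID, ... }
        alg_id, name_hash, key_hash, serial = [v for _, v in _children(cert_id)][:4]
        oid = _decode_oid(next(v for t, v in _children(alg_id) if t == 0x06))
        cert_ids.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            # DER INTEGER is two's complement: a leading 0x00 only keeps a high-bit serial positive.
            "serial": (serial.lstrip(b"\x00") or b"\x00").hex(),
        })
    return cert_ids


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        for cid in parse_ocsp_get_url(url):
            print(cid["hash_alg"], "serial", cid["serial"], "issuerKeyHash", cid["issuer_key_hash"])
```

The walker deliberately checks only what it needs (sequence nesting, the SHA-1 AlgorithmIdentifier, two OCTET STRINGs and one INTEGER); it is a triage aid for URLs already captured in a sandbox, not a general OCSP parser, and validate=True makes base64 refuse anything that is not a clean OCSP path.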

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7872
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.32.238.112:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7188
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4400
MBSetup.exe
34.213.16.205:443
api2.amplitude.com
AMAZON-02
US
whitelisted
4400
MBSetup.exe
44.207.18.233:443
ark.mwbsys.com
AMAZON-AES
US
whitelisted
4400
MBSetup.exe
13.35.58.13:443
cdn.mwbsys.com
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
api2.amplitude.com
  • 34.213.16.205
  • 52.41.192.150
  • 54.212.213.204
  • 52.89.184.202
  • 35.164.164.201
  • 52.27.177.179
  • 52.35.160.79
  • 54.71.41.136
  • 54.218.203.220
  • 52.88.42.172
  • 44.239.161.51
  • 54.71.35.30
  • 35.155.221.55
  • 35.163.162.168
  • 54.190.99.220
  • 44.225.129.160
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
ark.mwbsys.com
  • 44.207.18.233
  • 52.207.198.162
  • 23.21.84.238
whitelisted
cdn.mwbsys.com
  • 13.35.58.13
  • 13.35.58.84
  • 13.35.58.113
  • 13.35.58.106
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.131
  • 20.190.159.71
  • 40.126.31.129
  • 20.190.159.64
  • 20.190.159.130
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.130
  • 20.190.159.131
  • 20.190.159.2
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 2600:1901:0:d29a::
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted

Threats

No threats detected
Process
Message
MBAMService.exe
Retry XPE file open
MBAMService.exe
Retry XPE file open
MBAMService.exe
Retry XPE file open