File name: MBSetup.exe

Full analysis: https://app.any.run/tasks/15c58d0b-fdf1-424a-ade7-d5be6992a969
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 08, 2026, 05:37:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader, screenconnect, rmm-tool, stealer, arch-exec
Indicators:
MD5: B289E104190AF1C8A3244D2CC22DFBD3
SHA1: 4BC2BD93B55FC463FD2D37A3A4CDBC8B82A559D9
SHA256: 7E373EEC574CC081B3864AE49BA0C8022D8C94FD88CD634458D41F1086D4F586
SSDEEP: 98304:S4s0Qy5Aj94MCyZFxYYw22IT1PD222222272TSRTP4WG5N0aFvGSSRkrlcfABLqc:yX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 6840)
    • Actions look like stealing of personal data

      • MBAMService.exe (PID: 6840)
  • SUSPICIOUS

    • Creates files in the driver directory

      • MBSetup.exe (PID: 3016)
      • MBVpnTunnelService.exe (PID: 2268)
      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 5412)
      • MBAMService.exe (PID: 6840)
    • The process drops C-runtime libraries

      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 6840)
    • Executable content was dropped or overwritten

      • MBAMInstallerService.exe (PID: 880)
      • MBSetup.exe (PID: 3016)
      • MBVpnTunnelService.exe (PID: 2268)
      • MBAMService.exe (PID: 5412)
      • MBAMService.exe (PID: 6840)
    • Drops 7-zip archiver for unpacking

      • MBAMInstallerService.exe (PID: 880)
    • Searches for installed software

      • MBSetup.exe (PID: 3016)
      • MBAMInstallerService.exe (PID: 880)
      • Malwarebytes.exe (PID: 5304)
      • MBAMService.exe (PID: 6840)
    • Reads the BIOS version

      • MBSetup.exe (PID: 3016)
      • MBAMService.exe (PID: 6840)
      • mbupdatrV5.exe (PID: 7964)
    • The process verifies whether the antivirus software is installed

      • MBSetup.exe (PID: 3016)
      • MBAMInstallerService.exe (PID: 880)
      • MBVpnTunnelService.exe (PID: 2268)
      • drvinst.exe (PID: 7868)
      • MBAMService.exe (PID: 6840)
      • MBAMService.exe (PID: 5412)
      • Malwarebytes.exe (PID: 5988)
      • Malwarebytes.exe (PID: 5724)
      • Malwarebytes.exe (PID: 5304)
      • MBAMWsc.exe (PID: 7740)
      • MBAMWsc.exe (PID: 7232)
      • mbupdatrV5.exe (PID: 7964)
      • DDSHelper.exe (PID: 1656)
    • Executes as Windows Service

      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 6840)
    • Drops a system driver (possible attempt to evade defenses)

      • MBAMInstallerService.exe (PID: 880)
      • drvinst.exe (PID: 7868)
      • MBVpnTunnelService.exe (PID: 2268)
      • MBAMService.exe (PID: 5412)
      • MBAMService.exe (PID: 6840)
    • The process creates files with names similar to system file names

      • MBAMInstallerService.exe (PID: 880)
    • Adds/modifies Windows certificates

      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 6840)
    • Changes Internet Explorer settings (feature browser emulation)

      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 6840)
    • Creates or modifies Windows services

      • MBAMService.exe (PID: 5412)
      • MBAMService.exe (PID: 6840)
    • Creates/Modifies COM task schedule object

      • MBAMService.exe (PID: 6840)
    • Application launched itself

      • Malwarebytes.exe (PID: 5988)
  • INFO

    • Creates files in a temporary directory

      • MBSetup.exe (PID: 3016)
    • Reads the computer name

      • MBSetup.exe (PID: 3016)
      • MBAMInstallerService.exe (PID: 880)
      • MBVpnTunnelService.exe (PID: 2268)
      • drvinst.exe (PID: 7868)
      • MBAMService.exe (PID: 5412)
      • MBAMService.exe (PID: 6840)
      • Malwarebytes.exe (PID: 5304)
      • Malwarebytes.exe (PID: 5988)
      • Malwarebytes.exe (PID: 5724)
      • ig.exe (PID: 2324)
      • MBAMWsc.exe (PID: 7740)
      • MBAMWsc.exe (PID: 7232)
      • ig.exe (PID: 7904)
      • mbupdatrV5.exe (PID: 7964)
      • DDSHelper.exe (PID: 1656)
    • Checks supported languages

      • MBSetup.exe (PID: 3016)
      • MBAMInstallerService.exe (PID: 880)
      • MBVpnTunnelService.exe (PID: 2268)
      • drvinst.exe (PID: 7868)
      • MBAMService.exe (PID: 6840)
      • Malwarebytes.exe (PID: 5304)
      • Malwarebytes.exe (PID: 5988)
      • Malwarebytes.exe (PID: 5724)
      • ig.exe (PID: 2324)
      • MBAMWsc.exe (PID: 7740)
      • MBAMWsc.exe (PID: 7232)
      • mbupdatrV5.exe (PID: 7964)
      • ig.exe (PID: 7904)
      • DDSHelper.exe (PID: 1656)
      • MBAMService.exe (PID: 5412)
    • Reads the machine GUID from the registry

      • MBSetup.exe (PID: 3016)
      • drvinst.exe (PID: 7868)
      • MBAMInstallerService.exe (PID: 880)
      • MBAMService.exe (PID: 6840)
      • mbupdatrV5.exe (PID: 7964)
      • DDSHelper.exe (PID: 1656)
    • Manual execution by a user

      • chrome.exe (PID: 7544)
      • Malwarebytes.exe (PID: 5988)
    • Application launched itself

      • chrome.exe (PID: 7544)
    • The sample was compiled with English language support

      • MBSetup.exe (PID: 3016)
      • MBAMInstallerService.exe (PID: 880)
      • MBVpnTunnelService.exe (PID: 2268)
      • drvinst.exe (PID: 7868)
      • MBAMService.exe (PID: 5412)
      • MBAMService.exe (PID: 6840)
    • The sample was compiled with Spanish language support

      • MBAMInstallerService.exe (PID: 880)
    • Changes settings of System certificates

      • drvinst.exe (PID: 7868)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 7868)
    • Reads security settings of Internet Explorer

      • MBAMService.exe (PID: 6840)
      • Malwarebytes.exe (PID: 5304)
      • ig.exe (PID: 2324)
    • Reads Environment values

      • MBAMService.exe (PID: 6840)
    • Creates a software uninstall entry

      • MBAMInstallerService.exe (PID: 880)
    • CONNECTWISE has been detected

      • MBAMService.exe (PID: 6840)
    • Process checks whether UAC notifications are on

      • Malwarebytes.exe (PID: 5304)
    • There is functionality for taking screenshot (YARA)

      • Malwarebytes.exe (PID: 5304)
    • Process checks computer location settings

      • Malwarebytes.exe (PID: 5304)
    • Reads the time zone

      • MBAMService.exe (PID: 6840)
    • Reads CPU info

      • MBAMService.exe (PID: 6840)
    • Creates files or folders in the user directory

      • Malwarebytes.exe (PID: 5304)
      • ig.exe (PID: 7904)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 168
Monitored processes: 33
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Processes shown in the graph (in order; "no specs" marks processes without recorded details):
  • start
  • mbsetup.exe
  • mbaminstallerservice.exe
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • chrome.exe (no specs)
  • mbvpntunnelservice.exe
  • conhost.exe (no specs)
  • drvinst.exe (no specs)
  • mbamservice.exe
  • mbamservice.exe
  • malwarebytes.exe
  • malwarebytes.exe
  • malwarebytes.exe
  • ig.exe (no specs)
  • help.exe (no specs)
  • help.exe (no specs)
  • ig.exe (no specs)
  • ig.exe (no specs)
  • ig.exe (no specs)
  • mbamwsc.exe (no specs)
  • mbamwsc.exe (no specs)
  • mbupdatrv5.exe (no specs)
  • ig.exe (no specs)
  • ddshelper.exe
  • filecoauth.exe (no specs)
  • mbsetup.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 880
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
Parent process: services.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Description:
Malwarebytes Installer Service
Exit code:
0
Version:
5.1.0.225
Modules
Images
c:\program files\malwarebytes\anti-malware\mbaminstallerservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\authz.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
PID: 1656
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\ddshelper.exe" "C:\Program Files\Malwarebytes\Anti-Malware" "C:\ProgramData\Malwarebytes\MBAMService" "Malwarebytes" "Global\MBUP_a623ed42-4aa0-11f1-8041-42bae7e2fa96"
Path: C:\Program Files\Malwarebytes\Anti-Malware\DDSHelper.exe
Parent process: MBAMService.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Description:
Malwarebytes helper
Version:
1.0.0.4
Modules
Images
c:\program files\malwarebytes\anti-malware\ddshelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1788
CMD: /?
Path: C:\Windows\SysWOW64\help.exe
Parent process: ig.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Command Line Help Utility
Exit code:
3221225506
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\help.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2216
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4304,i,5988881183744852969,5248296629507162247,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=4268 /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2268
CMD: "C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
Path: C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
Parent process: MBAMInstallerService.exe
User:
SYSTEM
Company:
Malwarebytes
Integrity Level:
SYSTEM
Description:
MBVpnTunnelService.exe
Exit code:
0
Version:
5.0.0.101
Modules
Images
c:\program files\malwarebytes\anti-malware\mbvpntunnelservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 2324
CMD: ig.exe secure
Path: C:\Users\admin\AppData\LocalLow\IGDump\sec\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
3235811341
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3016
CMD: "C:\Users\admin\Desktop\MBSetup.exe"
Path: C:\Users\admin\Desktop\MBSetup.exe
Parent process: explorer.exe
User:
admin
Company:
Malwarebytes
Integrity Level:
HIGH
Description:
Malwarebytes Setup
Exit code:
0
Version:
5.5.6.144
Modules
Images
c:\users\admin\desktop\mbsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
PID: 3416
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: MBVpnTunnelService.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3420
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
1572864
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5284
CMD: ig.exe reseed
Path: C:\Program Files\Malwarebytes\Anti-Malware\ig.exe
Parent process: MBAMService.exe
User:
admin
Company:
MalwareBytes
Integrity Level:
LOW
Description:
Malware Scanner
Exit code:
9043968
Version:
1.0.4.8
Modules
Images
c:\program files\malwarebytes\anti-malware\ig.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 178 531
Read events: 177 503
Write events: 1 011
Delete events: 17

Modification events

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\mbamtestkey
Operation: delete key
Name: (default)
Value:

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes
Operation: write
Name: id
Value: 575e3503c631445294b1e521b4d9badd

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Malwarebytes
Operation: write
Name: id
Value: 575e3503c631445294b1e521b4d9badd

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: UserName
Value: admin

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: ProductCode
Value: MBAM-C

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: ProductBuild
Value: consumer

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: ProgramDirectory
Value: C:\Program Files\Malwarebytes\Anti-Malware

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: LocalAppDataDir
Value: C:\Users\admin\AppData\Local

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: Channel
Value: release

Process: (3016) MBSetup.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MBAMInstallerService\Parameters
Operation: write
Name: Installer
Value: C:\Users\admin\Desktop\MBSetup.exe
Executable files: 1 253
Suspicious files: 269
Text files: 164
Unknown types: 44

Dropped files

PID
Process
Filename
Type
PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\ctlrpkg.7z
Type:
MD5:
SHA256:

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\dbclspkg.7z
Type:
MD5:
SHA256:

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\dotnetpkg.7z
Type:
MD5:
SHA256:

PID: 3016
Process: MBSetup.exe
Filename: C:\Windows\SysWOW64\drivers\mbamtestfile.dat
Type: text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\7z.dll
Type: executable
MD5: 3430E2544637CEBF8BA1F509ED5A27B1
SHA256: BB01C6FBB29590D6D144A9038C2A7736D6925A6DBD31889538AF033E03E4F5FA

PID: 3016
Process: MBSetup.exe
Filename: C:\ProgramData\mbamtestfile.dat
Type: text
MD5: 9F06243ABCB89C70E0C331C61D871FA7
SHA256: 837CCB607E312B170FAC7383D7CCFD61FA5072793F19A25E75FBACB56539B86B

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\ctlrpkg\ddshelper.bin
Type: text
MD5: BDF8A750AE5FF4858B88F1A0F729E4B1
SHA256: 99198C557B03B24DBF40724C62C12C8C039447AFEDFD109E20061288963D9454

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\ctlrpkg\mbam.firefox.manifest.json
Type: text
MD5: F83DF8976D2F549973B4741AABEC7DC8
SHA256: 81E215E014635B567D9D11CCCCAE20A0E62BB4D640B1CCE0B30ECE970212AF02

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\ctlrpkg\Malwarebytes.deps.json
Type: text
MD5: 63542646522CA1369230D55C3196053C
SHA256: 6047C75AE56E1D74CB75D6461B7612ACAF10678010A78E6199E96430F7288C57

PID: 880
Process: MBAMInstallerService.exe
Filename: C:\ProgramData\MalwarebytesTemp\MBInstallTemp_140e23b64aa011f19bcf42bae7e2fa96\ctlrpkg\Malwarebytes_Assistant.deps.json
Type: text
MD5: BFFA3E90259A6A51B27D571909D32951
SHA256: 2283A3B8A2B86FD7052F8CBD766F75AF659824E00DDBF4D6011D4669164CCCAC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 78
TCP/UDP connections: 73
DNS requests: 63
Threats: 5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3996
SIHClient.exe
GET
304
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
3996
SIHClient.exe
GET
200
135.233.95.135:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
3996
SIHClient.exe
GET
200
135.232.92.137:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
3996
SIHClient.exe
GET
304
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5484
svchost.exe
GET
304
51.124.78.146:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted
3016
MBSetup.exe
GET
302
34.197.64.160:443
https://ark.mwbsys.com/mbam-c.isvc.64bitv5/release
US
unknown
880
MBAMInstallerService.exe
GET
302
34.197.64.160:443
https://ark.mwbsys.com/mbam-c.ctlrv5.64bit/release
US
unknown
880
MBAMInstallerService.exe
GET
200
143.204.181.97:443
https://cdn.mwbsys.com/packages/mbam-c.ctlrv5.64bit/2/e/0/3/2e0302e3cda1294ac1ecf8d0978c1979/7fee3e9b-d346-4c28-b943-45d216a20e49.7z
US
unknown
880
MBAMInstallerService.exe
GET
302
34.197.64.160:443
https://ark.mwbsys.com/mbam-c.dbcls.64bitv5/release
US
unknown
880
MBAMInstallerService.exe
GET
200
143.204.181.97:443
https://cdn.mwbsys.com/packages/mbam-c.dbcls.64bitv5/e/a/b/2/eab272d619316e89a251628da8e587f9/b1ab2edd-9416-4631-ad9f-c8635e146914.7z
US
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5532
SearchApp.exe
92.123.104.31:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
5532
SearchApp.exe
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5484
svchost.exe
23.216.77.28:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5484
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
www.bing.com
  • 92.123.104.31
  • 92.123.104.38
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.35
  • 92.123.104.36
  • 92.123.104.29
  • 92.123.104.32
  • 92.123.104.37
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
google.com
  • 142.250.154.100
  • 142.250.154.138
  • 142.250.154.139
  • 142.250.154.101
  • 142.250.154.113
  • 142.250.154.102
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.52.181.212
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.4
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.140
  • 20.190.160.2
  • 40.126.32.134
  • 40.126.32.68
  • 20.190.160.20
whitelisted

Threats

PID
Process
Class
Message
5484
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
3016
MBSetup.exe
Potentially Bad Traffic
ET INFO Executable served from Amazon S3
3016
MBSetup.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3016
MBSetup.exe
Misc activity
ET INFO Packed Executable Download
5304
Malwarebytes.exe
Misc activity
SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
Process
Message
Malwarebytes.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 5304. Message ID: [0x2509].
Malwarebytes.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 5988. Message ID: [0x2509].
Malwarebytes.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 5724. Message ID: [0x2509].