File name:

TribeWars Setup 10.2.27.exe

Full analysis: https://app.any.run/tasks/dddb5af9-3fa9-4bee-b8b9-ad5018fc1900
Verdict: Malicious activity
Analysis date: June 30, 2025, 10:37:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
nodejs
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

338D2F80BDC1DDB0F7B99C47CCBF12A4

SHA1:

9E0B823DDAD5363DDB47D5F35AE47DF2EDB4DF3C

SHA256:

1F5823734E47720858F9D49060CDE39C3A7313D99198C65DCA70D67B2B1EFF0C

SSDEEP:

1572864:/BYKVzcooUSYOSd8gHgGgWaUp/T9R5Qhb:/2KVzhP7HgGgWaU3R5Ib

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars Setup 10.2.27.exe (PID: 5712)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • TribeWars Setup 10.2.27.exe (PID: 6876)

    • The process creates files with name similar to system file names

      • TribeWars Setup 10.2.27.exe (PID: 6876)

    • Drops 7-zip archiver for unpacking

      • TribeWars Setup 10.2.27.exe (PID: 6876)

    • Reads security settings of Internet Explorer

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)

    • Executable content was dropped or overwritten

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)

    • Process drops legitimate windows executable

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)

    • Creates a software uninstall entry

      • TribeWars Setup 10.2.27.exe (PID: 6876)

    • Starts CMD.EXE for commands execution

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 6520)
      • cmd.exe (PID: 7284)
      • cmd.exe (PID: 7696)
      • cmd.exe (PID: 2808)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5992)
      • cmd.exe (PID: 5424)
      • cmd.exe (PID: 7072)
      • cmd.exe (PID: 7352)
      • cmd.exe (PID: 7836)
      • cmd.exe (PID: 8160)
      • cmd.exe (PID: 7340)
      • cmd.exe (PID: 7544)
      • cmd.exe (PID: 2160)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 7648)

    • Application launched itself

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Process drops python dynamic module

      • TribeWars.exe (PID: 1336)

    • The process drops C-runtime libraries

      • TribeWars.exe (PID: 1336)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 1300)
      • WMIC.exe (PID: 1216)
      • WMIC.exe (PID: 7748)
      • WMIC.exe (PID: 6128)
      • WMIC.exe (PID: 7480)

    • Reads the date of Windows installation

      • TribeWars.exe (PID: 1336)

  • INFO

    • The sample compiled with english language support

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)

    • Checks supported languages

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 4044)
      • TribeWars.exe (PID: 2216)
      • TribeWars.exe (PID: 4816)
      • TribeWars.exe (PID: 3944)
      • TribeWars.exe (PID: 4960)
      • TribeWars.exe (PID: 5400)
      • TribeWars.exe (PID: 2804)
      • TribeWars.exe (PID: 6836)
      • TribeWars.exe (PID: 5564)

    • Creates files in the program directory

      • TribeWars Setup 10.2.27.exe (PID: 6876)

    • Reads the computer name

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 4044)
      • TribeWars.exe (PID: 2216)
      • TribeWars.exe (PID: 5400)
      • TribeWars.exe (PID: 6836)
      • TribeWars.exe (PID: 2804)

    • Create files in a temporary directory

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Creates files or folders in the user directory

      • TribeWars Setup 10.2.27.exe (PID: 6876)
      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 2216)
      • TribeWars.exe (PID: 6836)
      • TribeWars.exe (PID: 5400)

    • Manual execution by a user

      • TribeWars.exe (PID: 3800)
      • TribeWars.exe (PID: 1336)
      • notepad.exe (PID: 5244)
      • cmd.exe (PID: 8072)
      • OpenWith.exe (PID: 8084)

    • Reads Environment values

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Reads product name

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Reads CPU info

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Process checks computer location settings

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 4816)
      • TribeWars.exe (PID: 3944)
      • TribeWars.exe (PID: 4960)
      • TribeWars.exe (PID: 5400)
      • TribeWars.exe (PID: 5564)

    • Checks proxy server information

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)
      • slui.exe (PID: 7980)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 1300)
      • WMIC.exe (PID: 1216)
      • WMIC.exe (PID: 7748)
      • notepad.exe (PID: 5244)
      • WMIC.exe (PID: 7480)
      • WMIC.exe (PID: 6128)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 4168)

    • Reads the machine GUID from the registry

      • TribeWars.exe (PID: 1336)
      • TribeWars.exe (PID: 5400)

    • Reads Windows Product ID

      • powershell.exe (PID: 3100)
      • powershell.exe (PID: 7596)
      • powershell.exe (PID: 7692)

    • Node.js compiler has been detected

      • TribeWars.exe (PID: 1336)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 8084)

    • Reads the software policy settings

      • slui.exe (PID: 7980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:26:14+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 473088
UninitializedDataSize: 16384
EntryPoint: 0x338f
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 10.2.27.0
ProductVersionNumber: 10.2.27.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: TribeWars designed with cutting-edge cybersecurity measures, this application prioritizes user safety.
FileVersion: 10.2.27
LegalCopyright: Copyright © 2025 TribeWars
ProductName: TribeWars
ProductVersion: 10.2.27
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
202
Monitored processes
68
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start tribewars setup 10.2.27.exe tribewars.exe no specs tribewars.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wmic.exe no specs tribewars.exe no specs tribewars.exe tribewars.exe no specs tribewars.exe no specs tribewars.exe no specs tribewars.exe no specs tribewars.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs wmic.exe no specs tribewars.exe no specs powershell.exe no specs tribewars.exe no specs tribewars.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs slui.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs notepad.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs rundll32.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs openwith.exe no specs tribewars setup 10.2.27.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
592powershell.exe -Command "(Get-CimInstance Win32_ComputerSystemProduct).UUID"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
620\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1212\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1216wmic path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1300wmic path win32_VideoController get nameC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
1336"C:\Program Files\TribeWars\TribeWars.exe" C:\Program Files\TribeWars\TribeWars.exe
explorer.exe
User:
admin
Company:
GitHub, Inc.
Integrity Level:
HIGH
Description:
TribeWars designed with cutting-edge cybersecurity measures, this application prioritizes user safety.
Version:
10.2.27
Modules
Images
c:\program files\tribewars\tribewars.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\dbghelp.dll
2160C:\WINDOWS\system32\cmd.exe /d /s /c "powershell.exe -Command "(Get-CimInstance Win32_ComputerSystemProduct).UUID""C:\Windows\System32\cmd.exeTribeWars.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2216"C:\Program Files\TribeWars\TribeWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\admin\AppData\Roaming\TribeWars" --field-trial-handle=1916,i,3839292653697606189,8764772325148775987,262144 --enable-features=PdfUseShowSaveFilePicker --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit --variations-seed-version --mojo-platform-channel-handle=2172 /prefetch:3C:\Program Files\TribeWars\TribeWars.exe
TribeWars.exe
User:
admin
Company:
GitHub, Inc.
Integrity Level:
HIGH
Description:
TribeWars designed with cutting-edge cybersecurity measures, this application prioritizes user safety.
Version:
10.2.27
Modules
Images
c:\program files\tribewars\tribewars.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2596"C:\Program Files\TribeWars\TribeWars.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\TribeWars" --app-path="C:\Program Files\TribeWars\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=1916,i,3839292653697606189,8764772325148775987,262144 --enable-features=PdfUseShowSaveFilePicker --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1C:\Program Files\TribeWars\TribeWars.exeTribeWars.exe
User:
admin
Company:
GitHub, Inc.
Integrity Level:
HIGH
Description:
TribeWars designed with cutting-edge cybersecurity measures, this application prioritizes user safety.
Exit code:
0
Version:
10.2.27
Modules
Images
c:\program files\tribewars\tribewars.exe
c:\windows\system32\ntdll.dll
2804"C:\Program Files\TribeWars\TribeWars.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\TribeWars" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1868,i,1049388130966278802,4643420627023583204,262144 --enable-features=PdfUseShowSaveFilePicker --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit --variations-seed-version --mojo-platform-channel-handle=1848 /prefetch:2C:\Program Files\TribeWars\TribeWars.exeTribeWars.exe
User:
admin
Company:
GitHub, Inc.
Integrity Level:
LOW
Description:
TribeWars designed with cutting-edge cybersecurity measures, this application prioritizes user safety.
Exit code:
0
Version:
10.2.27
Modules
Images
c:\program files\tribewars\tribewars.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
55 089
Read events
55 017
Write events
18
Delete events
54

Modification events

(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:InstallLocation
Value:
C:\Program Files\TribeWars
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:KeepShortcuts
Value:
true
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:ShortcutName
Value:
TribeWars
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:DisplayName
Value:
TribeWars 10.2.27
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:UninstallString
Value:
"C:\Program Files\TribeWars\Uninstall TribeWars.exe" /allusers
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:QuietUninstallString
Value:
"C:\Program Files\TribeWars\Uninstall TribeWars.exe" /allusers /S
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:DisplayVersion
Value:
10.2.27
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:DisplayIcon
Value:
C:\Program Files\TribeWars\TribeWars.exe,0
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:NoModify
Value:
1
(PID) Process:(6876) TribeWars Setup 10.2.27.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\5f153963-6af3-5c10-aafa-05db07f67181
Operation:writeName:NoRepair
Value:
1
Executable files
49
Suspicious files
206
Text files
139
Unknown types
139

Dropped files

PID
Process
Filename
Type
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\app-64.7z
MD5:
SHA256:
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\7z-out\icudtl.dat
MD5:
SHA256:
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\7z-out\LICENSES.chromium.html
MD5:
SHA256:
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\SpiderBanner.dllexecutable
MD5:17309E33B596BA3A5693B4D3E85CF8D7
SHA256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\7z-out\LICENSE.electron.txttext
MD5:4D42118D35941E0F664DDDBD83F633C5
SHA256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\nsProcess.dllexecutable
MD5:F0438A894F3A7E01A4AAE8D1B5DD0289
SHA256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\System.dllexecutable
MD5:0D7AD4F45DC6F5AA87F606D0331C6901
SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\7z-out\locales\bg.pakpgc
MD5:53C135B4BCC75E3A1BC6FBFD4DB60758
SHA256:C6F7F71D759009F6D9081D71E3936AAD9A41779E9622965D7D71752CC5B8AFC8
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\7z-out\locales\ar.pakpgc
MD5:5E011F61B1B798C01DCD9EEF268A2B66
SHA256:22ACE6E8A5854580649D68FECE948D329EF354908014285BEC676904628B1001
6876TribeWars Setup 10.2.27.exeC:\Users\admin\AppData\Local\Temp\nsb77A2.tmp\7z-out\locales\bn.pakpgc
MD5:3CA79BFE2A397C6C0A58D9B1D5FFF24E
SHA256:43A0C8BF652288C7A1EFAF19926D25275507FA03E9134CFE5E3A580E8E7CD203
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
30
DNS requests
22
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6344
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5060
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5060
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
592
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6344
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6344
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
login.live.com
  • 20.190.160.67
  • 20.190.160.64
  • 20.190.160.2
  • 20.190.160.22
  • 20.190.160.4
  • 20.190.160.3
  • 20.190.160.128
  • 20.190.160.14
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.13
whitelisted
macattic.com
  • 172.67.194.150
  • 104.21.68.109
unknown
challenges.cloudflare.com
  • 104.18.94.41
  • 104.18.95.41
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
2216
TribeWars.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2216
TribeWars.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2216
TribeWars.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2216
TribeWars.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2216
TribeWars.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
2216
TribeWars.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TribeWars Setup 10.2.27.exe