File name:

TunnlTo_1.0.7_x64_en-US.msi

Full analysis: https://app.any.run/tasks/d9795db6-0e4b-4f29-92db-505e19f66cc8
Verdict: Malicious activity
Analysis date: January 03, 2025, 23:34:38
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
generated-doc
rust
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: TunnlTo, Author: tunnl, Keywords: Installer, Comments: This installer database contains the logic and data required to install TunnlTo., Template: x64;0, Revision Number: {61FF8CDE-2F35-44D5-A379-E4CE8CE75A15}, Create Time/Date: Mon May 20 02:16:42 2024, Last Saved Time/Date: Mon May 20 02:16:42 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

ABA32A1DCD826CFFEF0DD1832F0FC882

SHA1:

DF44CD8BAF537D3543BE0D5AE2B773866DE502D8

SHA256:

2C4177EE75B4297E31EA834C1BD140FA7422C8F2049347141C2B83E8C255C48C

SSDEEP:

98304:k2Lax6gp2bSMoRfkcYJ3faC2z5lRAEkRS1jx4ZvHBGu0gGw+XtY782Un6yXoDhxx:gz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • The DLL Hijacking

      • msedgewebview2.exe (PID: 1768)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 5140)
      • msiexec.exe (PID: 5452)

    • Reads the Internet Settings

      • msiexec.exe (PID: 5140)
      • msiexec.exe (PID: 2676)
      • msedgewebview2.exe (PID: 7084)
      • powershell.exe (PID: 5072)
      • TunnlTo.exe (PID: 4080)
      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 1900)
      • powershell.exe (PID: 6500)

    • Executes as Windows Service

      • VSSVC.exe (PID: 704)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 5452)
      • drvinst.exe (PID: 3636)
      • devcon.exe (PID: 1864)
      • drvinst.exe (PID: 3976)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5452)

    • Application launched itself

      • msedgewebview2.exe (PID: 7084)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2676)
      • msedgewebview2.exe (PID: 7084)

    • Reads settings of System Certificates

      • msedgewebview2.exe (PID: 7084)
      • TunnlTo.exe (PID: 4080)

    • Starts process via Powershell

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 6500)
      • powershell.exe (PID: 1900)
      • powershell.exe (PID: 1600)
      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 3856)

    • Starts POWERSHELL.EXE for commands execution

      • TunnlTo.exe (PID: 4080)

    • Searches for installed software

      • TunnlTo.exe (PID: 4080)

    • Found IP address in command line

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 3856)
      • powershell.exe (PID: 6500)
      • powershell.exe (PID: 1900)
      • powershell.exe (PID: 1600)

    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 5452)
      • drvinst.exe (PID: 3636)
      • netcfg.exe (PID: 3684)
      • drvinst.exe (PID: 3976)

    • Adds/modifies Windows certificates

      • certutil.exe (PID: 4772)
      • certutil.exe (PID: 2944)

    • Creates files in the driver directory

      • drvinst.exe (PID: 3636)
      • drvinst.exe (PID: 3976)
      • devcon.exe (PID: 1864)

    • Starts SC.EXE for service management

      • msiexec.exe (PID: 4064)

    • Windows service management via SC.EXE

      • sc.exe (PID: 5800)

    • Executable content was dropped or overwritten

      • drvinst.exe (PID: 3636)
      • netcfg.exe (PID: 3684)
      • drvinst.exe (PID: 3976)

    • Creates or modifies Windows services

      • drvinst.exe (PID: 6836)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5140)

    • The sample compiled with english language support

      • msiexec.exe (PID: 5140)
      • msiexec.exe (PID: 5452)
      • drvinst.exe (PID: 3976)

    • Reads the software policy settings

      • msiexec.exe (PID: 5140)
      • msiexec.exe (PID: 5452)
      • msedgewebview2.exe (PID: 7084)
      • TunnlTo.exe (PID: 4080)
      • drvinst.exe (PID: 3636)
      • devcon.exe (PID: 1864)
      • drvinst.exe (PID: 3976)

    • Reads the computer name

      • msiexec.exe (PID: 5452)
      • msiexec.exe (PID: 2676)
      • TunnlTo.exe (PID: 4080)
      • msedgewebview2.exe (PID: 7084)
      • msedgewebview2.exe (PID: 5632)
      • msedgewebview2.exe (PID: 1768)
      • msiexec.exe (PID: 4064)
      • drvinst.exe (PID: 3636)
      • drvinst.exe (PID: 6836)
      • devcon.exe (PID: 1864)
      • drvinst.exe (PID: 3976)

    • Checks supported languages

      • msiexec.exe (PID: 5452)
      • msiexec.exe (PID: 2676)
      • msedgewebview2.exe (PID: 3308)
      • msedgewebview2.exe (PID: 7084)
      • TunnlTo.exe (PID: 4080)
      • msedgewebview2.exe (PID: 1768)
      • msedgewebview2.exe (PID: 2152)
      • msedgewebview2.exe (PID: 5632)
      • msedgewebview2.exe (PID: 3152)
      • msedgewebview2.exe (PID: 2028)
      • msiexec.exe (PID: 4064)
      • drvinst.exe (PID: 3636)
      • devcon.exe (PID: 1864)
      • drvinst.exe (PID: 3976)
      • drvinst.exe (PID: 6836)
      • msedgewebview2.exe (PID: 3804)
      • msedgewebview2.exe (PID: 5896)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5140)
      • msiexec.exe (PID: 5452)

    • Checks proxy server information

      • msiexec.exe (PID: 5140)
      • msedgewebview2.exe (PID: 7084)
      • TunnlTo.exe (PID: 4080)

    • Manages system restore points

      • SrTasks.exe (PID: 5932)
      • SrTasks.exe (PID: 1600)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 5452)
      • msedgewebview2.exe (PID: 7084)
      • TunnlTo.exe (PID: 4080)
      • drvinst.exe (PID: 3636)
      • devcon.exe (PID: 1864)
      • drvinst.exe (PID: 3976)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 5452)

    • The process uses the downloaded file

      • msiexec.exe (PID: 2676)
      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 6500)

    • Sends debugging messages

      • msedgewebview2.exe (PID: 7084)

    • Creates files or folders in the user directory

      • msedgewebview2.exe (PID: 3308)
      • msedgewebview2.exe (PID: 7084)
      • msedgewebview2.exe (PID: 5632)

    • Application based on Rust

      • TunnlTo.exe (PID: 4080)

    • Creates files in the driver directory

      • netcfg.exe (PID: 3684)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5072)
      • powershell.exe (PID: 6388)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 3856)
      • powershell.exe (PID: 1900)
      • powershell.exe (PID: 4164)
      • powershell.exe (PID: 6500)

    • Reads Environment values

      • msedgewebview2.exe (PID: 7084)

    • Create files in a temporary directory

      • msedgewebview2.exe (PID: 7084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: TunnlTo
Author: tunnl
Keywords: Installer
Comments: This installer database contains the logic and data required to install TunnlTo.
Template: x64;0
RevisionNumber: {61FF8CDE-2F35-44D5-A379-E4CE8CE75A15}
CreateDate: 2024:05:20 02:16:42
ModifyDate: 2024:05:20 02:16:42
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
57
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs tunnlto.exe msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe msedgewebview2.exe no specs msedgewebview2.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs sc.exe no specs conhost.exe no specs netcfg.exe conhost.exe no specs drvinst.exe devcon.exe no specs conhost.exe no specs drvinst.exe drvinst.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs msedgewebview2.exe no specs powershell.exe no specs conhost.exe no specs msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
704C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1564\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exedevcon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1600C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:15C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
1600"powershell" -command "(Start-Process -FilePath \"msiexec.exe\" -ArgumentList \"/i\", '\"C:\Program Files\TunnlTo\wiresock\wiresock-vpn-client-x64-1.2.37.1.msi\"', \"/qr\" -Wait -Passthru).ExitCode"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeTunnlTo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
1616"C:\Windows\system32\msiexec.exe" /i "C:\Program Files\TunnlTo\wiresock\wiresock-vpn-client-x64-1.2.37.1.msi" /qr C:\Windows\System32\msiexec.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1616\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1768"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.tunnl.to\EBWebView" --webview-exe-name=TunnlTo.exe --webview-exe-version=1.0.7 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1864,i,161121519372870257,12022259221583942188,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2C:\Program Files (x86)\Microsoft\EdgeWebView\Application\103.0.1264.77\msedgewebview2.exemsedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Version:
103.0.1264.77
Modules
Images
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edgewebview\application\103.0.1264.77\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
1864"C:\Program Files\WireSock VPN Client\wiresock-adapter\devcon.exe" install "C:\Program Files\WireSock VPN Client\wiresock-adapter\wiresock.inf" wiresockC:\Program Files\WireSock VPN Client\wiresock-adapter\devcon.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Device Console
Exit code:
0
Version:
10.0.19041.685 (WinBuild.160101.0800)
Modules
Images
c:\program files\wiresock vpn client\wiresock-adapter\devcon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcp_win.dll
1900"powershell" -command "(Start-Process -FilePath \"msiexec.exe\" -ArgumentList \"/i\", '\"C:\Program Files\TunnlTo\wiresock\wiresock-vpn-client-x64-1.2.37.1.msi\"', \"/qr\" -Wait -Passthru).ExitCode"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeTunnlTo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
1912"powershell" -command "(Start-Process -FilePath \"msiexec.exe\" -ArgumentList \"/i\", '\"C:\Program Files\TunnlTo\wiresock\wiresock-vpn-client-x64-1.2.37.1.msi\"', \"/qr\" -Wait -Passthru).ExitCode"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeTunnlTo.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
73 916
Read events
72 952
Write events
831
Delete events
133

Modification events

(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000004DDF2322385EDB014C15000098170000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
480000000000000065BF5A22385EDB014C15000098170000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
480000000000000065BF5A22385EDB014C15000098170000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000013EB6122385EDB014C15000098170000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000ED422622385EDB014C15000098170000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000065875F22385EDB014C15000098170000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5452) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
14
(PID) Process:(704) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000895BD422385EDB01C002000038100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(704) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000895BD422385EDB01C0020000C8120000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(704) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000895BD422385EDB01C00200000C170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
26
Suspicious files
261
Text files
47
Unknown types
12

Dropped files

PID
Process
Filename
Type
5452msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
5452msiexec.exeC:\Windows\Installer\258539.msi
MD5:
SHA256:
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81Bbinary
MD5:33D1F68D8F83C6E6561A5E23BBEA7516
SHA256:8B2506D800B0768DE139CC362810F47D98F8CBF9E7D3FECB038299B87BEEA026
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_CBBFF7A51C21E740C38443A74DDFD727der
MD5:407AF116BAD6EA5A2C0AD2075391A79D
SHA256:85A1AB8EF235CD9AEBFD23D08920C379B4ACB255758FBB7320E55C349D13111E
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41Cder
MD5:FE8F750BF1016543E5BA58E0E5E640A8
SHA256:600548A9E16AC9FE9ABF4904740419A60D8BB78DEE89130CAE61B9334A225CC2
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_CBBFF7A51C21E740C38443A74DDFD727binary
MD5:319E3A8AD83CF5A03FEDFC9AD5EFC221
SHA256:0E4699CFB0A0FCC2975C7FE14B5B319E1C2264AAA216A14B95A131F69ADAC249
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81Bbinary
MD5:5D3D8F5474DCD1CB16E4319FB50277AA
SHA256:C6D253A05DF905873956BE129DF6AC0FF67551939C7B45B02B5BC883023107D3
5452msiexec.exeC:\Windows\Installer\25853b.msi
MD5:
SHA256:
5140msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:44EDDD67A563118FD4452D5543E46BD3
SHA256:ED63F957ADF96AFC755A2225DD23BC2C97361FD6F86B0DE162F5EDD1B7D8639E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
27
DNS requests
15
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
104.124.11.219:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
4272
MoUsoCoreWorker.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?97b795836009ca1f
unknown
whitelisted
5140
msiexec.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bbb81256869159b4
unknown
whitelisted
5140
msiexec.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
5140
msiexec.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D
unknown
whitelisted
5140
msiexec.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/rootr3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCEHgDGEJFcIpBz28BuO60qVQ%3D
unknown
whitelisted
5140
msiexec.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDDIt6H%2BXfAETa93iEg%3D%3D
unknown
whitelisted
HEAD
200
2.21.190.26:443
https://fs.microsoft.com/fs/windows/config.json
unknown
528
svchost.exe
POST
403
2.21.189.164:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
whitelisted
2860
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4010b36f3be13580
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
104.124.11.219:80
Akamai International B.V.
DE
unknown
4272
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
msiexec.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
4272
MoUsoCoreWorker.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
5140
msiexec.exe
104.18.21.226:80
ocsp.globalsign.com
CLOUDFLARENET
whitelisted
5552
svchost.exe
239.255.255.250:1900
whitelisted
5632
msedgewebview2.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4080
TunnlTo.exe
185.199.111.133:443
gist.githubusercontent.com
FASTLY
US
shared
6184
svchost.exe
2.21.190.26:443
fs.microsoft.com
Akamai International B.V.
GB
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
gist.githubusercontent.com
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
shared
fs.microsoft.com
  • 2.21.190.26
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edgeassetservice.azureedge.net
  • 13.107.246.45
whitelisted
www.msftconnecttest.com
  • 184.25.50.48
  • 184.25.50.104
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
1296
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\com.tunnl.to directory exists )
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
TunnlTo_1.0.7_x64_en-US.msi