File name:

PacketStreamInstaller.exe

Full analysis: https://app.any.run/tasks/f1e55855-e0e7-4fda-953f-3734aebcf353
Verdict: Malicious activity
Analysis date: March 15, 2024, 18:33:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

6D6F50061E5ABE88A7B671046398270F

SHA1:

E2783B9B2993A9CCC13DAB299C3EE581D265B71A

SHA256:

3A819DF32EFEC09CCA52C2D6B6E9B0A99EBC1D64EAC33F9BE426463FC5E60F2D

SSDEEP:

98304:/oFhWG5yK9xYKWDf/sORREAPHFOPioQPLAXE5tfrzTvcyf3AwJRmsTmyYQCGrdlN:TPYDGbKYV+UhH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • pslauncher.exe (PID: 1496)
      • PacketStreamInstaller.exe (PID: 2408)

    • Create files in the Startup directory

      • psclient.exe (PID: 3164)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PacketStreamInstaller.exe (PID: 2408)
      • pslauncher.exe (PID: 1496)

    • Creates a software uninstall entry

      • PacketStreamInstaller.exe (PID: 2408)

    • The process creates files with name similar to system file names

      • PacketStreamInstaller.exe (PID: 2408)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • PacketStreamInstaller.exe (PID: 2408)

    • Adds/modifies Windows certificates

      • psclient.exe (PID: 3164)

    • Uses RUNDLL32.EXE to load library

      • psclient.exe (PID: 3164)

    • Reads the Internet Settings

      • rundll32.exe (PID: 4044)
      • rundll32.exe (PID: 2808)

    • Reads settings of System Certificates

      • psclient.exe (PID: 3164)

    • Connects to unusual port

      • psclient.exe (PID: 3164)

  • INFO

    • Checks supported languages

      • PacketStreamInstaller.exe (PID: 2408)
      • pslauncher.exe (PID: 1496)
      • pslauncher.exe (PID: 2488)
      • psclient.exe (PID: 2592)
      • psclient.exe (PID: 2968)
      • psclient.exe (PID: 492)
      • psclient.exe (PID: 2176)
      • psclient.exe (PID: 840)
      • psclient.exe (PID: 1784)
      • psclient.exe (PID: 3528)
      • psclient.exe (PID: 1484)
      • psclient.exe (PID: 2620)
      • psclient.exe (PID: 2404)
      • psclient.exe (PID: 1796)
      • psclient.exe (PID: 2640)
      • psclient.exe (PID: 2748)
      • psclient.exe (PID: 3256)
      • psclient.exe (PID: 3988)
      • psclient.exe (PID: 1820)
      • psclient.exe (PID: 1392)
      • psclient.exe (PID: 532)
      • psclient.exe (PID: 2104)
      • psclient.exe (PID: 3236)
      • psclient.exe (PID: 2880)
      • psclient.exe (PID: 3548)
      • psclient.exe (PID: 4020)
      • pslauncher.exe (PID: 3376)
      • psclient.exe (PID: 1072)
      • psclient.exe (PID: 3816)
      • psclient.exe (PID: 1192)
      • psclient.exe (PID: 3368)
      • psclient.exe (PID: 3924)
      • psclient.exe (PID: 1492)
      • psclient.exe (PID: 3764)
      • psclient.exe (PID: 2328)
      • psclient.exe (PID: 1432)
      • psclient.exe (PID: 1692)
      • psclient.exe (PID: 3200)
      • psclient.exe (PID: 3964)
      • psclient.exe (PID: 2776)
      • psclient.exe (PID: 900)
      • psclient.exe (PID: 3164)
      • psclient.exe (PID: 2316)
      • psclient.exe (PID: 3744)
      • psclient.exe (PID: 2524)
      • psclient.exe (PID: 2916)
      • psclient.exe (PID: 3896)
      • psclient.exe (PID: 3524)
      • psclient.exe (PID: 3688)
      • psclient.exe (PID: 3440)
      • psclient.exe (PID: 3740)
      • psclient.exe (PID: 1692)
      • psclient.exe (PID: 3092)
      • psclient.exe (PID: 3200)
      • psclient.exe (PID: 2072)
      • psclient.exe (PID: 680)
      • psclient.exe (PID: 3912)
      • psclient.exe (PID: 3300)
      • psclient.exe (PID: 1576)
      • psclient.exe (PID: 3948)
      • psclient.exe (PID: 3392)
      • psclient.exe (PID: 1072)
      • psclient.exe (PID: 316)
      • psclient.exe (PID: 3576)
      • psclient.exe (PID: 3020)
      • pslauncher.exe (PID: 3016)
      • psclient.exe (PID: 2560)
      • psclient.exe (PID: 3848)
      • psclient.exe (PID: 2884)
      • psclient.exe (PID: 1644)
      • psclient.exe (PID: 3312)
      • psclient.exe (PID: 1544)
      • psclient.exe (PID: 2996)
      • psclient.exe (PID: 3088)
      • psclient.exe (PID: 3472)
      • psclient.exe (PID: 3540)
      • psclient.exe (PID: 968)
      • psclient.exe (PID: 532)

    • Reads the computer name

      • PacketStreamInstaller.exe (PID: 2408)
      • psclient.exe (PID: 3164)

    • Create files in a temporary directory

      • PacketStreamInstaller.exe (PID: 2408)
      • psclient.exe (PID: 3164)

    • Creates files in the program directory

      • PacketStreamInstaller.exe (PID: 2408)

    • Creates files or folders in the user directory

      • pslauncher.exe (PID: 1496)
      • psclient.exe (PID: 3164)

    • Reads the machine GUID from the registry

      • psclient.exe (PID: 3164)

    • Manual execution by a user

      • pslauncher.exe (PID: 2488)
      • pslauncher.exe (PID: 3376)
      • msedge.exe (PID: 3404)
      • msedge.exe (PID: 1820)
      • pslauncher.exe (PID: 3016)

    • Application launched itself

      • msedge.exe (PID: 3728)
      • msedge.exe (PID: 3404)
      • msedge.exe (PID: 984)
      • msedge.exe (PID: 1820)

    • Reads the software policy settings

      • psclient.exe (PID: 3164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
121
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start packetstreaminstaller.exe pslauncher.exe psclient.exe pslauncher.exe psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs pslauncher.exe psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs pslauncher.exe psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs packetstreaminstaller.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
316"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
452"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 --field-trial-handle=872,i,4186068532475117917,8152438641344645428,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
492C:\Users\admin\AppData\Roaming\packetstream/psclient.exe --launcher "C:\Program Files\PacketStream/pslauncher.exe"C:\Users\admin\AppData\Roaming\packetstream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\roaming\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
532C:\Users\admin\AppData\Roaming\packetstream/psclient.exe --launcher "C:\Program Files\PacketStream/pslauncher.exe"C:\Users\admin\AppData\Roaming\packetstream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\roaming\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
532C:\Users\admin\AppData\Roaming\packetstream/psclient.exe --versionC:\Users\admin\AppData\Roaming\packetstream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
604"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6a76f598,0x6a76f5a8,0x6a76f5b4C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
680"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
840"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
840"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=1332,i,753215616183249872,12593202332484993928,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
900"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
31 151
Read events
31 012
Write events
121
Delete events
18

Modification events

(PID) Process:(2408) PacketStreamInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacketStream
Operation:writeName:DisplayName
Value:
PacketStream
(PID) Process:(2408) PacketStreamInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacketStream
Operation:writeName:UninstallString
Value:
C:\Program Files\PacketStream\uninstaller.exe
(PID) Process:(2408) PacketStreamInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacketStream
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PacketStream\icon.ico
(PID) Process:(3164) psclient.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation:delete valueName:9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D70300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB60F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Value:
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Operation:writeName:Blob
Value:
040000000100000010000000FA68BCD9B57FADFDC91D068328CC24C1090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000300000000B043572C899DEC43EFD590CFCE610CF443A6315925EBFE589F7506907E44824608489581C7CA0E041458514CF157614030000000100000014000000D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF01D0000000100000010000000280CF6042C30A2646644BA7286A3AA971400000001000000140000003AE10986D4CF19C29676744976DCE035C663639A0B00000001000000180000005300650063007400690067006F00200045004300430000006200000001000000200000004FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A19000000010000001000000076935B5C5A037216DAAF8AAC76DF42C153000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C02000000001000000930200003082028F30820215A00302010202105C8B99C55A94C5D27156DECD8980CC26300A06082A8648CE3D040303308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F726974793076301006072A8648CE3D020106052B81040022036200041AAC545AA9F96823E77AD5246F53C65AD84BABC6D5B6D1E67371AEDD9CD60C61FDDBA08903B80514EC57CEEE5D3FE221B3CEF7D48A79E0A3837E2D97D061C4F199DC259163AB7F30A3B470E2C7A1339CF3BF2E5C53B15FB37D327F8A34E37979A3423040301D0603551D0E041604143AE10986D4CF19C29676744976DCE035C663639A300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300A06082A8648CE3D040303036800306502303667A11608DCE49700411D4EBEE16301CF3BAA421164A09D94390211795C7B1DFA64B9EE1642B3BF8AC209C4ECE4B14D023100E92A61478C524A4B4E1870F6D644D66EF583BA6D58BD24D95648EAEFC4A24681886A3A46D1A99B4DC961DAD15D576A18
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Operation:writeName:Blob
Value:
5C00000001000000040000008001000053000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C019000000010000001000000076935B5C5A037216DAAF8AAC76DF42C16200000001000000200000004FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A0B00000001000000180000005300650063007400690067006F00200045004300430000001400000001000000140000003AE10986D4CF19C29676744976DCE035C663639A1D0000000100000010000000280CF6042C30A2646644BA7286A3AA97030000000100000014000000D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF00F00000001000000300000000B043572C899DEC43EFD590CFCE610CF443A6315925EBFE589F7506907E44824608489581C7CA0E041458514CF157614090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B06010505070308040000000100000010000000FA68BCD9B57FADFDC91D068328CC24C12000000001000000930200003082028F30820215A00302010202105C8B99C55A94C5D27156DECD8980CC26300A06082A8648CE3D040303308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F726974793076301006072A8648CE3D020106052B81040022036200041AAC545AA9F96823E77AD5246F53C65AD84BABC6D5B6D1E67371AEDD9CD60C61FDDBA08903B80514EC57CEEE5D3FE221B3CEF7D48A79E0A3837E2D97D061C4F199DC259163AB7F30A3B470E2C7A1339CF3BF2E5C53B15FB37D327F8A34E37979A3423040301D0603551D0E041604143AE10986D4CF19C29676744976DCE035C663639A300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300A06082A8648CE3D040303036800306502303667A11608DCE49700411D4EBEE16301CF3BAA421164A09D94390211795C7B1DFA64B9EE1642B3BF8AC209C4ECE4B14D023100E92A61478C524A4B4E1870F6D644D66EF583BA6D58BD24D95648EAEFC4A24681886A3A46D1A99B4DC961DAD15D576A18
Executable files
9
Suspicious files
76
Text files
129
Unknown types
55

Dropped files

PID
Process
Filename
Type
2408PacketStreamInstaller.exeC:\Users\admin\AppData\Local\Temp\nsq296D.tmp
MD5:
SHA256:
1496pslauncher.exeC:\Users\admin\AppData\Roaming\packetstream\psclient.exeexecutable
MD5:BF73B3D182B6ACEDBA7263620BBEEE39
SHA256:EED5C42164AEAF363A4E6556B9F25AFD741424774D1DD76CB27C1447259FB355
2408PacketStreamInstaller.exeC:\Program Files\PacketStream\icon.icoimage
MD5:A5B3E9154BBA2C73504DA4D8A6F70069
SHA256:EDC66302E85384058798679D928619B04A6B843912828978F31CF88CD49C7FCF
2408PacketStreamInstaller.exeC:\Users\admin\Desktop\PacketStream.lnkbinary
MD5:FE8A5E0D4D740A79F7C1917B4D2C9C7A
SHA256:2654A41915401347640F575C0671BEA36A08573A93E650A35A429DB6EB1D9FEC
2968msedge.exe
MD5:
SHA256:
3404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1a4586.TMP
MD5:
SHA256:
3404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
3728msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local Statebinary
MD5:B0B2BCA56E064D57BD2D9051A9FF04B2
SHA256:79638D450D12F2720D71F68C793BBD6512FB2EF70C711452279E538F100216FD
3164psclient.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PacketStream.lnkbinary
MD5:C08704010C093455C21F8FE938AF042D
SHA256:0D42D62B233D654E82F0F9C3EED4248FDFAD0E9AB844D692E144CD554DEB6343
3164psclient.exeC:\Users\admin\AppData\Local\Temp\systray_temp_icon_c54abdac105237d93753dfdad6db6231image
MD5:C54ABDAC105237D93753DFDAD6DB6231
SHA256:FABA35880D7A124F4295B1874B2D37EF4070EF29BEF1710E03FD76B873F0ADDC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
163
DNS requests
80
Threats
3

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
3164
psclient.exe
172.64.145.29:443
client-dl.packetstream.io
CLOUDFLARENET
US
unknown
3164
psclient.exe
104.18.42.227:443
client-dl.packetstream.io
CLOUDFLARENET
shared
3164
psclient.exe
143.198.246.222:443
api.packetstream.io
DIGITALOCEAN-ASN
US
unknown
840
msedge.exe
24.144.71.189:443
packetstream.io
US
unknown
3404
msedge.exe
239.255.255.250:1900
unknown
840
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
client-dl.packetstream.io
  • 172.64.145.29
  • 104.18.42.227
unknown
api.packetstream.io
  • 143.198.246.222
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
config.edge.skype.com
  • 13.107.42.16
whitelisted
packetstream.io
  • 24.144.71.189
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.163
  • 104.126.37.153
  • 104.126.37.131
  • 104.126.37.139
  • 104.126.37.145
  • 104.126.37.162
  • 104.126.37.184
  • 104.126.37.171
  • 104.126.37.146
  • 104.126.37.168
  • 104.126.37.155
  • 104.126.37.137
  • 104.126.37.161
  • 104.126.37.160
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
fonts.googleapis.com
  • 142.250.186.106
whitelisted
fonts.gstatic.com
  • 142.250.186.163
whitelisted

Threats

PID
Process
Class
Message
840
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
840
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
2228
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PacketStreamInstaller.exe