File name:

PacketStreamInstaller.exe

Full analysis: https://app.any.run/tasks/f1e55855-e0e7-4fda-953f-3734aebcf353
Verdict: Malicious activity
Analysis date: March 15, 2024, 18:33:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

6D6F50061E5ABE88A7B671046398270F

SHA1:

E2783B9B2993A9CCC13DAB299C3EE581D265B71A

SHA256:

3A819DF32EFEC09CCA52C2D6B6E9B0A99EBC1D64EAC33F9BE426463FC5E60F2D

SSDEEP:

98304:/oFhWG5yK9xYKWDf/sORREAPHFOPioQPLAXE5tfrzTvcyf3AwJRmsTmyYQCGrdlN:TPYDGbKYV+UhH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • PacketStreamInstaller.exe (PID: 2408)
      • pslauncher.exe (PID: 1496)

    • Create files in the Startup directory

      • psclient.exe (PID: 3164)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PacketStreamInstaller.exe (PID: 2408)
      • pslauncher.exe (PID: 1496)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • PacketStreamInstaller.exe (PID: 2408)

    • The process creates files with name similar to system file names

      • PacketStreamInstaller.exe (PID: 2408)

    • Creates a software uninstall entry

      • PacketStreamInstaller.exe (PID: 2408)

    • Reads settings of System Certificates

      • psclient.exe (PID: 3164)

    • Adds/modifies Windows certificates

      • psclient.exe (PID: 3164)

    • Uses RUNDLL32.EXE to load library

      • psclient.exe (PID: 3164)

    • Reads the Internet Settings

      • rundll32.exe (PID: 4044)
      • rundll32.exe (PID: 2808)

    • Connects to unusual port

      • psclient.exe (PID: 3164)

  • INFO

    • Checks supported languages

      • PacketStreamInstaller.exe (PID: 2408)
      • pslauncher.exe (PID: 1496)
      • psclient.exe (PID: 3164)
      • psclient.exe (PID: 2592)
      • pslauncher.exe (PID: 2488)
      • psclient.exe (PID: 2968)
      • psclient.exe (PID: 2176)
      • psclient.exe (PID: 492)
      • psclient.exe (PID: 840)
      • psclient.exe (PID: 1784)
      • psclient.exe (PID: 1484)
      • psclient.exe (PID: 532)
      • psclient.exe (PID: 3988)
      • psclient.exe (PID: 3236)
      • psclient.exe (PID: 2880)
      • psclient.exe (PID: 1072)
      • pslauncher.exe (PID: 3376)
      • psclient.exe (PID: 3548)
      • psclient.exe (PID: 2104)
      • psclient.exe (PID: 4020)
      • psclient.exe (PID: 3528)
      • psclient.exe (PID: 1796)
      • psclient.exe (PID: 2620)
      • psclient.exe (PID: 2404)
      • psclient.exe (PID: 2640)
      • psclient.exe (PID: 2748)
      • psclient.exe (PID: 1820)
      • psclient.exe (PID: 3312)
      • psclient.exe (PID: 3256)
      • psclient.exe (PID: 1392)
      • psclient.exe (PID: 3816)
      • psclient.exe (PID: 3764)
      • psclient.exe (PID: 3368)
      • psclient.exe (PID: 1192)
      • psclient.exe (PID: 3924)
      • psclient.exe (PID: 1492)
      • psclient.exe (PID: 1432)
      • psclient.exe (PID: 2328)
      • psclient.exe (PID: 3200)
      • psclient.exe (PID: 3964)
      • psclient.exe (PID: 1692)
      • psclient.exe (PID: 2776)
      • psclient.exe (PID: 2916)
      • psclient.exe (PID: 900)
      • psclient.exe (PID: 1692)
      • psclient.exe (PID: 3896)
      • psclient.exe (PID: 3744)
      • psclient.exe (PID: 3688)
      • psclient.exe (PID: 3740)
      • psclient.exe (PID: 2524)
      • psclient.exe (PID: 3524)
      • psclient.exe (PID: 3440)
      • psclient.exe (PID: 3092)
      • psclient.exe (PID: 3200)
      • psclient.exe (PID: 3912)
      • psclient.exe (PID: 680)
      • psclient.exe (PID: 2072)
      • psclient.exe (PID: 1576)
      • psclient.exe (PID: 3948)
      • psclient.exe (PID: 3300)
      • psclient.exe (PID: 532)
      • psclient.exe (PID: 2316)
      • psclient.exe (PID: 1072)
      • psclient.exe (PID: 3392)
      • psclient.exe (PID: 3576)
      • pslauncher.exe (PID: 3016)
      • psclient.exe (PID: 3020)
      • psclient.exe (PID: 316)
      • psclient.exe (PID: 2560)
      • psclient.exe (PID: 3472)
      • psclient.exe (PID: 3088)
      • psclient.exe (PID: 968)
      • psclient.exe (PID: 3540)
      • psclient.exe (PID: 1544)
      • psclient.exe (PID: 2884)
      • psclient.exe (PID: 2996)
      • psclient.exe (PID: 3848)
      • psclient.exe (PID: 1644)

    • Reads the computer name

      • PacketStreamInstaller.exe (PID: 2408)
      • psclient.exe (PID: 3164)

    • Create files in a temporary directory

      • PacketStreamInstaller.exe (PID: 2408)
      • psclient.exe (PID: 3164)

    • Creates files in the program directory

      • PacketStreamInstaller.exe (PID: 2408)

    • Creates files or folders in the user directory

      • pslauncher.exe (PID: 1496)
      • psclient.exe (PID: 3164)

    • Reads the software policy settings

      • psclient.exe (PID: 3164)

    • Reads the machine GUID from the registry

      • psclient.exe (PID: 3164)

    • Manual execution by a user

      • pslauncher.exe (PID: 2488)
      • pslauncher.exe (PID: 3376)
      • msedge.exe (PID: 3404)
      • msedge.exe (PID: 1820)
      • pslauncher.exe (PID: 3016)

    • Application launched itself

      • msedge.exe (PID: 3728)
      • msedge.exe (PID: 3404)
      • msedge.exe (PID: 984)
      • msedge.exe (PID: 1820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
121
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start packetstreaminstaller.exe pslauncher.exe psclient.exe pslauncher.exe psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs pslauncher.exe psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs rundll32.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs pslauncher.exe psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs psclient.exe no specs packetstreaminstaller.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
316"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
452"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 --field-trial-handle=872,i,4186068532475117917,8152438641344645428,131072 /prefetch:2C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
492C:\Users\admin\AppData\Roaming\packetstream/psclient.exe --launcher "C:\Program Files\PacketStream/pslauncher.exe"C:\Users\admin\AppData\Roaming\packetstream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\roaming\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
532C:\Users\admin\AppData\Roaming\packetstream/psclient.exe --launcher "C:\Program Files\PacketStream/pslauncher.exe"C:\Users\admin\AppData\Roaming\packetstream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\roaming\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
532C:\Users\admin\AppData\Roaming\packetstream/psclient.exe --versionC:\Users\admin\AppData\Roaming\packetstream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
604"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6a76f598,0x6a76f5a8,0x6a76f5b4C:\Program Files\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
680"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
840"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
840"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=1332,i,753215616183249872,12593202332484993928,131072 /prefetch:3C:\Program Files\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
900"C:\Program Files\PacketStream\psclient.exe" --versionC:\Program Files\PacketStream\psclient.exepslauncher.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\packetstream\psclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
31 151
Read events
31 012
Write events
121
Delete events
18

Modification events

(PID) Process:(2408) PacketStreamInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacketStream
Operation:writeName:DisplayName
Value:
PacketStream
(PID) Process:(2408) PacketStreamInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacketStream
Operation:writeName:UninstallString
Value:
C:\Program Files\PacketStream\uninstaller.exe
(PID) Process:(2408) PacketStreamInstaller.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacketStream
Operation:writeName:DisplayIcon
Value:
C:\Program Files\PacketStream\icon.ico
(PID) Process:(3164) psclient.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
Operation:delete valueName:9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Value:
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
Operation:writeName:Blob
Value:
1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D70300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB60F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Value:
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Operation:writeName:Blob
Value:
040000000100000010000000FA68BCD9B57FADFDC91D068328CC24C1090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000300000000B043572C899DEC43EFD590CFCE610CF443A6315925EBFE589F7506907E44824608489581C7CA0E041458514CF157614030000000100000014000000D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF01D0000000100000010000000280CF6042C30A2646644BA7286A3AA971400000001000000140000003AE10986D4CF19C29676744976DCE035C663639A0B00000001000000180000005300650063007400690067006F00200045004300430000006200000001000000200000004FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A19000000010000001000000076935B5C5A037216DAAF8AAC76DF42C153000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C02000000001000000930200003082028F30820215A00302010202105C8B99C55A94C5D27156DECD8980CC26300A06082A8648CE3D040303308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F726974793076301006072A8648CE3D020106052B81040022036200041AAC545AA9F96823E77AD5246F53C65AD84BABC6D5B6D1E67371AEDD9CD60C61FDDBA08903B80514EC57CEEE5D3FE221B3CEF7D48A79E0A3837E2D97D061C4F199DC259163AB7F30A3B470E2C7A1339CF3BF2E5C53B15FB37D327F8A34E37979A3423040301D0603551D0E041604143AE10986D4CF19C29676744976DCE035C663639A300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300A06082A8648CE3D040303036800306502303667A11608DCE49700411D4EBEE16301CF3BAA421164A09D94390211795C7B1DFA64B9EE1642B3BF8AC209C4ECE4B14D023100E92A61478C524A4B4E1870F6D644D66EF583BA6D58BD24D95648EAEFC4A24681886A3A46D1A99B4DC961DAD15D576A18
(PID) Process:(3164) psclient.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF0
Operation:writeName:Blob
Value:
5C00000001000000040000008001000053000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C019000000010000001000000076935B5C5A037216DAAF8AAC76DF42C16200000001000000200000004FF460D54B9C86DABFBCFC5712E0400D2BED3FBC4D4FBDAA86E06ADCD2A9AD7A0B00000001000000180000005300650063007400690067006F00200045004300430000001400000001000000140000003AE10986D4CF19C29676744976DCE035C663639A1D0000000100000010000000280CF6042C30A2646644BA7286A3AA97030000000100000014000000D1CBCA5DB2D52A7F693B674DE5F05A1D0C957DF00F00000001000000300000000B043572C899DEC43EFD590CFCE610CF443A6315925EBFE589F7506907E44824608489581C7CA0E041458514CF157614090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B06010505070308040000000100000010000000FA68BCD9B57FADFDC91D068328CC24C12000000001000000930200003082028F30820215A00302010202105C8B99C55A94C5D27156DECD8980CC26300A06082A8648CE3D040303308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374204543432043657274696669636174696F6E20417574686F726974793076301006072A8648CE3D020106052B81040022036200041AAC545AA9F96823E77AD5246F53C65AD84BABC6D5B6D1E67371AEDD9CD60C61FDDBA08903B80514EC57CEEE5D3FE221B3CEF7D48A79E0A3837E2D97D061C4F199DC259163AB7F30A3B470E2C7A1339CF3BF2E5C53B15FB37D327F8A34E37979A3423040301D0603551D0E041604143AE10986D4CF19C29676744976DCE035C663639A300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300A06082A8648CE3D040303036800306502303667A11608DCE49700411D4EBEE16301CF3BAA421164A09D94390211795C7B1DFA64B9EE1642B3BF8AC209C4ECE4B14D023100E92A61478C524A4B4E1870F6D644D66EF583BA6D58BD24D95648EAEFC4A24681886A3A46D1A99B4DC961DAD15D576A18
Executable files
9
Suspicious files
76
Text files
129
Unknown types
55

Dropped files

PID
Process
Filename
Type
2408PacketStreamInstaller.exeC:\Users\admin\AppData\Local\Temp\nsq296D.tmp
MD5:
SHA256:
2408PacketStreamInstaller.exeC:\Users\admin\AppData\Local\Temp\nsq296E.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
3728msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\3b7b2cb1-cafe-4bd7-b70c-727378206d19.tmptext
MD5:B0B2BCA56E064D57BD2D9051A9FF04B2
SHA256:79638D450D12F2720D71F68C793BBD6512FB2EF70C711452279E538F100216FD
3728msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datbinary
MD5:DF0BCCD68449F07F531D76F53C718178
SHA256:12025F4DA9E53A8B91892D4F6E6A9B89513F3488BFE9F1EEEC3C05F7EF96BDD8
2968msedge.exe
MD5:
SHA256:
3404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1a4586.TMP
MD5:
SHA256:
3404msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
2908msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pmabinary
MD5:886E82F2CA62ECCCE64601B30592078A
SHA256:E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
3164psclient.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PacketStream.lnkbinary
MD5:C08704010C093455C21F8FE938AF042D
SHA256:0D42D62B233D654E82F0F9C3EED4248FDFAD0E9AB844D692E144CD554DEB6343
3728msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Versiontext
MD5:61FE7896F9494DCDF53480A325F4FB85
SHA256:ACFD3CD36E0DFCF1DCB67C7F31F2A5B9BA0815528A0C604D4330DFAA9E683E51
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
163
DNS requests
80
Threats
3

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
3164
psclient.exe
172.64.145.29:443
client-dl.packetstream.io
CLOUDFLARENET
US
unknown
3164
psclient.exe
104.18.42.227:443
client-dl.packetstream.io
CLOUDFLARENET
shared
3164
psclient.exe
143.198.246.222:443
api.packetstream.io
DIGITALOCEAN-ASN
US
unknown
840
msedge.exe
24.144.71.189:443
packetstream.io
US
unknown
3404
msedge.exe
239.255.255.250:1900
unknown
840
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
client-dl.packetstream.io
  • 172.64.145.29
  • 104.18.42.227
unknown
api.packetstream.io
  • 143.198.246.222
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
config.edge.skype.com
  • 13.107.42.16
whitelisted
packetstream.io
  • 24.144.71.189
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.163
  • 104.126.37.153
  • 104.126.37.131
  • 104.126.37.139
  • 104.126.37.145
  • 104.126.37.162
  • 104.126.37.184
  • 104.126.37.171
  • 104.126.37.146
  • 104.126.37.168
  • 104.126.37.155
  • 104.126.37.137
  • 104.126.37.161
  • 104.126.37.160
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
fonts.googleapis.com
  • 142.250.186.106
whitelisted
fonts.gstatic.com
  • 142.250.186.163
whitelisted

Threats

PID
Process
Class
Message
840
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
840
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
2228
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare turnstile CAPTCHA challenge
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PacketStreamInstaller.exe