File name:

tailscale-setup-1.80.0.exe

Full analysis: https://app.any.run/tasks/80da2626-4a93-4fb2-9b08-9390233b256b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. It can infect a victim's computer, collect system information, and install other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence tactics to avoid detection. (This is the generic description attached to the "loader" tag; the signatures listed below are what the sandbox actually observed for this sample.)

Analysis date: February 13, 2025, 18:43:27
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

99EA93736664716ADB66F9CD173C3155

SHA1:

F7AE4FC39DCF4D4577430673115433E5DA787152

SHA256:

B61712872A636E1A78C1FF6CEA39F5F65AAEB2910436CE19E26109CF7C2905D3

SSDEEP:

24576:m1cgiCevXJG6jlAhIxY6KS71cAbtv0UF9msd6LTyrGL:m1cgiCevXJG6jlAhIS6KS71cARv0UF9C

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be influenced by the analyst's actions during the run and is provided as is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Changes the autorun value in the registry

      • tailscale-setup-1.80.0.exe (PID: 4476)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tailscale-setup-1.80.0.exe (PID: 876)
      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-setup-1.80.0.exe (PID: 4476)
      • drvinst.exe (PID: 1220)
      • tailscaled.exe (PID: 3604)
    • Starts itself from another location (the copy dropped to C:\Users\admin\AppData\Local\Temp\{429A021A-33A4-47D6-8652-8A81EC221416}\.be\tailscale-setup-1.80.0.exe has the same MD5 and SHA256 as the submitted sample; see the dropped files below)

      • tailscale-setup-1.80.0.exe (PID: 876)
      • tailscale-setup-1.80.0.exe (PID: 6916)
    • Searches for installed software

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-setup-1.80.0.exe (PID: 4476)
      • dllhost.exe (PID: 1572)
    • Reads the Internet Settings

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-ipn.exe (PID: 780)
      • msiexec.exe (PID: 5228)
    • Reads security settings of Internet Explorer

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • msiexec.exe (PID: 5228)
      • tailscale-ipn.exe (PID: 780)
    • Creates a software uninstall entry

      • tailscale-setup-1.80.0.exe (PID: 4476)
    • Reads settings of System Certificates

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-ipn.exe (PID: 780)
    • Checks Windows Trust Settings

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • msiexec.exe (PID: 5660)
      • drvinst.exe (PID: 1220)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3256)
      • tailscaled.exe (PID: 2452)
    • Adds/modifies Windows certificates

      • msiexec.exe (PID: 5660)
    • Restarts service on failure

      • sc.exe (PID: 1484)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5660)
    • Starts SC.EXE for service management

      • msiexec.exe (PID: 3752)
    • Drops a system driver (possible attempt to evade defenses; the INF handed to DrvInst.exe, PID 1220, is wintun.inf, see the process information below)

      • tailscaled.exe (PID: 3604)
      • drvinst.exe (PID: 1220)
    • Application launched itself

      • tailscaled.exe (PID: 2452)
    • Creates or modifies Windows services

      • drvinst.exe (PID: 6988)
    • Process uses IPCONFIG to clear DNS cache

      • tailscaled.exe (PID: 3604)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • tailscaled.exe (PID: 3604)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • tailscaled.exe (PID: 3604)
    • Process uses IPCONFIG to get network configuration information

      • tailscaled.exe (PID: 3604)
  • INFO

    • The sample was compiled with English language support

      • tailscale-setup-1.80.0.exe (PID: 876)
      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-setup-1.80.0.exe (PID: 4476)
      • msiexec.exe (PID: 5660)
      • tailscaled.exe (PID: 3604)
      • drvinst.exe (PID: 1220)
    • Checks supported languages

      • tailscale-setup-1.80.0.exe (PID: 876)
      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-setup-1.80.0.exe (PID: 4476)
      • msiexec.exe (PID: 5660)
      • msiexec.exe (PID: 5228)
      • tailscale-ipn.exe (PID: 3828)
      • msiexec.exe (PID: 2996)
      • msiexec.exe (PID: 3752)
      • tailscaled.exe (PID: 2452)
      • tailscaled.exe (PID: 3604)
      • drvinst.exe (PID: 1220)
      • tailscale-ipn.exe (PID: 780)
      • drvinst.exe (PID: 6988)
      • identity_helper.exe (PID: 7660)
      • pwahelper.exe (PID: 7848)
    • Creates files in a temporary directory

      • tailscale-setup-1.80.0.exe (PID: 876)
      • tailscale-setup-1.80.0.exe (PID: 6916)
    • Reads the computer name

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-setup-1.80.0.exe (PID: 4476)
      • msiexec.exe (PID: 5228)
      • msiexec.exe (PID: 2996)
      • tailscale-ipn.exe (PID: 3828)
      • msiexec.exe (PID: 3752)
      • msiexec.exe (PID: 5660)
      • tailscaled.exe (PID: 2452)
      • tailscaled.exe (PID: 3604)
      • drvinst.exe (PID: 1220)
      • drvinst.exe (PID: 6988)
      • tailscale-ipn.exe (PID: 780)
    • Checks proxy server information

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-ipn.exe (PID: 780)
    • Reads the machine GUID from the registry

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • tailscale-setup-1.80.0.exe (PID: 4476)
      • msiexec.exe (PID: 5660)
      • drvinst.exe (PID: 1220)
      • tailscaled.exe (PID: 2452)
      • tailscale-ipn.exe (PID: 780)
    • Reads the software policy settings

      • tailscale-setup-1.80.0.exe (PID: 6916)
      • msiexec.exe (PID: 5660)
      • tailscaled.exe (PID: 2452)
      • drvinst.exe (PID: 1220)
      • tailscale-ipn.exe (PID: 780)
    • Manages system restore points

      • SrTasks.exe (PID: 1908)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5660)
    • Application launched itself

      • msiexec.exe (PID: 5660)
      • msedge.exe (PID: 7080)
      • msedge.exe (PID: 6716)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5660)
    • Detects GO elliptic curve encryption (YARA)

      • tailscaled.exe (PID: 2452)
    • Connects to unusual port

      • msedge.exe (PID: 6016)
    • Application based on Golang

      • tailscaled.exe (PID: 2452)
    • Manual execution by a user

      • msedge.exe (PID: 6716)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:22 22:14:43+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 314368
InitializedDataSize: 302080
UninitializedDataSize: -
EntryPoint: 0x302e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.80.0.0
ProductVersionNumber: 1.80.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tailscale Inc.
FileDescription: Tailscale
FileVersion: 1.80.0
InternalName: setup
LegalCopyright: Copyright (c) Tailscale Inc.. All rights reserved.
OriginalFileName: tailscale-setup-1.80.0.exe
ProductName: Tailscale
ProductVersion: 1.80.0
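The EXE block above is read straight out of the PE headers. As an added example, not code from the ANY.RUN report or from Tailscale, the following Python recovers those same fields from any PE file using only the standard library, so the report's "File info" and EXIF lines can be checked against a local copy before it is trusted or submitted. The bytes produced by build_sample_pe() are constructed here to mirror the values the report lists for this sample; they are not bytes from the real installer, and all function and constant names are this example's own.

```python
"""Minimal PE header parser: machine type, timestamp, section count, linker
version, sizes, entry point, OS/subsystem versions and characteristics.

Added example; not part of the ANY.RUN report or of Tailscale's code.
"""
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows console"}
CHARACTERISTIC_FLAGS = {          # IMAGE_FILE_* bits, in the order the report prints them
    0x0002: "Executable",
    0x0100: "32-bit",
    0x0400: "Removable run from swap",
    0x0800: "Net run from swap",
    0x2000: "DLL",
}


def parse_pe_header(data: bytes) -> dict:
    """Return the COFF/optional header fields of a PE image.

    Raises ValueError for anything that is not a well-formed PE header, so a
    renamed or truncated file fails loudly instead of yielding garbage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header too short")
    magic, major_link, minor_link, code_size, init_size, uninit_size, entry = struct.unpack_from("<HBBIIII", data, opt)
    pe_type = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if pe_type is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # The version words (offset 40) and Subsystem (offset 68) sit at the same
    # offsets in PE32 and PE32+, so no branching on pe_type is needed here.
    major_os, minor_os, major_img, minor_img, major_sub, minor_sub = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
        "Sections": nsections,
        # Link-time stamp: attacker-controllable, useful for correlation only.
        "TimeStamp": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "ImageFileCharacteristics": [name for bit, name in CHARACTERISTIC_FLAGS.items() if chars & bit],
        "PEType": pe_type,
        "LinkerVersion": f"{major_link}.{minor_link}",
        "CodeSize": code_size,
        "InitializedDataSize": init_size,
        "UninitializedDataSize": uninit_size,
        "EntryPoint": entry,
        "OSVersion": f"{major_os}.{minor_os}",
        "ImageVersion": f"{major_img}.{minor_img}",
        "SubsystemVersion": f"{major_sub}.{minor_sub}",
        "Subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def parse_pe_file(path: str) -> dict:
    """Headers of ordinary executables fit comfortably in the first 4 KiB."""
    with open(path, "rb") as fh:
        return parse_pe_header(fh.read(4096))


def build_sample_pe() -> bytes:
    """Constructed PE32 header mirroring the report's EXIF values (not real file bytes)."""
    ts = int(datetime(2024, 3, 22, 22, 14, 43, tzinfo=timezone.utc).timestamp())
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 6 sections, 224-byte optional header, characteristics 0x0D02
    coff = struct.pack("<HHIIIHH", 0x014C, 6, ts, 0, 0, 224, 0x0002 | 0x0100 | 0x0400 | 0x0800)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 16, 314368, 302080, 0, 0x302E5)
    struct.pack_into("<6H", opt, 40, 6, 0, 0, 0, 6, 0)   # OS 6.0, image 0.0, subsystem 6.0
    struct.pack_into("<H", opt, 68, 2)                    # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    for key, value in parse_pe_header(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

parse_pe_file(path) does the same for a file on disk. A machine type, section count or link timestamp that differs from the report's values means the local file is a different build from the one analysed here, which matters when matching the SHA256 above against what a user actually ran; the timestamp itself is set by whoever built the binary, so treat it as a correlation hint, not proof.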
No data.
All screenshots are available in the full report
Total processes: 182
Monitored processes: 68
Malicious processes: 6
Suspicious processes: 2

Behavior graph

Process launch order as shown in the graph (a process marked "no specs" has no detailed record in the report):
tailscale-setup-1.80.0.exe ×3, SPPSurrogate (no specs), vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe, msiexec.exe ×2 (no specs), tailscale-ipn.exe (no specs), msiexec.exe (no specs), sc.exe (no specs), conhost.exe (no specs), tailscaled.exe ×2, drvinst.exe, drvinst.exe (no specs), tailscale-ipn.exe, wsl.exe (no specs), conhost.exe (no specs), netsh.exe (no specs), ipconfig.exe ×4 (no specs), netsh.exe ×2 (no specs), ipconfig.exe (no specs), msedge.exe ×20 (two with detailed records, the rest no specs), identity_helper.exe ×2 (no specs), msedge.exe ×13 (no specs), pwahelper.exe (no specs), msedge.exe ×2 (no specs), svchost.exe

Process information

Fields per entry: PID, CMD, Path, Indicators, Parent process. PIDs are reused within the run: 1096 and 1484 each appear below for two different processes (ipconfig.exe and an msedge.exe renderer; sc.exe and an msedge.exe renderer), so a PID alone does not identify a process in the indicator lists above.
PID: 148
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: sc.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 780
CMD: "C:\Program Files\Tailscale\tailscale-ipn.exe"
Path: C:\Program Files\Tailscale\tailscale-ipn.exe
Parent process: msiexec.exe
User:
admin
Company:
Tailscale Inc.
Integrity Level:
HIGH
Description:
Tailscale GUI client
Version:
1.80.0-t4f4686503-gccb3ce01b
Modules
Images
c:\program files\tailscale\tailscale-ipn.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
c:\windows\system32\secur32.dll
PID: 876
CMD: "C:\Users\admin\Desktop\tailscale-setup-1.80.0.exe"
Path: C:\Users\admin\Desktop\tailscale-setup-1.80.0.exe
Parent process: explorer.exe
User:
admin
Company:
Tailscale Inc.
Integrity Level:
MEDIUM
Description:
Tailscale
Version:
1.80.0
Modules
Images
c:\users\admin\desktop\tailscale-setup-1.80.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
PID: 1096
CMD: ipconfig /registerdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: tailscaled.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
PID: 1096 (PID reused after the ipconfig.exe above exited)
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3436 --field-trial-handle=1928,i,12131785544159450610,7504618349245042868,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1160
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1220
CMD: DrvInst.exe "4" "9" "C:\Windows\Temp\21d0ae8fd809b7a5e8197860686e0a437f6ce5e97f51062b7315582b91b74893\wintun.inf" "9" "4f3a57eff" "00000000000000C8" "Service-0x0-3e7$\Default" "0000000000000178" "208" "C:\Windows\Temp\21d0ae8fd809b7a5e8197860686e0a437f6ce5e97f51062b7315582b91b74893"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.22000.653 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID: 1360
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6524 --field-trial-handle=1928,i,12131785544159450610,7504618349245042868,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1484
CMD: "C:\Windows\system32\sc.exe" failure Tailscale reset= 60 actions= restart/1000/restart/2000/restart/4000/restart/9000/restart/16000/restart/25000/restart/36000/restart/49000/restart/64000
Path: C:\Windows\System32\sc.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1484 (PID reused after the sc.exe above exited)
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4844 --field-trial-handle=1928,i,12131785544159450610,7504618349245042868,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 55 097
Read events: 53 783
Write events: 1 278
Delete events: 36

Modification events

(PID 6916) tailscale-setup-1.80.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write  Name: ProxyBypass  Value: 1

(PID 6916) tailscale-setup-1.80.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write  Name: IntranetName  Value: 1

(PID 6916) tailscale-setup-1.80.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write  Name: UNCAsIntranet  Value: 1

(PID 6916) tailscale-setup-1.80.0.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write  Name: AutoDetect  Value: 0

(PID 4476) tailscale-setup-1.80.0.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write  Name: SrCreateRp (Enter)
Value: 40000000000000008FE5F333477EDB017C110000D40A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1572) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write  Name: SppGetSnapshots (Enter)
Value: 48000000000000008FE5F333477EDB012406000084070000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1572) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write  Name: SppGetSnapshots (Leave)
Value: 4800000000000000027A6D34477EDB012406000084070000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1572) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write  Name: SppEnumGroups (Enter)
Value: 4800000000000000027A6D34477EDB012406000084070000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID 1572) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write  Name: SppEnumGroups (Leave)
Value: 480000000000000069DF6F34477EDB012406000084070000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID 1572) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write  Name: SppCreate (Enter)
Value: 4800000000000000E3E57434477EDB012406000084070000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
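The VSS\Diag values above look opaque, but the report's own data gives away their layout: at offset 16 the little-endian DWORD is the PID of the writing process (7C110000 = 4476 for the installer, 24060000 = 1572 for dllhost.exe), and the eight bytes before it are a Windows FILETIME that decodes to 2025-02-13 18:43:41 UTC, fourteen seconds after the analysis start time. As an added example, not part of the ANY.RUN report, the Python below decodes the size, FILETIME, PID and thread-ID fields and pairs each "(Enter)" value with its "(Leave)" counterpart to recover how long the shadow-copy operations took. The layout is inferred from this page and is an assumption beyond the fields checked here; the bytes after the thread ID (including the DWORD that changes per value name, 0x7D5 for SrCreateRp and 0x7D2 for SppGetSnapshots) are kept raw rather than interpreted. The hex constants are the first 24 bytes of three values as listed above, zero-padded to the declared size because the report shows the remainder as zeros; names such as decode_vss_diag and REPORT_VALUES are this example's own.

```python
"""Decoder for the binary values written under
HKLM\\SYSTEM\\ControlSet001\\Services\\VSS\\Diag during the run.

Added example, not part of the ANY.RUN report. Assumed layout, inferred from
the report's data: DWORD size, DWORD reserved, FILETIME, DWORD PID, DWORD TID,
then bytes this example does not interpret.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# First 24 bytes of three values from the report's modification events; the
# rest of each value is shown as zeros in the report and is regenerated by
# pad_to_declared_size(). Constructed test input, not a registry export.
REPORT_VALUES = {
    "SrCreateRp (Enter)":      "40000000" "00000000" "8FE5F333477EDB01" "7C110000" "D40A0000",
    "SppGetSnapshots (Enter)": "48000000" "00000000" "8FE5F333477EDB01" "24060000" "84070000",
    "SppGetSnapshots (Leave)": "48000000" "00000000" "027A6D34477EDB01" "24060000" "84070000",
}


@dataclass
class VssDiagEntry:
    size: int            # declared total length of the value (offset 0)
    timestamp: datetime  # FILETIME at offset 8, converted to UTC
    pid: int             # process that wrote the value (offset 16)
    tid: int             # thread that wrote the value (offset 20)
    tail: bytes          # everything after offset 24, left undecoded


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; keep microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def pad_to_declared_size(prefix_hex: str) -> bytes:
    """Rebuild a full value from its leading bytes using the size it declares."""
    raw = bytes.fromhex(prefix_hex)
    (size,) = struct.unpack_from("<I", raw, 0)
    return raw.ljust(size, b"\0")


def decode_vss_diag(raw: bytes) -> VssDiagEntry:
    if len(raw) < 24:
        raise ValueError("value shorter than the 24-byte header")
    size, _reserved, ft, pid, tid = struct.unpack_from("<IIQII", raw, 0)
    if size > len(raw):
        raise ValueError(f"declared size {size} exceeds value length {len(raw)}")
    return VssDiagEntry(size, filetime_to_datetime(ft), pid, tid, raw[24:size])


def operation_durations(values: dict) -> dict:
    """Pair '<op> (Enter)' with '<op> (Leave)' and return seconds spent per op.

    Operations with no Leave record in the input (SrCreateRp here) are skipped
    rather than reported with a bogus duration.
    """
    durations = {}
    for name, raw in values.items():
        if not name.endswith(" (Enter)"):
            continue
        op = name[: -len(" (Enter)")]
        leave = values.get(f"{op} (Leave)")
        if leave is None:
            continue
        delta = decode_vss_diag(leave).timestamp - decode_vss_diag(raw).timestamp
        durations[op] = delta.total_seconds()
    return durations


RAW_VALUES = {name: pad_to_declared_size(hexstr) for name, hexstr in REPORT_VALUES.items()}

if __name__ == "__main__":
    for name, raw in RAW_VALUES.items():
        entry = decode_vss_diag(raw)
        print(f"{name:26} {entry.timestamp:%Y-%m-%d %H:%M:%S.%f} UTC  pid={entry.pid} tid={entry.tid}")
    for op, seconds in operation_durations(RAW_VALUES).items():
        print(f"{op}: {seconds:.3f} s")
```

Run against the three values above this prints the installer's SrCreateRp entry from PID 4476 and the two dllhost.exe entries from PID 1572, with SppGetSnapshots taking just under 0.8 s. On a live system the same decoder applied to the whole VSS\Diag key gives a timeline of who touched shadow copies and when, which is worth having whenever an installer creates a restore point shortly before or after other changes.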
Executable files: 26
Suspicious files: 456
Text files: 108
Unknown types: 6

Dropped files

Fields per entry: PID, Process, Filename, Type, MD5, SHA256 (hashes are blank where the report does not list them)

PID 1572 dllhost.exe
C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID 6916 tailscale-setup-1.80.0.exe
C:\Users\admin\AppData\Local\Temp\{429A021A-33A4-47D6-8652-8A81EC221416}\MsiAMD64
MD5:
SHA256:

PID 4476 tailscale-setup-1.80.0.exe
C:\ProgramData\Package Cache\.unverified\MsiAMD64
MD5:
SHA256:

PID 4476 tailscale-setup-1.80.0.exe
C:\ProgramData\Package Cache\{B79D11C0-44DD-57F7-A32D-661FCF28188D}v1.80.0\tailscale-setup-1.80.0-amd64.msi
MD5:
SHA256:

PID 5660 msiexec.exe
C:\Windows\Installer\25b215.msi
MD5:
SHA256:

PID 6916 tailscale-setup-1.80.0.exe
C:\Users\admin\AppData\Local\Temp\{429A021A-33A4-47D6-8652-8A81EC221416}\.ba\wixstdba.dll
Type: executable
MD5: 87C8A7EA44E8EE0D9358E25B7DCD397D
SHA256: B7DE0A0CA3A94738747ABD708E30BA1F9638A8C8B7D8173C76D4F39FAE3D9346

PID 6916 tailscale-setup-1.80.0.exe
C:\Users\admin\AppData\Local\Temp\{429A021A-33A4-47D6-8652-8A81EC221416}\.ba\thm.xml
Type: xml
MD5: C29A69F34FF31FF63C3EC6B2D4F903E5
SHA256: 8D67851408A62B0F04DBAADDC588CD98499CF3630EC5DF9F7C0699F0D367F79C

PID 6916 tailscale-setup-1.80.0.exe
C:\Users\admin\AppData\Local\Temp\{429A021A-33A4-47D6-8652-8A81EC221416}\.be\tailscale-setup-1.80.0.exe
Type: executable (same MD5/SHA256 as the submitted sample)
MD5: 99EA93736664716ADB66F9CD173C3155
SHA256: B61712872A636E1A78C1FF6CEA39F5F65AAEB2910436CE19E26109CF7C2905D3

PID 4476 tailscale-setup-1.80.0.exe
C:\ProgramData\Package Cache\{893ea997-2768-4a77-b8aa-e5a58353fb5d}\state.rsm
Type: binary
MD5: 091EFE6F67DEB1E5F6AB966BE3BF12D2
SHA256: F23079AE54FC792DB66B7ADE9ECFFE16D08EF633C35A4284CD8C7BECC905DF87

PID 6916 tailscale-setup-1.80.0.exe
C:\Users\admin\AppData\Local\Temp\{429A021A-33A4-47D6-8652-8A81EC221416}\MsiAMD64.R
Type: binary
MD5: 3D0CF5291D2C03F9F64F7B020C842C56
SHA256: BB152486E2192114D47A4B126548254A9BDCE703418F4AFE97D9F5B8549E2584
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 150
TCP/UDP connections: 212
DNS requests: 158
Threats: 3

HTTP requests

Fields per row: PID, Process, Method, HTTP code, IP, URL, CN, Reputation (the Type and Size columns are not populated in this report)

1296 svchost.exe  GET 200  88.221.110.216:80  http://www.msftconnecttest.com/connecttest.txt  CN: unknown  whitelisted
(PID/process not listed)  HEAD 200  199.38.181.239:443  https://pkgs.tailscale.com/stable/tailscale-setup-1.80.0-amd64.msi  CN: unknown
2744 MoUsoCoreWorker.exe  GET 200  199.232.210.172:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?66e008a29d2c543a  CN: unknown  whitelisted
5660 msiexec.exe  GET 200  2.23.77.188:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D  CN: unknown  whitelisted
5660 msiexec.exe  GET 200  2.23.77.188:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D  CN: unknown  whitelisted
5660 msiexec.exe  GET 200  2.23.77.188:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAGSuURxj1Rlh15b2U5S69o%3D  CN: unknown  whitelisted
1168 svchost.exe  POST 403  2.18.97.227:80  http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409  CN: unknown  whitelisted  (4 identical requests)

Connections

Fields per row: PID, Process, IP, Domain, ASN, CN, Reputation (blank where the report lists nothing)

4 System  192.168.100.255:137  whitelisted
1296 svchost.exe  88.221.110.216:80  Akamai International B.V.  DE  unknown
2744 MoUsoCoreWorker.exe  40.127.240.158:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2744 MoUsoCoreWorker.exe  199.232.210.172:80  ctldl.windowsupdate.com  FASTLY  US  whitelisted
6916 tailscale-setup-1.80.0.exe  199.38.181.239:443  pkgs.tailscale.com  NETACTUATE  US  suspicious
6916 tailscale-setup-1.80.0.exe  109.105.218.17:443  dl.tailscale.com  FLY  US  unknown
5660 msiexec.exe  2.23.77.188:80  ocsp.digicert.com  AKAMAI-AS  DE  whitelisted
2452 tailscaled.exe  52.207.202.187:443  log.tailscale.com  AMAZON-AES  US  unknown
780 tailscale-ipn.exe  52.207.202.187:443  log.tailscale.com  AMAZON-AES  US  unknown
1656 svchost.exe  224.0.0.252:5355  whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
pkgs.tailscale.com
  • 199.38.181.239
unknown
dl.tailscale.com
  • 109.105.218.17
unknown
ocsp.digicert.com
  • 2.23.77.188
whitelisted
log.tailscale.com
  • 52.207.202.187
unknown
go.microsoft.com
  • 2.18.97.227
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
tailscale.com
  • 76.76.21.21
unknown

Threats

Fields per row: PID, Process, Class, Message

1296 svchost.exe  Misc activity  ET INFO Microsoft Connection Test
(PID/process not listed)  Potentially Bad Traffic  ET INFO Possible Chrome Plugin install
(PID/process not listed)  Potential Corporate Privacy Violation  ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted
No debug info