File name:

TABSimulator_installer_39734987.msi

Full analysis: https://app.any.run/tasks/aea7e5e7-adf5-4d1d-a07f-93eadd6018da
Verdict: Malicious activity
Threats:

Adware is malware that pushes unwanted advertisements at users and degrades their browsing experience. It usually arrives through software bundling, malicious websites, or deceptive downloads. Once installed it may track user activity, collect sensitive data, and inject intrusive pop-ups or banners. Some variants evade security controls and establish persistence, which makes removal difficult, and the components they install can weaken the system's security and give other malware a foothold, so adware is a privacy and system-security risk rather than just a nuisance.

Analysis date: February 06, 2025, 20:43:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
adware
bbwc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {CDE0ABA5-0AE9-4CDC-BBA7-645FA44D11D5}, Number of Words: 10, Subject: Installer Assistant, Author: Eclipse Media Inc, Name of Creating Application: Advanced Installer 15.8 build b14c769f44, Template: ;1033, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
The Create, Last Saved and Last Printed timestamps (11 Dec 2009) are the template values Advanced Installer writes into every package it builds, so they say nothing about when this sample was actually assembled; the Author and creating-application fields are the more useful attribution pivots.
MD5:

05353E5AC101EE2AF41C61F96F45CF09

SHA1:

771FB4A74E4021F7E3B35629E916C8E1DD5C37DD

SHA256:

D99B2EEDC405BD5A8447CB189DFF3B2E831174F94D2F98DD49A3716F347D11BA

SSDEEP:

98304:LwAfqNgh2z/bqac+oUKi4sO8Lyt6S+w1BhpvsMl1QJ5Hs7jylBAQfCpwAfqNghXu:5LKFhS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6784)
      • powershell.exe (PID: 2728)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 1224)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 3736)
      • powershell.exe (PID: 5712)
      • powershell.exe (PID: 4716)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 1064)
      • powershell.exe (PID: 7124)
    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • msiexec.exe (PID: 6236)
      • MSICB16.tmp (PID: 1292)
      • MSI3803.tmp (PID: 7156)
      • msiexec.exe (PID: 6668)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6608)
    • BBWC has been detected (SURICATA)

      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 3172)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1224)
      • powershell.exe (PID: 4716)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1064)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • MSICB16.tmp (PID: 1292)
      • msiexec.exe (PID: 6236)
      • MSI3803.tmp (PID: 7156)
      • msiexec.exe (PID: 6668)
    • The process executes Powershell scripts

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • msiexec.exe (PID: 6236)
      • msiexec.exe (PID: 6668)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • msiexec.exe (PID: 6236)
      • msiexec.exe (PID: 6668)
    • The process hides an interactive prompt from the user

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • MSICB16.tmp (PID: 1292)
      • msiexec.exe (PID: 6236)
      • msiexec.exe (PID: 6668)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 6784)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6692)
      • MSICB16.tmp (PID: 1292)
      • MSI3803.tmp (PID: 7156)
      • msiexec.exe (PID: 6668)
      • MSI9149.tmp (PID: 5456)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6608)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 5712)
    • Access to an unwanted program domain was detected

      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 3172)
    • Manipulates environment variables

      • powershell.exe (PID: 1224)
      • powershell.exe (PID: 4716)
    • Executes as Windows Service

      • VSSVC.exe (PID: 4708)
      • WmiApSrv.exe (PID: 7052)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6668)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Starts CMD.EXE for commands execution

      • msiexec.exe (PID: 6692)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
    • Reverses array data (POWERSHELL)

      • powershell.exe (PID: 1064)
      • powershell.exe (PID: 7124)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1064)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 6360)
    • Process drops legitimate windows executable

      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • The executable file from the user directory is run by the CMD process

      • sysinfo-app.exe (PID: 3620)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6360)
      • powershell.exe (PID: 6784)
      • powershell.exe (PID: 2728)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 3736)
      • powershell.exe (PID: 5712)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 1064)
      • powershell.exe (PID: 7124)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6360)
      • powershell.exe (PID: 6784)
      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6668)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
    • Checks supported languages

      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • MSICB16.tmp (PID: 1292)
      • msiexec.exe (PID: 6236)
      • MSI3803.tmp (PID: 7156)
      • msiexec.exe (PID: 6668)
      • MSI9149.tmp (PID: 5456)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
      • identity_helper.exe (PID: 1540)
      • sysinfo-app.exe (PID: 3620)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Reads the computer name

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6220)
      • MSICB16.tmp (PID: 1292)
      • msiexec.exe (PID: 6236)
      • MSI3803.tmp (PID: 7156)
      • msiexec.exe (PID: 6668)
      • MSI9149.tmp (PID: 5456)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
      • identity_helper.exe (PID: 1540)
      • sysinfo-app.exe (PID: 3620)
    • Reads Environment values

      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6220)
      • MSICB16.tmp (PID: 1292)
      • msiexec.exe (PID: 6236)
      • MSI3803.tmp (PID: 7156)
      • msiexec.exe (PID: 6668)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
      • identity_helper.exe (PID: 1540)
    • The sample was compiled with English language support

      • msiexec.exe (PID: 6360)
      • msiexec.exe (PID: 6608)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6360)
      • msiexec.exe (PID: 6692)
      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6668)
    • Checks proxy server information

      • msiexec.exe (PID: 6360)
      • powershell.exe (PID: 2728)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 1224)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 5712)
      • powershell.exe (PID: 4536)
      • msiexec.exe (PID: 6668)
      • powershell.exe (PID: 4716)
      • powershell.exe (PID: 1064)
      • MSI9149.tmp (PID: 5456)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
    • Reads the software policy settings

      • msiexec.exe (PID: 6360)
      • powershell.exe (PID: 6784)
      • powershell.exe (PID: 2728)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 3736)
      • powershell.exe (PID: 5712)
      • powershell.exe (PID: 4536)
      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6668)
      • powershell.exe (PID: 1064)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
      • powershell.exe (PID: 7124)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
    • Create files in a temporary directory

      • msiexec.exe (PID: 6692)
      • powershell.exe (PID: 6784)
      • powershell.exe (PID: 2728)
      • msiexec.exe (PID: 6220)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 4020)
      • powershell.exe (PID: 3172)
      • msiexec.exe (PID: 6236)
      • powershell.exe (PID: 3736)
      • powershell.exe (PID: 5712)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 1064)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Disables trace logs

      • powershell.exe (PID: 2728)
      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 1224)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 4716)
      • powershell.exe (PID: 5712)
      • powershell.exe (PID: 4536)
      • powershell.exe (PID: 1064)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
    • Process checks computer location settings

      • msiexec.exe (PID: 6692)
      • MSICB16.tmp (PID: 1292)
      • MSI3803.tmp (PID: 7156)
      • MSI9149.tmp (PID: 5456)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
    • Application launched itself

      • msiexec.exe (PID: 6692)
      • msedge.exe (PID: 2392)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1512)
      • powershell.exe (PID: 1540)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 5712)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6608)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 6608)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4020)
    • Manages system restore points

      • SrTasks.exe (PID: 3224)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6608)
      • msiexec.exe (PID: 6668)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 6524)
      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
    • Local mutex for internet shortcut management

      • MSI9149.tmp (PID: 5456)
    • Reads product name

      • setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (PID: 1864)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {CDE0ABA5-0AE9-4CDC-BBA7-645FA44D11D5}
Words: 10
Subject: Installer Assistant
Author: Eclipse Media Inc
LastModifiedBy: -
Software: Advanced Installer 15.8 build b14c769f44
Template: ;1033
Comments: -
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
All screenshots are available in the full report
Total processes: 227
Monitored processes: 86
Malicious processes: 6
Suspicious processes: 9

Behavior graph

The interactive graph is only rendered in the full report. Processes it contains ("no specs" marks nodes without a detail page): msiexec.exe (several instances), powershell.exe (many instances, two of them tagged #BBWC for the Suricata detection), conhost.exe, msicb16.tmp, msi3803.tmp, msi9149.tmp, vssvc.exe, srtasks.exe, cmd.exe, msedge.exe (many instances), setup_com.kiloo.subwaysurf_flow6mkt_39734987.exe (two instances), identity_helper.exe, sysinfo-app.exe and wmiapsrv.exe.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
444
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6200 --field-trial-handle=2392,i,13856127076164865198,10565999326765818343,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID:
512
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
1064
CMD:
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss8627.tmp.ps1"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
1192
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=2392,i,13856127076164865198,10565999326765818343,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID:
1200
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
1224
CMD:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'/BBWC/'; [Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'WebCompanion.dll'));[WebCompanion.StartUp]::Start()"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
MSICB16.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1292
CMD:
"C:\WINDOWS\Installer\MSICB16.tmp" /DontWait /HideWindow /dir "C:\Users\admin\AppData\Roaming\BBWC\" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noninteractive -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'/BBWC/'; [Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'WebCompanion.dll'));[WebCompanion.StartUp]::Start()"
Path:
C:\Windows\Installer\MSICB16.tmp
Parent process:
msiexec.exe
MSICB16.tmp is the stock Advanced Installer (Caphyon) "launch file" custom action that msiexec extracts at install time; /DontWait /HideWindow and the full PowerShell command line are its arguments, so the installer, not PowerShell itself, chose to run the payload hidden and without waiting for it to finish.
User:
admin
Company:
Caphyon LTD
Integrity Level:
MEDIUM
Description:
File that launches another file
Exit code:
0
Version:
15.8.0.0
Modules
Images
c:\windows\installer\msicb16.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
1328
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1512
CMD:
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss9DE6.tmp.ps1"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
1540
CMD:
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssBFE9.tmp.ps1"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
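The process table above shows the chain a detection should key on: msiexec.exe extracts the MSICB16.tmp launcher, which starts powershell.exe with -ExecutionPolicy bypass, which reads WebCompanion.dll from %APPDATA%\BBWC\ and loads it in memory with [Reflection.Assembly]::Load. The following is an added example, not code from the ANY.RUN report or from the sample: a Python scorer run over constructed process-creation records whose command lines are copied from PIDs 1292, 1224 and 1064 above. The parent image paths, the two benign control events, the indicator weights and the verdict thresholds are assumptions. It shows why the plain "-ExecutionPolicy Bypass" hits (the pss*.tmp.ps1 custom actions, which every Advanced Installer PowerShell action produces) only rate suspicious, while the reflective load from a user-writable path rates malicious.

```python
"""Score process-creation events for the MSI -> launcher -> PowerShell chain
seen in this report: an installer custom action (msiexec.exe or a
C:\\Windows\\Installer\\MSI<hex>.tmp launcher) starting powershell.exe with
-ExecutionPolicy bypass, which then reflectively loads a DLL read from
%APPDATA%. Added triage example; not part of the ANY.RUN report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    image: str          # full path of the created process
    cmdline: str        # its command line, as logged
    parent_image: str   # full path (or bare name) of the parent


POWERSHELL = re.compile(r"(?:^|\\)powershell\.exe$", re.I)
# Advanced Installer unpacks its launcher stub as C:\Windows\Installer\MSI<hex>.tmp
MSI_LAUNCHER = re.compile(r"(?:^|\\)MSI[0-9A-F]{1,4}\.tmp$", re.I)

# (indicator name, regex over the command line, weight). The reflective
# in-memory load is the only indicator that benign Advanced Installer
# PowerShell custom actions do not also produce, so it carries most weight.
CMDLINE_INDICATORS = [
    ("execution_policy_bypass",
     re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass\b", re.I), 1),
    ("non_interactive_or_hidden",
     re.compile(r"-(?:NonInteractive|NoProfile|WindowStyle\s+Hidden|w\s+hidden)\b|/HideWindow\b", re.I), 1),
    ("script_in_temp",
     re.compile(r"-File\s+\"?[^\"\s]*\\Temp\\[^\"\s]*\.ps1\b", re.I), 1),
    ("user_writable_path",
     re.compile(r"\$env:APPDATA|%APPDATA%|\\AppData\\", re.I), 1),
    ("reflective_assembly_load",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(\s*"
                r"\[System\.IO\.File\]::ReadAllBytes", re.I), 3),
]
PARENT_WEIGHT = 1                    # spawned by msiexec.exe or an MSI*.tmp launcher
MALICIOUS_AT, SUSPICIOUS_AT = 6, 3   # assumed thresholds, tune to your estate


def assess(ev: ProcEvent) -> dict:
    """Return indicators, score, verdict and the in-memory payload hint for one event."""
    result = {"pid": ev.pid, "indicators": [], "score": 0,
              "verdict": "benign", "payload_hint": None}
    # In scope: PowerShell itself, or anything carrying a PowerShell command
    # line (the launcher stub does, see PID 1292).
    if not (POWERSHELL.search(ev.image) or "powershell" in ev.cmdline.lower()):
        return result
    if ev.parent_image.lower().endswith("msiexec.exe") or MSI_LAUNCHER.search(ev.parent_image):
        result["indicators"].append("msi_custom_action_parent")
        result["score"] += PARENT_WEIGHT
    for name, rx, weight in CMDLINE_INDICATORS:
        if rx.search(ev.cmdline):
            result["indicators"].append(name)
            result["score"] += weight
    # What was read into memory: the file to go and collect from disk.
    m = re.search(r"ReadAllBytes\(([^)]*)\)", ev.cmdline)
    if m:
        result["payload_hint"] = m.group(1)
    if result["score"] >= MALICIOUS_AT:
        result["verdict"] = "malicious"
    elif result["score"] >= SUSPICIOUS_AT:
        result["verdict"] = "suspicious"
    return result


def triage(events) -> list:
    """Assess every event, highest score first."""
    return sorted((assess(e) for e in events), key=lambda r: -r["score"])


PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
# PowerShell arguments exactly as logged for PIDs 1224 and 1292 in the report.
BBWC_PS = (r'-noninteractive -ExecutionPolicy bypass -c "$w="$env:APPDATA"+'
           + "'/BBWC/'; "
           + r"[Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes($w+'WebCompanion.dll'));"
           + r'[WebCompanion.StartUp]::Start()"')

# Constructed sample events: command lines come from the process table above;
# parent paths and the two benign controls (PIDs 4242, 7000) are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1292, r"C:\Windows\Installer\MSICB16.tmp",
              r'"C:\WINDOWS\Installer\MSICB16.tmp" /DontWait /HideWindow '
              r'/dir "C:\Users\admin\AppData\Roaming\BBWC\" ' + PS_EXE + " " + BBWC_PS,
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(1224, PS_EXE, f'"{PS_EXE}" {BBWC_PS}', r"C:\Windows\Installer\MSICB16.tmp"),
    ProcEvent(1064, PS_EXE,
              r' -NoProfile -Noninteractive -ExecutionPolicy Bypass '
              r'-File "C:\Users\admin\AppData\Local\Temp\pss8627.tmp.ps1"',
              r"C:\Windows\SysWOW64\msiexec.exe"),
    # Control: an admin running an unsigned script by hand from Explorer.
    ProcEvent(4242, PS_EXE, f'"{PS_EXE}" -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1',
              r"C:\Windows\explorer.exe"),
    # Control: a non-PowerShell custom action, out of scope for this detector.
    ProcEvent(7000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c echo done",
              r"C:\Windows\SysWOW64\msiexec.exe"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["pid"]:>5} {r["verdict"]:<10} score={r["score"]} {r["indicators"]}')
```

Run as a script it prints the ranked verdicts; `payload_hint` returns the expression handed to ReadAllBytes (here `$w+'WebCompanion.dll'`), which tells the responder which file to pull from %APPDATA%\BBWC\ before the installer's cleanup or an uninstall removes it.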
Total events: 90,178
Read events: 89,694
Write events: 445
Delete events: 39

Modification events

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value: -

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: -

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2728) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

These Tracing\powershell_RASAPI32 and powershell_RASMANCS values are the defaults that rasapi32.dll creates the first time a process touches the RAS API (here, the network calls made by the PowerShell instances). The zeros mean tracing was never on, so the "Disables trace logs" signature records a footprint of network activity rather than evidence that the sample switched logging off.
Executable files: 74
Suspicious files: 331
Text files: 111
Unknown types: 9

Dropped files

PID: 6692  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\msiBECF.tmp.txt
Type: -
MD5: -
SHA256: -

PID: 6692  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\pssBED0.tmp.ps1
Type: -
MD5: -
SHA256: -

PID: 6692  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\pssC190.tmp.ps1
Type: -
MD5: -
SHA256: -

PID: 6692  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\msi7B3D.tmp.txt
Type: -
MD5: -
SHA256: -

PID: 6692  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\pss7B3E.tmp.ps1
Type: -
MD5: -
SHA256: -

PID: 6692  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\pss7C1A.tmp.ps1
Type: -
MD5: -
SHA256: -

PID: 6360  Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: binary
MD5: 896EDEFDC2C45677A96AEBB0CD1183F2
SHA256: 084BEF8A485B2D8984A5920AC8BA8D53056F12B8D4DB6EE045B0C09D9CC92013

PID: 6360  Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIBEB1.tmp
Type: executable
MD5: 07EBB743BBD7230E04C23BCBAA03FC44
SHA256: 194B29C26D925FDC1F1AA1802714118D0CA30E413C7FEA5C19A928EBA7CC43B0

PID: 6784  Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f0juiwiw.kca.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6360  Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: C7187584BBCEA4F96751077447515E8B
SHA256: CC6704CC4CA24D778F91B9AD2FE903ADE51FE2AB07DBF07C3B3F8A17E9645ED6

The pss*.tmp.ps1 files written by msiexec.exe (PID 6692) are the installer's PowerShell custom-action scripts; each is handed to powershell.exe with -File (see PIDs 1064, 1512 and 1540 in the process table), so they are the first artifacts to collect from %TEMP% when triaging this sample. The __PSScriptPolicyTest_*.psm1 file is PowerShell's own script-policy (AppLocker) probe, written at every start-up, not a dropped payload, and the CryptnetUrlCache entries are cached CRL/OCSP responses from msiexec's signature checks.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 43
TCP/UDP connections: 106
DNS requests: 96
Threats: 15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6360 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
6360 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEANaOQEpbKrXUTLrp8kRbbA%3D | unknown | whitelisted
6360 | msiexec.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
6848 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6848 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6536 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2728 | powershell.exe | POST | 200 | 108.138.2.106:80 | http://d2vtta4ibs40qt.cloudfront.net/ | unknown | whitelisted

Every request except the last is certificate-revocation traffic (CRL and OCSP fetches) from Windows components and from msiexec.exe verifying signatures. The one to note is the plaintext POST by powershell.exe (PID 2728) to d2vtta4ibs40qt.cloudfront.net; its "whitelisted" reputation reflects the CloudFront CDN, not whoever operates that distribution, so the host name is the indicator to hunt for.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6360 | msiexec.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1076 | svchost.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 2.21.65.154:443 | www.bing.com | Akamai International B.V. | NL | whitelisted
6848 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6848 | SIHClient.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
www.bing.com
  • 2.21.65.154
  • 2.21.65.132
  • 104.126.37.153
  • 104.126.37.160
  • 104.126.37.139
  • 104.126.37.162
  • 104.126.37.146
  • 104.126.37.176
  • 104.126.37.154
  • 104.126.37.170
  • 104.126.37.171
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.71
  • 20.190.159.2
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.0
  • 40.126.31.69
  • 20.190.159.4
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
1512
powershell.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] BBWC a browser hijacker app (PUP)
1512
powershell.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] BBWC a browser hijacker app (PUP)
3172
powershell.exe
Possibly Unwanted Program Detected
ADWARE [ANY.RUN] BBWC a browser hijacker app (PUP)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2976
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
No debug info