File name:

install-interception.exe

Full analysis: https://app.any.run/tasks/2dc37ae9-4232-4a74-ba48-a4a46d85c0cf
Verdict: Malicious activity
Analysis date: February 19, 2025, 17:55:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 4 sections
MD5:

0F0B50D92E030B8965CE669C8058FA6E

SHA1:

257B3F0402285A29F4618B32958C208B3E9D4C4D

SHA256:

E137863A79DA797F08E7A137280FF2A123809044A888FD75CE9C973198915ABE

SSDEEP:

6144:+sglhAWORQG8O1dMDmJPjQy4xZWLUKc2y:+s4LjGvMk74+B4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates or modifies Windows services

      • install-interception.exe (PID: 7104)

    • Drops a system driver (possible attempt to evade defenses)

      • install-interception.exe (PID: 7104)

    • Executable content was dropped or overwritten

      • install-interception.exe (PID: 7104)

    • Creates files in the driver directory

      • install-interception.exe (PID: 7104)

  • INFO

    • Checks supported languages

      • install-interception.exe (PID: 4392)
      • install-interception.exe (PID: 6536)

    • The sample compiled with english language support

      • install-interception.exe (PID: 6536)
      • install-interception.exe (PID: 7104)

    • Manual execution by a user

      • cmd.exe (PID: 6652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:03:24 23:52:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 29696
InitializedDataSize: 441344
UninitializedDataSize: -
EntryPoint: 0x614c
OSVersion: 6.1
ImageVersion: 6.1
SubsystemVersion: 5.1
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Francisco Lopes
FileDescription: Interception command line installation tool
FileVersion: 1.00 built by: WinDDK
InternalName: install-interception.exe
LegalCopyright: Copyright (C) 2008-2018 Francisco Lopes da Silva
OriginalFileName: install-interception.exe
ProductName: Interception
ProductVersion: 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start install-interception.exe conhost.exe no specs rundll32.exe no specs cmd.exe conhost.exe no specs install-interception.exe no specs install-interception.exe install-interception.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3568C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4392install-interception.exeC:\Users\admin\AppData\Local\Temp\install-interception.execmd.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
HIGH
Description:
Interception command line installation tool
Exit code:
1
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
5388\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6400"C:\Users\admin\AppData\Local\Temp\install-interception.exe" C:\Users\admin\AppData\Local\Temp\install-interception.exeexplorer.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
MEDIUM
Description:
Interception command line installation tool
Exit code:
3221226540
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6536"C:\Users\admin\AppData\Local\Temp\install-interception.exe" C:\Users\admin\AppData\Local\Temp\install-interception.exe
explorer.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
HIGH
Description:
Interception command line installation tool
Exit code:
1
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
6548\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeinstall-interception.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6652"C:\WINDOWS\system32\cmd.exe" C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
7104install-interception.exe /installC:\Users\admin\AppData\Local\Temp\install-interception.exe
cmd.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
HIGH
Description:
Interception command line installation tool
Exit code:
0
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
Total events
359
Read events
349
Write events
10
Delete events
0

Modification events

(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\keyboard
Operation:writeName:Type
Value:
1
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\keyboard
Operation:writeName:ErrorControl
Value:
1
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\keyboard
Operation:writeName:Start
Value:
3
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mouse
Operation:writeName:DisplayName
Value:
Mouse Upper Filter Driver
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mouse
Operation:writeName:Type
Value:
1
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mouse
Operation:writeName:ErrorControl
Value:
1
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mouse
Operation:writeName:Start
Value:
3
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}
Operation:writeName:UpperFilters
Value:
keyboard
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}
Operation:writeName:UpperFilters
Value:
mouse
(PID) Process:(7104) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\keyboard
Operation:writeName:DisplayName
Value:
Keyboard Upper Filter Driver
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7104install-interception.exeC:\Windows\System32\drivers\keyboard.sysexecutable
MD5:9D39232310190DC8C0CB7472DB523A1E
SHA256:2CB5EC142CFAC879BCE4A2F9549258DB972AEBBD24F4551B6B748B464EB7DBA9
7104install-interception.exeC:\Windows\System32\drivers\mouse.sysexecutable
MD5:CCF564011EEFA7B44D74915D231B8FD7
SHA256:0F12D47D01864CA5E1EB663A52B3D2C060521E57B68FF99D70E7F01506E400F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
40
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4308
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4308
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4144
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4144
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6868
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
184.86.251.9:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4308
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4308
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2124
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.238
whitelisted
www.bing.com
  • 184.86.251.9
  • 184.86.251.30
  • 184.86.251.22
  • 184.86.251.25
  • 184.86.251.7
  • 184.86.251.16
  • 184.86.251.20
  • 184.86.251.4
  • 184.86.251.15
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.2
  • 40.126.31.2
  • 20.190.159.73
  • 20.190.159.129
  • 40.126.31.69
  • 40.126.31.1
  • 20.190.159.64
whitelisted
go.microsoft.com
  • 2.19.246.123
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
install-interception.exe