File name: tailscale-setup-1.78.1.exe
Full analysis: https://app.any.run/tasks/fd548070-b3c0-46c8-b8a0-e1a84f88a5a3
Verdict: Malicious activity
Analysis date: December 21, 2024, 01:53:35
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 18467621346C05541AF74F525EF0F334
SHA1: DDCF7C1590DE75CE9ABE526B838EE18905868D2A
SHA256: F90DEEF624630AFE3503EC63B59035E65E7B6CEA02D675C8514A5B6B8F5075FD
SSDEEP: 24576:j1cgiCevXJG6jlAhIxY6KS7DcAVtphRmsd6LTyr:j1cgiCevXJG6jlAhIS6KS7DcALphRmsr
ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by user actions during the session and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe; the verdict below is derived from behavioral signatures, not from a reputation check of the file itself.
  • MALICIOUS

    • Changes the autorun value in the registry

      • tailscale-setup-1.78.1.exe (PID: 6736)
  • SUSPICIOUS

    • Searches for installed software

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • dllhost.exe (PID: 6784)
    • Reads security settings of Internet Explorer

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6432)
    • Starts itself from another location

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • tailscale-setup-1.78.1.exe (PID: 1200)
    • Executable content was dropped or overwritten

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • tailscale-setup-1.78.1.exe (PID: 1200)
      • tailscale-setup-1.78.1.exe (PID: 6736)
      • tailscaled.exe (PID: 3540)
      • drvinst.exe (PID: 2756)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6828)
      • tailscaled.exe (PID: 7100)
    • Creates a software uninstall entry

      • tailscale-setup-1.78.1.exe (PID: 6736)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6204)
      • tailscale-setup-1.78.1.exe (PID: 3840)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6204)
    • Application launched itself

      • tailscaled.exe (PID: 7100)
    • Starts SC.EXE for service management

      • msiexec.exe (PID: 5968)
    • Restarts service on failure

      • sc.exe (PID: 6996)
    • Drops a system driver (possible attempt to evade defenses)

      • tailscaled.exe (PID: 3540)
      • drvinst.exe (PID: 2756)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2756)
    • Process uses IPCONFIG to clear DNS cache

      • tailscaled.exe (PID: 3540)
    • Process uses IPCONFIG to get network configuration information

      • tailscaled.exe (PID: 3540)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • tailscaled.exe (PID: 3540)
    • Uses NETSH.EXE to delete a firewall rule or allowed programs

      • tailscaled.exe (PID: 3540)
  • INFO

    • Create files in a temporary directory

      • tailscale-setup-1.78.1.exe (PID: 1200)
      • tailscale-setup-1.78.1.exe (PID: 3840)
      • tailscale-setup-1.78.1.exe (PID: 6736)
    • Process checks computer location settings

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6432)
    • Checks supported languages

      • tailscale-setup-1.78.1.exe (PID: 6736)
      • tailscale-setup-1.78.1.exe (PID: 1200)
      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6204)
      • tailscale-ipn.exe (PID: 6704)
      • msiexec.exe (PID: 6328)
      • tailscaled.exe (PID: 7100)
      • msiexec.exe (PID: 5968)
      • tailscaled.exe (PID: 3540)
      • drvinst.exe (PID: 3532)
      • msiexec.exe (PID: 6432)
      • tailscale-ipn.exe (PID: 6932)
      • drvinst.exe (PID: 2756)
    • The sample compiled with english language support

      • tailscale-setup-1.78.1.exe (PID: 1200)
      • tailscale-setup-1.78.1.exe (PID: 3840)
      • tailscale-setup-1.78.1.exe (PID: 6736)
      • tailscaled.exe (PID: 3540)
      • msiexec.exe (PID: 6204)
      • drvinst.exe (PID: 2756)
    • Manages system restore points

      • SrTasks.exe (PID: 536)
    • Reads the computer name

      • tailscale-setup-1.78.1.exe (PID: 6736)
      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6204)
      • msiexec.exe (PID: 6328)
      • tailscale-ipn.exe (PID: 6704)
      • msiexec.exe (PID: 5968)
      • tailscaled.exe (PID: 7100)
      • tailscaled.exe (PID: 3540)
      • tailscale-ipn.exe (PID: 6932)
      • drvinst.exe (PID: 2756)
    • The process uses the downloaded file

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6432)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6204)
    • Creates files in the program directory

      • tailscale-setup-1.78.1.exe (PID: 6736)
      • tailscaled.exe (PID: 7100)
      • tailscaled.exe (PID: 3540)
    • Reads the software policy settings

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6204)
      • drvinst.exe (PID: 2756)
      • tailscale-ipn.exe (PID: 6932)
      • tailscaled.exe (PID: 7100)
    • Reads the machine GUID from the registry

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • tailscale-setup-1.78.1.exe (PID: 6736)
      • msiexec.exe (PID: 6204)
      • drvinst.exe (PID: 2756)
      • tailscaled.exe (PID: 7100)
    • Checks proxy server information

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • tailscale-ipn.exe (PID: 6932)
    • Creates files or folders in the user directory

      • tailscale-setup-1.78.1.exe (PID: 3840)
      • msiexec.exe (PID: 6204)
      • tailscale-ipn.exe (PID: 6932)
    • Application launched itself

      • msiexec.exe (PID: 6204)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • tailscaled.exe (PID: 3540)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • tailscaled.exe (PID: 3540)
Signature artifacts and their mapping to the MITRE ATT&CK matrix are available in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:22 22:14:43+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.16
CodeSize: 314368
InitializedDataSize: 302080
UninitializedDataSize: -
EntryPoint: 0x302e5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.78.1.0
ProductVersionNumber: 1.78.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Tailscale Inc.
FileDescription: Tailscale
FileVersion: 1.78.1
InternalName: setup
LegalCopyright: Copyright (c) Tailscale Inc.. All rights reserved.
OriginalFileName: tailscale-setup-1.78.1.exe
ProductName: Tailscale
ProductVersion: 1.78.1
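The EXIF block above is exiftool's reading of the PE headers, and the MD5/SHA1/SHA256 values at the top of the report are what an analyst should compare against a locally obtained copy before trusting the verdict in either direction. The Python below is an added example for this page, not part of the ANY.RUN report and not Tailscale tooling: it reproduces the reported header fields from the raw COFF/optional-header bytes using only the standard library and checks a file's digests against the report. The sample it builds is a constructed, header-only PE32 stub carrying the report's values (i386 machine, 6 sections, the 2024-03-22 link timestamp, linker 14.16, entry point 0x302e5, GUI subsystem, the run-from-swap flags); it is not the installer, so the hash comparison on it is expected to fail. On the timestamp: the `-burn.clean.room` argument in the process list shows the outer executable is a WiX Burn bundle, whose stub is the prebuilt Burn engine, so the header timestamp reflects the engine build rather than when the 1.78.1 payload was produced.

```python
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, named the way exiftool prints them.
CHARACTERISTICS = {
    0x0002: "Executable",
    0x0100: "32-bit",
    0x0400: "Removable run from swap",
    0x0800: "Net run from swap",
}
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}

# Digests published in the report for tailscale-setup-1.78.1.exe.
REPORT_HASHES = {
    "md5": "18467621346C05541AF74F525EF0F334",
    "sha1": "DDCF7C1590DE75CE9ABE526B838EE18905868D2A",
    "sha256": "F90DEEF624630AFE3503EC63B59035E65E7B6CEA02D675C8514A5B6B8F5075FD",
}


def _ver(major: int, minor: int) -> str:
    return str(major) if minor == 0 else f"{major}.{minor}"


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header and the leading fields of the PE32/PE32+ optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # the optional header follows the 20-byte COFF header
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_maj, os_min, _, _, ss_maj, ss_min = struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "TimeStamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "NumberOfSections": nsections,
        "ImageFileCharacteristics": ", ".join(n for bit, n in CHARACTERISTICS.items() if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": f"{lmaj}.{lmin}",
        "CodeSize": code,
        "InitializedDataSize": idata,
        "UninitializedDataSize": udata,
        "EntryPoint": hex(entry),
        "OSVersion": _ver(os_maj, os_min),
        "SubsystemVersion": _ver(ss_maj, ss_min),
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def hashes_match(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Per algorithm: does the local file's digest equal the value published in the report?"""
    return {alg: hashlib.new(alg, data).hexdigest() == value.lower() for alg, value in expected.items()}


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 stub (NOT the real installer) carrying the report's EXIF values."""
    stamp = int(datetime(2024, 3, 22, 22, 14, 43, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header immediately after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 6, stamp, 0, 0, 224, 0x0002 | 0x0100 | 0x0400 | 0x0800)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 16, 314368, 302080, 0, 0x302E5)
    struct.pack_into("<HH", opt, 40, 6, 0)  # OS version 6.0
    struct.pack_into("<HH", opt, 48, 6, 0)  # subsystem version 6.0
    struct.pack_into("<H", opt, 68, 2)      # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe_header(blob).items():
        print(f"{key}: {value}")
    print("hashes match report:", hashes_match(blob))
```

Run it with the path of a downloaded copy to get the same fields the report shows; a digest mismatch means you are not looking at the analysed sample, whatever the version resource says.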
All screenshots are available in the full report
Total processes: 162
Monitored processes: 29
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Processes in the graph, in display order ("no specs" marks processes with no recorded indicators): start, tailscale-setup-1.78.1.exe, tailscale-setup-1.78.1.exe, tailscale-setup-1.78.1.exe, SPPSurrogate (no specs), vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe, msiexec.exe (no specs), msiexec.exe (no specs), tailscale-ipn.exe (no specs), msiexec.exe (no specs), sc.exe (no specs), conhost.exe (no specs), tailscaled.exe, tailscaled.exe, drvinst.exe, drvinst.exe (no specs), tailscale-ipn.exe, wsl.exe (no specs), netsh.exe (no specs), conhost.exe (no specs), ipconfig.exe (no specs), netsh.exe (no specs), ipconfig.exe (no specs), ipconfig.exe (no specs), netsh.exe (no specs), ipconfig.exe (no specs), ipconfig.exe (no specs)

Process information (fields: PID | CMD | Path | Parent process)
PID 536 | CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | Path: C:\Windows\System32\SrTasks.exe | Parent: dllhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 1200 | CMD: "C:\Users\admin\AppData\Local\Temp\tailscale-setup-1.78.1.exe" | Path: C:\Users\admin\AppData\Local\Temp\tailscale-setup-1.78.1.exe | Parent: explorer.exe
User: admin
Company: Tailscale Inc.
Integrity Level: MEDIUM
Description: Tailscale
Exit code: 0
Version: 1.78.1
Modules (images):
c:\users\admin\appdata\local\temp\tailscale-setup-1.78.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 1752 | CMD: ipconfig /registerdns | Path: C:\Windows\System32\ipconfig.exe | Parent: tailscaled.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\dhcpcsvc.dll
PID 2756 | CMD: DrvInst.exe "4" "9" "C:\WINDOWS\Temp\fa8f78122ff0b4e5f9dafcf1c2a593c12f1300b7205edb2a33560a7bc1443526\wintun.inf" "9" "42fff0963" "00000000000001C0" "Service-0x0-3e7$\Default" "00000000000001D4" "208" "C:\WINDOWS\Temp\fa8f78122ff0b4e5f9dafcf1c2a593c12f1300b7205edb2a33560a7bc1443526" | Path: C:\Windows\System32\drvinst.exe | Parent: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID 3532 | CMD: DrvInst.exe "1" "0" "SWD\Wintun\{37217669-42DA-4657-A55B-0D995D328250}" "" "" "43f7a302b" "0000000000000000" | Path: C:\Windows\System32\drvinst.exe | Parent: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll
PID 3540 | CMD: "C:\Program Files\Tailscale\tailscaled.exe" /subproc f0f9efd34a63da5fc3a83221c424911310741740f93a3311015600b294504884 | Path: C:\Program Files\Tailscale\tailscaled.exe | Parent: tailscaled.exe
User: SYSTEM
Company: Tailscale Inc.
Integrity Level: SYSTEM
Description: Tailscale service
Version: 1.78.1-t8903926f7-gc4163954e
Modules (images):
c:\program files\tailscale\tailscaled.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\umpdc.dll
c:\windows\system32\secur32.dll
PID 3840 | CMD: "C:\Users\admin\AppData\Local\Temp\{6D37AE34-7546-4BEC-B3E3-979FB4630D00}\.cr\tailscale-setup-1.78.1.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\tailscale-setup-1.78.1.exe" -burn.filehandle.attached=584 -burn.filehandle.self=592 | Path: C:\Users\admin\AppData\Local\Temp\{6D37AE34-7546-4BEC-B3E3-979FB4630D00}\.cr\tailscale-setup-1.78.1.exe | Parent: tailscale-setup-1.78.1.exe
User: admin
Company: Tailscale Inc.
Integrity Level: MEDIUM
Description: Tailscale
Exit code: 0
Version: 1.78.1
Modules (images):
c:\users\admin\appdata\local\temp\{6d37ae34-7546-4bec-b3e3-979fb4630d00}\.cr\tailscale-setup-1.78.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 4384 | CMD: wsl.exe -l | Path: C:\Windows\System32\wsl.exe | Parent: tailscaled.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Windows Subsystem for Linux Launcher
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wsl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID 4472 | CMD: ipconfig /flushdns | Path: C:\Windows\System32\ipconfig.exe | Parent: tailscaled.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: IP Configuration Utility
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
PID 4592 | CMD: C:\WINDOWS\system32\netsh.exe advfirewall firewall delete rule name=Tailscale-In dir=in | Path: C:\Windows\System32\netsh.exe | Parent: tailscaled.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Network Command Shell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
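The command lines in this section are what a detection engineer takes from the report: a SYSTEM service (tailscaled.exe) spawning netsh.exe to delete a firewall rule, ipconfig.exe to flush and re-register DNS, wsl.exe to enumerate distributions, and DrvInst.exe installing wintun.inf. The identical sequence from an unknown parent would deserve an alert, so a useful rule matches the command and then judges the parent rather than firing on the command alone. The Python below is an added example for this page, not ANY.RUN's signature logic and not Tailscale code. Its event list is constructed from the process table above, plus one clearly marked synthetic event (a netsh call whose parent is an unsigned binary in a Temp directory, not from the report) to show the allowlist rejecting it. The allowlist itself (parent path under C:\Program Files\Tailscale\ and firewall rule names prefixed Tailscale-), the set of known driver INF names, and the reading of netsh exit code 1 as "no rule matched" are assumptions of the example; in production the parent check should be backed by the parent binary's Authenticode signer, not its path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str
    user: str
    exit_code: Optional[int] = None


# Events transcribed from the process table in this report.
REPORT_EVENTS = [
    ProcEvent(4592, r"C:\Windows\System32\netsh.exe",
              r"C:\WINDOWS\system32\netsh.exe advfirewall firewall delete rule name=Tailscale-In dir=in",
              r"C:\Program Files\Tailscale\tailscaled.exe", "SYSTEM", 1),
    ProcEvent(4472, r"C:\Windows\System32\ipconfig.exe", "ipconfig /flushdns",
              r"C:\Program Files\Tailscale\tailscaled.exe", "SYSTEM", 0),
    ProcEvent(1752, r"C:\Windows\System32\ipconfig.exe", "ipconfig /registerdns",
              r"C:\Program Files\Tailscale\tailscaled.exe", "SYSTEM", 0),
    ProcEvent(4384, r"C:\Windows\System32\wsl.exe", "wsl.exe -l",
              r"C:\Program Files\Tailscale\tailscaled.exe", "admin", 1),
    ProcEvent(2756, r"C:\Windows\System32\drvinst.exe",
              r'DrvInst.exe "4" "9" "C:\WINDOWS\Temp\fa8f78122ff0b4e5f9dafcf1c2a593c12f1300b7205edb2a33560a7bc1443526\wintun.inf" "9"',
              r"C:\Windows\System32\svchost.exe", "SYSTEM", 0),
]

# Synthetic negative case, NOT from the report: the same netsh verb from a Temp-path parent.
SYNTHETIC_EVENTS = [
    ProcEvent(9999, r"C:\Windows\System32\netsh.exe",
              r"netsh advfirewall firewall add rule name=Updater dir=in action=allow program=C:\Users\admin\AppData\Local\Temp\updater.exe",
              r"C:\Users\admin\AppData\Local\Temp\updater.exe", "admin", 0),
]

# Command-line patterns; the first matching rule wins.
RULES = [
    ("firewall_rule_change", re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+(add|delete|set)\s+rule\b", re.I)),
    ("dns_cache_manipulation", re.compile(r"\bipconfig(?:\.exe)?\s+/(flushdns|registerdns)\b", re.I)),
    ("driver_package_install", re.compile(r"\bdrvinst\.exe\b.*\.inf\b", re.I)),
    ("wsl_distro_enumeration", re.compile(r"\bwsl\.exe\s+-l\b", re.I)),
]

# Assumed allowlist: parent image -> required prefix of any firewall rule name it touches.
VENDOR_PARENTS = {r"c:\program files\tailscale\tailscaled.exe": "Tailscale-"}
# Assumed set of driver packages that are expected from this installer.
KNOWN_DRIVER_INFS = {"wintun.inf"}
RULE_NAME = re.compile(r"\bname=(\S+)", re.I)


def classify(ev: ProcEvent) -> Optional[dict]:
    """Return a finding for an event that matches a rule, with a verdict from the parent allowlist."""
    for rule_id, pattern in RULES:
        if not pattern.search(ev.cmdline):
            continue
        prefix = VENDOR_PARENTS.get(ev.parent_image.lower())
        note = ""
        if rule_id == "firewall_rule_change":
            match = RULE_NAME.search(ev.cmdline)
            name = match.group(1) if match else ""
            expected = prefix is not None and name.startswith(prefix)
            if ev.exit_code == 1:
                note = "no rule matched (netsh exit code 1): the delete was a no-op"
        elif rule_id == "driver_package_install":
            expected = any(inf in ev.cmdline.lower() for inf in KNOWN_DRIVER_INFS)
        else:
            expected = prefix is not None
        return {"pid": ev.pid, "rule": rule_id, "parent": ev.parent_image, "user": ev.user,
                "verdict": "expected" if expected else "review", "note": note}
    return None


def triage(events: List[ProcEvent]) -> List[dict]:
    return [finding for finding in (classify(e) for e in events) if finding]


if __name__ == "__main__":
    for f in triage(REPORT_EVENTS + SYNTHETIC_EVENTS):
        print(f"PID {f['pid']:>5} {f['rule']:<24} {f['verdict']:<8} parent={f['parent']} {f['note']}")
```

Every event from the report lands on "expected" and only the synthetic Temp-path parent is flagged for review; swapping the path allowlist for a signer check is the one change needed before using this shape in production.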
Total events: 22 437
Read events: 22 036
Write events: 360
Delete events: 41

Modification events (fields: PID Process | Key | Operation | Name, followed by the written value)

PID 6784 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Enter)
Value: 4800000000000000D7312C2E4B53DB01801A0000981A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6784 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | Operation: write | Name: LastIndex
Value: 11
PID 6828 VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | Operation: write | Name: IDENTIFY (Enter)
Value: 480000000000000066D2F62E4B53DB01AC1A0000C81A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6828 VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | Operation: write | Name: IDENTIFY (Enter)
Value: 480000000000000066D2F62E4B53DB01AC1A0000241B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6828 VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | Operation: write | Name: IDENTIFY (Enter)
Value: 480000000000000066D2F62E4B53DB01AC1A0000CC1A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6828 VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | Operation: write | Name: IDENTIFY (Leave)
Value: 48000000000000003961002F4B53DB01AC1A0000CC1A0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6736 tailscale-setup-1.78.1.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore | Operation: write | Name: SrCreateRp (Enter)
Value: 4000000000000000D7312C2E4B53DB01501A0000541A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6784 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppGetSnapshots (Leave)
Value: 4800000000000000F8E66E2E4B53DB01801A0000981A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6784 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Enter)
Value: 4800000000000000F8E66E2E4B53DB01801A0000981A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 6784 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP | Operation: write | Name: SppEnumGroups (Leave)
Value: 4800000000000000554A712E4B53DB01801A0000981A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 16
Suspicious files: 44
Text files: 11
Unknown types: 4

Dropped files (fields: PID Process | Filename | Type; "-" where the report shows no value)

PID 6784 dllhost.exe | C:\System Volume Information\SPP\metadata-2 | Type: -
MD5: - | SHA256: -
PID 3840 tailscale-setup-1.78.1.exe | C:\Users\admin\AppData\Local\Temp\{3508D912-5812-4F01-BCBA-2D21BF95129F}\MsiAMD64 | Type: -
MD5: - | SHA256: -
PID 6736 tailscale-setup-1.78.1.exe | C:\ProgramData\Package Cache\.unverified\MsiAMD64 | Type: -
MD5: - | SHA256: -
PID 6736 tailscale-setup-1.78.1.exe | C:\ProgramData\Package Cache\{8953D312-9D00-5A03-B1DA-1327670D15B7}v1.78.1\tailscale-setup-1.78.1-amd64.msi | Type: -
MD5: - | SHA256: -
PID 6204 msiexec.exe | C:\Windows\Installer\13d564.msi | Type: -
MD5: - | SHA256: -
PID 3840 tailscale-setup-1.78.1.exe | C:\Users\admin\AppData\Local\Temp\{3508D912-5812-4F01-BCBA-2D21BF95129F}\.ba\wixstdba.dll | Type: executable
MD5: 87C8A7EA44E8EE0D9358E25B7DCD397D | SHA256: B7DE0A0CA3A94738747ABD708E30BA1F9638A8C8B7D8173C76D4F39FAE3D9346
PID 6736 tailscale-setup-1.78.1.exe | C:\ProgramData\Package Cache\{03ab1d4f-777b-464c-bf99-55595cfe747d}\state.rsm | Type: binary
MD5: 73EDAB526261EBF36C801B2232204F0C | SHA256: 07C1D8D01FEA61586F244E0E2259D3595722ECDABE43F6B4ADB5C2290DFF4022
PID 3840 tailscale-setup-1.78.1.exe | C:\Users\admin\AppData\Local\Temp\{3508D912-5812-4F01-BCBA-2D21BF95129F}\.ba\BootstrapperApplicationData.xml | Type: xml
MD5: 743CF2EB609B13351101BF098A46C033 | SHA256: 61F5FF4E99E692346DD608170E811E3816092CC59AC4136AC88EB8B6E5932832
PID 3840 tailscale-setup-1.78.1.exe | C:\Users\admin\AppData\Local\Temp\{3508D912-5812-4F01-BCBA-2D21BF95129F}\.ba\thm.wxl | Type: xml
MD5: FC0DB4142556D3F38B0744A12F5F9D3D | SHA256: 8FBEB7F0B546D394D99B49D678D516402E8F54E5DEA590CC91733F502F288019
PID 3840 tailscale-setup-1.78.1.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F1841237B7F1CCB929D18253084BF6B3 | Type: binary
MD5: E3ABE5B243280FD99EFB281B3E6A8B16 | SHA256: 45A4D522F7A40A3DEE9E27A9EE069DBC7A167BF159F8C521D375D190E656A598
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 49
DNS requests: 22
Threats: 0

HTTP requests (fields: PID | Process | Method | HTTP code | IP | URL | CN | Reputation; "-" where the report shows no value)

- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3840 | tailscale-setup-1.78.1.exe | GET | 200 | 184.24.77.48:80 | http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgROop%2BGgB4bOZkft4N%2BOucCjQ%3D%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
3544 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3544 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6204 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | whitelisted
5208 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6204 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | whitelisted
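Every HTTP request in this table is revocation traffic: CRL downloads and OCSP lookups over port 80, which is why they are all whitelisted. The part that is actually informative is the URL path: an OCSP GET carries the base64-encoded DER OCSPRequest as its path (RFC 6960, Appendix A.1), so the serial number and issuer hashes of the certificate being checked are recoverable offline from the report alone. That lets an analyst tie each lookup to a chain, for instance the two msiexec.exe lookups to ocsp.digicert.com being consistent with Authenticode validation of the MSI it installs, and the installer's own lookup to e5.o.lencr.org being consistent with a TLS connection to a Let's Encrypt-issued host. The decoder below is an added example for this page, not ANY.RUN or Tailscale code; it is a minimal DER walker for this one structure, with the six URLs from the table transcribed as its sample input. Undecodable paths are reported rather than raised, since a malformed or non-OCSP path is a finding in itself.

```python
import base64
import urllib.parse
from typing import List

SHA1_OID = "1.3.14.3.2.26"

# OCSP GET URLs transcribed from the HTTP requests table of this report.
REPORT_OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D",
    "http://e5.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQeEcDJrP2kU%2B9LL2pzIRVgTVStuQQUmc0pw6FYJq96ekyEWo9ziGCw394CEgROop%2BGgB4bOZkft4N%2BOucCjQ%3D%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D",
]


def _tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER element at pos; definite-length encodings only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        yield tag, value


def _oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str) -> List[dict]:
    """Decode the CertID entries of an OCSP GET request carried in the URL path."""
    path = urllib.parse.urlsplit(url).path.lstrip("/")
    try:
        der = base64.b64decode(urllib.parse.unquote(path))
        tag, body, _ = _tlv(der)            # OCSPRequest ::= SEQUENCE { tbsRequest, optionalSignature }
        if tag != 0x30:
            raise ValueError("OCSPRequest is not a SEQUENCE")
        _, tbs, _ = _tlv(body)              # TBSRequest
        # [0] version and [1] requestorName are optional; requestList is the first plain SEQUENCE.
        request_list = next(v for t, v in _children(tbs) if t == 0x30)
        ids = []
        for _, request in _children(request_list):
            cert_id = next(v for t, v in _children(request) if t == 0x30)
            alg, name_hash, key_hash, serial = [v for _, v in _children(cert_id)][:4]
            ids.append({
                "hash_algorithm": _oid(next(v for t, v in _children(alg) if t == 0x06)),
                "issuer_name_hash": name_hash.hex(),
                "issuer_key_hash": key_hash.hex(),
                "serial_number": serial.hex().upper(),
            })
        return ids
    except (IndexError, StopIteration, ValueError) as exc:
        raise ValueError(f"not an OCSP GET path: {exc}") from exc


def decode_report_urls(urls: List[str] = REPORT_OCSP_URLS) -> List[dict]:
    """Decode every URL; a path that is not a valid OCSPRequest is recorded as an error, not raised."""
    results = []
    for url in urls:
        host = urllib.parse.urlsplit(url).hostname
        try:
            results.append({"responder": host, "cert_ids": parse_ocsp_get(url)})
        except ValueError as exc:
            results.append({"responder": host, "error": str(exc)})
    return results


if __name__ == "__main__":
    for entry in decode_report_urls():
        print(entry["responder"], entry.get("cert_ids") or entry.get("error"))
```

The issuer key hash identifies the issuing CA (compare it with the SHA-1 of the subjectPublicKey of a candidate intermediate), and the serial number is what you would look up against the vendor's published signing certificate when deciding whether the MSI that msiexec.exe verified is the one the vendor ships.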

Connections (fields: PID | Process | IP | Domain | ASN | CN | Reputation; "-" where the report shows no value)

4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3568 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.155
  • 104.126.37.160
  • 104.126.37.131
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.23
  • 20.190.159.73
  • 20.190.159.64
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.2
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
pkgs.tailscale.com
  • 199.38.181.239
unknown
e5.o.lencr.org
  • 184.24.77.48
  • 184.24.77.54
whitelisted

Threats

No threats detected
No debug info