File name:

Wireshark-4.4.5-x64.exe

Full analysis: https://app.any.run/tasks/9400fe2e-0015-4304-b10d-998dab2eb474
Verdict: Malicious activity
Analysis date: March 18, 2025, 22:46:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
wireshark
tool
autorun-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

602BDAF1B0B20F59BACCD81767777981

SHA1:

AC0063F772A126C2D8D46E2342B465281580311C

SHA256:

2DFDD1116D1F2C5A916A223B3E421F43FD15A6D2FDB7E2BE23CE280D2062E19F

SSDEEP:

1572864:Rq52kSiYQEh1SMnbtCjuDzt6W7TZTS5xl7pLzGc:Rq5bSizELhnbt8szz7TZuzlFv/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • VC_redist.x64.exe (PID: 7940)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7640)
      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 6944)
      • powershell.exe (PID: 7224)

  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • npcap-1.79.exe (PID: 6572)

    • The process creates files with name similar to system file names

      • Wireshark-4.4.5-x64.exe (PID: 7668)

    • There is functionality for taking screenshot (YARA)

      • Wireshark-4.4.5-x64.exe (PID: 7668)

    • Searches for installed software

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7224)
      • VC_redist.x64.exe (PID: 7336)
      • dllhost.exe (PID: 7984)

    • Executable content was dropped or overwritten

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • VC_redist.x64.exe (PID: 7224)
      • VC_redist.x64.exe (PID: 7336)
      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)

    • Process drops legitimate windows executable

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7336)

    • Starts a Microsoft application from unusual location

      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)

    • Reads security settings of Internet Explorer

      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7224)

    • Executes as Windows Service

      • VSSVC.exe (PID: 8028)

    • Starts itself from another location

      • vc_redist.x64.exe (PID: 7888)

    • Creates a software uninstall entry

      • VC_redist.x64.exe (PID: 7940)
      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • npcap-1.79.exe (PID: 6572)

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 1628)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1628)

    • Application launched itself

      • VC_redist.x64.exe (PID: 4880)
      • VC_redist.x64.exe (PID: 7224)

    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 1628)

    • Starts POWERSHELL.EXE for commands execution

      • npcap-1.79.exe (PID: 6572)

    • The process bypasses the loading of PowerShell profile settings

      • npcap-1.79.exe (PID: 6572)

    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7640)
      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 6640)

    • The process hide an interactive prompt from the user

      • npcap-1.79.exe (PID: 6572)

    • Removes files via Powershell

      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 6640)

    • Adds/modifies Windows certificates

      • certutil.exe (PID: 780)
      • certutil.exe (PID: 6724)
      • certutil.exe (PID: 2664)

    • Drops a system driver (possible attempt to evade defenses)

      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)

    • Creates files in the driver directory

      • drvinst.exe (PID: 8144)

    • Creates or modifies Windows services

      • npcap-1.79.exe (PID: 6572)

  • INFO

    • Checks supported languages

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 4880)
      • VC_redist.x64.exe (PID: 7224)
      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 7344)
      • VC_redist.x64.exe (PID: 7336)
      • NPFInstall.exe (PID: 5188)
      • NPFInstall.exe (PID: 1164)
      • drvinst.exe (PID: 8144)
      • NPFInstall.exe (PID: 976)

    • Create files in a temporary directory

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • VC_redist.x64.exe (PID: 7224)
      • npcap-1.79.exe (PID: 6572)

    • Creates files in the program directory

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • VC_redist.x64.exe (PID: 7940)
      • NPFInstall.exe (PID: 7344)
      • npcap-1.79.exe (PID: 6572)

    • Reads the computer name

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7224)
      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 7344)
      • VC_redist.x64.exe (PID: 7336)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)

    • WIRESHARK mutex has been found

      • Wireshark-4.4.5-x64.exe (PID: 7668)

    • The sample compiled with english language support

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7940)
      • VC_redist.x64.exe (PID: 7224)
      • VC_redist.x64.exe (PID: 7336)
      • npcap-1.79.exe (PID: 6572)

    • Process checks computer location settings

      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7224)

    • Manual execution by a user

      • OpenWith.exe (PID: 5064)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1628)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7940)
      • drvinst.exe (PID: 8144)

    • Reads the software policy settings

      • msiexec.exe (PID: 1628)
      • pnputil.exe (PID: 5864)
      • drvinst.exe (PID: 8144)
      • slui.exe (PID: 6244)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5064)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1628)

    • Manages system restore points

      • SrTasks.exe (PID: 2236)

    • Autorun file from Registry key

      • VC_redist.x64.exe (PID: 7940)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 1628)

    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 5164)
      • conhost.exe (PID: 7488)
      • conhost.exe (PID: 1568)
      • conhost.exe (PID: 7656)
      • conhost.exe (PID: 2852)
      • conhost.exe (PID: 3156)
      • conhost.exe (PID: 4272)
      • conhost.exe (PID: 5796)
      • conhost.exe (PID: 8020)
      • conhost.exe (PID: 4988)
      • conhost.exe (PID: 6876)
      • conhost.exe (PID: 5728)
      • conhost.exe (PID: 7984)
      • powershell.exe (PID: 7224)
      • conhost.exe (PID: 7952)

    • Reads security settings of Internet Explorer

      • pnputil.exe (PID: 5864)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.5.0
ProductVersionNumber: 4.4.5.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: It's a great product with a great story to tell. I'm pumped!
CompanyName: Wireshark development team
FileDescription: Wireshark installer for Windows on x64
FileVersion: 4.4.5.0
Language: English
LegalCopyright: © Gerald Combs and many others
LegalTrademarks: Wireshark and the 'fin' logo are registered trademarks of the Wireshark Foundation
ProductName: Wireshark
ProductVersion: 4.4.5.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
51
Malicious processes
10
Suspicious processes
3

Behavior graph

Click at the process to see the details
start wireshark-4.4.5-x64.exe vc_redist.x64.exe vc_redist.x64.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs slui.exe srtasks.exe no specs conhost.exe no specs msiexec.exe openwith.exe no specs vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe npcap-1.79.exe npfinstall.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs pnputil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs npfinstall.exe conhost.exe no specs drvinst.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wireshark-4.4.5-x64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
664\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeNPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
780certutil.exe -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nsh569.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"C:\Windows\SysWOW64\certutil.exenpcap-1.79.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
864certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"C:\Windows\SysWOW64\certutil.exenpcap-1.79.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
2148073489
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
976"C:\Program Files\Npcap\NPFInstall.exe" -n -iC:\Program Files\Npcap\NPFInstall.exe
npcap-1.79.exe
User:
admin
Company:
Insecure.Com LLC.
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.79
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1164"C:\Program Files\Npcap\NPFInstall.exe" -n -iwC:\Program Files\Npcap\NPFInstall.exenpcap-1.79.exe
User:
admin
Company:
Insecure.Com LLC.
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.79
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1568\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execertutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1628C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2236C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2664certutil.exe -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nsh569.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"C:\Windows\SysWOW64\certutil.exenpcap-1.79.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
2852\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
62 539
Read events
61 446
Write events
706
Delete events
387

Modification events

(PID) Process:(7984) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000350FD1BF5798DB01301F0000481F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7984) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
4800000000000000C3D226C05798DB01301F0000481F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7984) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000F19B2BC05798DB01301F0000481F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7940) VC_redist.x64.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000350FD1BF5798DB01041F0000081F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7984) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000C51D22C05798DB01301F0000481F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(7984) dllhost.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000C51D22C05798DB01301F0000481F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(8028) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
(PID) Process:(8028) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:writeName:Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
(PID) Process:(8028) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:delete keyName:(default)
Value:
(PID) Process:(8028) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:writeName:Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi
Executable files
202
Suspicious files
122
Text files
548
Unknown types
0

Dropped files

PID
Process
Filename
Type
7668Wireshark-4.4.5-x64.exeC:\Program Files\Wireshark\libwireshark.dll
MD5:
SHA256:
7668Wireshark-4.4.5-x64.exeC:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\DonatePage.initext
MD5:A0580CB2D6831AB488353AB56658E59D
SHA256:B23B78B14231A2B48506BAB2AB82EE9477BA280A1BC31E2370640E644F5D35FF
7668Wireshark-4.4.5-x64.exeC:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\modern-wizard.bmpimage
MD5:CBE40FD2B1EC96DAEDC65DA172D90022
SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
7668Wireshark-4.4.5-x64.exeC:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\nsDialogs.dllexecutable
MD5:1D8F01A83DDD259BC339902C1D33C8F1
SHA256:4B7D17DA290F41EBE244827CC295CE7E580DA2F7E9F7CC3EFC1ABC6898E3C9ED
7668Wireshark-4.4.5-x64.exeC:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\NpcapPage.initext
MD5:96909F6D41A24839661D126CB8F1949F
SHA256:6E726FFB528C6135E2405AC37626A7537EF1AE0A354CBFB55DE0E6E5DBC325EF
7668Wireshark-4.4.5-x64.exeC:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\USBPcapPage.initext
MD5:4C6AEB296901325B87C5A1F71D6F4A2B
SHA256:D23EDA000D48F52278FA0160D673B9D05C355F7A8030A940F8985B5D07B34B6C
7668Wireshark-4.4.5-x64.exeC:\Program Files\Wireshark\uninstall-wireshark.exeexecutable
MD5:992C4309547549FF9F3B6E19C05C7D51
SHA256:46E5B42F5A627343E03DB0E3A409A8BB071CAB6EDD4966CD256A5A1554981DF8
7668Wireshark-4.4.5-x64.exeC:\Program Files\Wireshark\intl-8.dllexecutable
MD5:92B3E7545014716B3F650ECC7EC68DDF
SHA256:EABC2067D875FE863102788D06E950B4B91FACA8396C59AF67C94F029BE898F1
7668Wireshark-4.4.5-x64.exeC:\Program Files\Wireshark\libwsutil.dllexecutable
MD5:B337D684A31045F123944F02E8C3B336
SHA256:A4537243411817CB3237DFC59FD2946089012211E73146EF54A0FDAED226D660
7668Wireshark-4.4.5-x64.exeC:\Program Files\Wireshark\charset-1.dllexecutable
MD5:2A9A6634DF8B9C07291764448B1A8D72
SHA256:CE12137E81F9A9FBB439AC1C224158D9E01BC99D784B1BCDBF809A75E48CC78F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1628
msiexec.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1628
msiexec.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
192.168.100.255:138
whitelisted
2104
svchost.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6456
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1628
msiexec.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1628
msiexec.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6244
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 23.53.40.176
  • 23.53.40.178
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
Process
Message
msiexec.exe
Failed to release Service
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Wireshark-4.4.5-x64.exe