File name: Wireshark-4.4.5-x64.exe

Full analysis: https://app.any.run/tasks/9400fe2e-0015-4304-b10d-998dab2eb474
Verdict: Malicious activity
Analysis date: March 18, 2025, 22:46:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: wireshark, tool, autorun-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 602BDAF1B0B20F59BACCD81767777981
SHA1: AC0063F772A126C2D8D46E2342B465281580311C
SHA256: 2DFDD1116D1F2C5A916A223B3E421F43FD15A6D2FDB7E2BE23CE280D2062E19F
SSDEEP: 1572864:Rq52kSiYQEh1SMnbtCjuDzt6W7TZTS5xl7pLzGc:Rq5bSizELhnbt8szz7TZuzlFv/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • VC_redist.x64.exe (PID: 7940)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7640)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 6944)
      • powershell.exe (PID: 7224)
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • Wireshark-4.4.5-x64.exe (PID: 7668)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • npcap-1.79.exe (PID: 6572)
    • There is functionality for taking screenshots (YARA)

      • Wireshark-4.4.5-x64.exe (PID: 7668)
    • Searches for installed software

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7224)
      • dllhost.exe (PID: 7984)
      • VC_redist.x64.exe (PID: 7336)
    • Executable content was dropped or overwritten

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • VC_redist.x64.exe (PID: 7224)
      • npcap-1.79.exe (PID: 6572)
      • VC_redist.x64.exe (PID: 7336)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)
    • Starts a Microsoft application from unusual location

      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
    • Process drops legitimate windows executable

      • vc_redist.x64.exe (PID: 7864)
      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7336)
    • Reads security settings of Internet Explorer

      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7224)
    • Starts itself from another location

      • vc_redist.x64.exe (PID: 7888)
    • Executes as Windows Service

      • VSSVC.exe (PID: 8028)
    • Creates a software uninstall entry

      • VC_redist.x64.exe (PID: 7940)
      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • npcap-1.79.exe (PID: 6572)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 1628)
    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 1628)
    • Application launched itself

      • VC_redist.x64.exe (PID: 4880)
      • VC_redist.x64.exe (PID: 7224)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1628)
    • Drops a system driver (possible attempt to evade defenses)

      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)
    • Starts POWERSHELL.EXE for command execution

      • npcap-1.79.exe (PID: 6572)
    • The process bypasses the loading of PowerShell profile settings

      • npcap-1.79.exe (PID: 6572)
    • The process hides an interactive prompt from the user

      • npcap-1.79.exe (PID: 6572)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7380)
      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 7640)
      • powershell.exe (PID: 6640)
    • Removes files via PowerShell

      • powershell.exe (PID: 7444)
      • powershell.exe (PID: 6640)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 780)
      • certutil.exe (PID: 6724)
      • certutil.exe (PID: 2664)
    • Creates files in the driver directory

      • drvinst.exe (PID: 8144)
    • Creates or modifies Windows services

      • npcap-1.79.exe (PID: 6572)
  • INFO

    • Checks supported languages

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 4880)
      • VC_redist.x64.exe (PID: 7224)
      • VC_redist.x64.exe (PID: 7336)
      • NPFInstall.exe (PID: 7344)
      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 1164)
      • NPFInstall.exe (PID: 5188)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)
    • WIRESHARK mutex has been found

      • Wireshark-4.4.5-x64.exe (PID: 7668)
    • Creates files in a temporary directory

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • VC_redist.x64.exe (PID: 7224)
      • npcap-1.79.exe (PID: 6572)
    • Reads the computer name

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7940)
      • VC_redist.x64.exe (PID: 7224)
      • VC_redist.x64.exe (PID: 7336)
      • npcap-1.79.exe (PID: 6572)
      • NPFInstall.exe (PID: 7344)
      • NPFInstall.exe (PID: 976)
      • drvinst.exe (PID: 8144)
    • Creates files in the program directory

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • VC_redist.x64.exe (PID: 7940)
      • NPFInstall.exe (PID: 7344)
      • npcap-1.79.exe (PID: 6572)
    • The sample was compiled with English language support

      • Wireshark-4.4.5-x64.exe (PID: 7668)
      • vc_redist.x64.exe (PID: 7864)
      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7940)
      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7224)
      • npcap-1.79.exe (PID: 6572)
      • VC_redist.x64.exe (PID: 7336)
    • Process checks computer location settings

      • vc_redist.x64.exe (PID: 7888)
      • VC_redist.x64.exe (PID: 7224)
    • Reads the software policy settings

      • msiexec.exe (PID: 1628)
      • pnputil.exe (PID: 5864)
      • drvinst.exe (PID: 8144)
      • slui.exe (PID: 6244)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1628)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1628)
      • VC_redist.x64.exe (PID: 7940)
      • drvinst.exe (PID: 8144)
    • Manages system restore points

      • SrTasks.exe (PID: 2236)
    • Autorun file from Registry key

      • VC_redist.x64.exe (PID: 7940)
    • Manual execution by a user

      • OpenWith.exe (PID: 5064)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5064)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1628)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1628)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 5164)
      • conhost.exe (PID: 7488)
      • conhost.exe (PID: 1568)
      • conhost.exe (PID: 6876)
      • conhost.exe (PID: 5728)
      • conhost.exe (PID: 4988)
      • conhost.exe (PID: 5796)
      • conhost.exe (PID: 3156)
      • conhost.exe (PID: 8020)
      • conhost.exe (PID: 2852)
      • conhost.exe (PID: 4272)
      • conhost.exe (PID: 7656)
      • powershell.exe (PID: 7224)
      • conhost.exe (PID: 7984)
      • conhost.exe (PID: 7952)
    • Reads security settings of Internet Explorer

      • pnputil.exe (PID: 5864)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7224)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.5.0
ProductVersionNumber: 4.4.5.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: It's a great product with a great story to tell. I'm pumped!
CompanyName: Wireshark development team
FileDescription: Wireshark installer for Windows on x64
FileVersion: 4.4.5.0
Language: English
LegalCopyright: © Gerald Combs and many others
LegalTrademarks: Wireshark and the 'fin' logo are registered trademarks of the Wireshark Foundation
ProductName: Wireshark
ProductVersion: 4.4.5.0
No data.
All screenshots are available in the full report
Total processes: 175
Monitored processes: 51
Malicious processes: 10
Suspicious processes: 3

Behavior graph

Processes in the graph, in the order recorded (start node first; "no specs" is the sandbox's own marker on a node):

  • start
  • wireshark-4.4.5-x64.exe
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)
  • slui.exe
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe
  • openwith.exe (no specs)
  • vc_redist.x64.exe (no specs)
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • npcap-1.79.exe
  • npfinstall.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • certutil.exe (no specs)
  • certutil.exe (no specs)
  • conhost.exe (no specs)
  • certutil.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • certutil.exe (no specs)
  • certutil.exe (no specs)
  • conhost.exe (no specs)
  • certutil.exe (no specs)
  • conhost.exe (no specs)
  • certutil.exe (no specs)
  • conhost.exe (no specs)
  • npfinstall.exe (no specs)
  • conhost.exe (no specs)
  • pnputil.exe (no specs)
  • conhost.exe (no specs)
  • npfinstall.exe (no specs)
  • conhost.exe (no specs)
  • npfinstall.exe
  • conhost.exe (no specs)
  • drvinst.exe
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • wireshark-4.4.5-x64.exe (no specs)

Process information

PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: NPFInstall.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 780
CMD: certutil.exe -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nsh569.tmp\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43.sst"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: npcap-1.79.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules / Images:
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 864
CMD: certutil.exe -verifystore "Root" "5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: npcap-1.79.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 2148073489
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules / Images:
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 976
CMD: "C:\Program Files\Npcap\NPFInstall.exe" -n -i
Path: C:\Program Files\Npcap\NPFInstall.exe
Parent process: npcap-1.79.exe
User: admin
Company: Insecure.Com LLC.
Integrity Level: HIGH
Description: A LWF & WFP driver installation tool
Exit code: 0
Version: 1.79
Modules / Images:
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1164
CMD: "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
Path: C:\Program Files\Npcap\NPFInstall.exe
Parent process: npcap-1.79.exe
User: admin
Company: Insecure.Com LLC.
Integrity Level: HIGH
Description: A LWF & WFP driver installation tool
Exit code: 0
Version: 1.79
Modules / Images:
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: certutil.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1628
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2236
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: dllhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2664
CMD: certutil.exe -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nsh569.tmp\5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25.sst"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: npcap-1.79.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: CertUtil.exe
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules / Images:
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 62 539
Read events: 61 446
Write events: 706
Delete events: 387

Modification events

Process: (7984) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000350FD1BF5798DB01301F0000481F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7984) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000C3D226C05798DB01301F0000481F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
Process: (7984) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000F19B2BC05798DB01301F0000481F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7940) VC_redist.x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4000000000000000350FD1BF5798DB01041F0000081F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7984) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000C51D22C05798DB01301F0000481F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (7984) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000C51D22C05798DB01301F0000481F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (8028) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:
Process: (8028) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value:
0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000
Process: (8028) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value:
Process: (8028) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: write
Name: Element
Value:
\EFI\Microsoft\Boot\bootmgfw.efi
Executable files: 202
Suspicious files: 122
Text files: 548
Unknown types: 0

Dropped files

PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Program Files\Wireshark\libwireshark.dll
MD5:
SHA256:
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\InstallOptions.dll | Type: executable
MD5:D095B082B7C5BA4665D40D9C5042AF6D
SHA256:B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\nsDialogs.dll | Type: executable
MD5:1D8F01A83DDD259BC339902C1D33C8F1
SHA256:4B7D17DA290F41EBE244827CC295CE7E580DA2F7E9F7CC3EFC1ABC6898E3C9ED
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\DonatePage.ini | Type: text
MD5:A0580CB2D6831AB488353AB56658E59D
SHA256:B23B78B14231A2B48506BAB2AB82EE9477BA280A1BC31E2370640E644F5D35FF
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\USBPcapPage.ini | Type: text
MD5:4C6AEB296901325B87C5A1F71D6F4A2B
SHA256:D23EDA000D48F52278FA0160D673B9D05C355F7A8030A940F8985B5D07B34B6C
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\NpcapPage.ini | Type: text
MD5:96909F6D41A24839661D126CB8F1949F
SHA256:6E726FFB528C6135E2405AC37626A7537EF1AE0A354CBFB55DE0E6E5DBC325EF
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsb11A3.tmp\System.dll | Type: executable
MD5:4ADD245D4BA34B04F213409BFE504C07
SHA256:9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Program Files\Wireshark\uninstall-wireshark.exe | Type: executable
MD5:992C4309547549FF9F3B6E19C05C7D51
SHA256:46E5B42F5A627343E03DB0E3A409A8BB071CAB6EDD4966CD256A5A1554981DF8
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Program Files\Wireshark\libwiretap.dll | Type: executable
MD5:AFEAF61F6CEFA39F5A4113BC2A2E0245
SHA256:585CB7D0E27F8098B67EB8DFC581CECC6F499089DC4D2AC4F0FD56CCFA0F80B6
PID: 7668 | Process: Wireshark-4.4.5-x64.exe | Filename: C:\Program Files\Wireshark\glib-2.0-0.dll | Type: executable
MD5:135BCA15D205B832F0C9DFD6B1BC5B90
SHA256:F1437014610F61DF3BEF72BB4DC6A9BE83894A3B1D742EAED998D031F6C2F524
HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1628 | msiexec.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1628 | msiexec.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
- | - | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6456 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1628 | msiexec.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1628 | msiexec.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6244 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
  • 23.53.40.176
  • 23.53.40.178
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
Process | Message
msiexec.exe | Failed to release Service