File name:

Wireshark-4.4.1-x64.exe

Full analysis: https://app.any.run/tasks/753dc38f-a192-4b6e-ae34-2addf013a76b
Verdict: Malicious activity
Analysis date: October 13, 2024, 07:46:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

01031C48A2D1417A33999B121EA77CAF

SHA1:

2EC7A04154538D63DAD26E9E527AD55FA50CCF01

SHA256:

456AEC8658BAEE56FF4ADD4BCFD95ED532219536B568B5E45106A0120921E58D

SSDEEP:

786432:pqfhgWiAzOlTCz/qWLP4Z/5LvuCxa0g2caIAedF/KL:0CWiAzyTC7qWT4F5LvuAjgGI7F/KL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6088)
      • powershell.exe (PID: 5852)
      • powershell.exe (PID: 3952)
      • powershell.exe (PID: 6196)
      • powershell.exe (PID: 6972)
      • powershell.exe (PID: 5048)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Wireshark-4.4.1-x64.exe (PID: 6996)
      • vc_redist.x64.exe (PID: 7160)
      • vc_redist.x64.exe (PID: 6956)
      • VC_redist.x64.exe (PID: 3772)
      • VC_redist.x64.exe (PID: 6892)
      • VC_redist.x64.exe (PID: 5160)
      • npcap-1.79.exe (PID: 2056)
      • NPFInstall.exe (PID: 6604)
      • drvinst.exe (PID: 6828)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Wireshark-4.4.1-x64.exe (PID: 6996)
      • npcap-1.79.exe (PID: 2056)
    • Searches for installed software

      • Wireshark-4.4.1-x64.exe (PID: 6996)
      • vc_redist.x64.exe (PID: 6956)
      • dllhost.exe (PID: 3944)
    • The process creates files with name similar to system file names

      • Wireshark-4.4.1-x64.exe (PID: 6996)
    • Starts a Microsoft application from unusual location

      • vc_redist.x64.exe (PID: 6956)
      • VC_redist.x64.exe (PID: 3772)
    • Process drops legitimate windows executable

      • vc_redist.x64.exe (PID: 6956)
      • msiexec.exe (PID: 5588)
      • VC_redist.x64.exe (PID: 3772)
      • VC_redist.x64.exe (PID: 5160)
      • vc_redist.x64.exe (PID: 7160)
      • Wireshark-4.4.1-x64.exe (PID: 6996)
    • Reads security settings of Internet Explorer

      • vc_redist.x64.exe (PID: 6956)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1784)
    • Starts itself from another location

      • vc_redist.x64.exe (PID: 6956)
    • Application launched itself

      • VC_redist.x64.exe (PID: 7000)
      • VC_redist.x64.exe (PID: 6892)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5588)
    • Drops a system driver (possible attempt to evade defenses)

      • npcap-1.79.exe (PID: 2056)
      • NPFInstall.exe (PID: 6604)
      • drvinst.exe (PID: 6828)
    • The process bypasses the loading of PowerShell profile settings

      • npcap-1.79.exe (PID: 2056)
    • The process hides an interactive prompt from the user

      • npcap-1.79.exe (PID: 2056)
    • Starts POWERSHELL.EXE for commands execution

      • npcap-1.79.exe (PID: 2056)
  • INFO

    • Checks supported languages

      • Wireshark-4.4.1-x64.exe (PID: 6996)
      • vc_redist.x64.exe (PID: 7160)
      • vc_redist.x64.exe (PID: 6956)
      • VC_redist.x64.exe (PID: 3772)
    • Create files in a temporary directory

      • Wireshark-4.4.1-x64.exe (PID: 6996)
      • vc_redist.x64.exe (PID: 6956)
    • Creates files in the program directory

      • Wireshark-4.4.1-x64.exe (PID: 6996)
    • Reads the computer name

      • vc_redist.x64.exe (PID: 7160)
      • Wireshark-4.4.1-x64.exe (PID: 6996)
      • vc_redist.x64.exe (PID: 6956)
      • VC_redist.x64.exe (PID: 3772)
    • The process uses the downloaded file

      • vc_redist.x64.exe (PID: 6956)
    • Process checks computer location settings

      • vc_redist.x64.exe (PID: 6956)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5588)
    • Manages system restore points

      • SrTasks.exe (PID: 5932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:09:43+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3645
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.1.0
ProductVersionNumber: 4.4.1.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: It's a great product with a great story to tell. I'm pumped!
CompanyName: Wireshark development team
FileDescription: Wireshark installer for Windows on x64
FileVersion: 4.4.1.0
Language: English
LegalCopyright: © Gerald Combs and many others
LegalTrademarks: Wireshark and the 'fin' logo are registered trademarks of the Wireshark Foundation
ProductName: Wireshark
ProductVersion: 4.4.1.0
No data.
All screenshots are available in the full report
Total processes
167
Monitored processes
49
Malicious processes
5
Suspicious processes
3

Behavior graph

start wireshark-4.4.1-x64.exe vc_redist.x64.exe vc_redist.x64.exe vc_redist.x64.exe SPPSurrogate no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe vc_redist.x64.exe no specs vc_redist.x64.exe vc_redist.x64.exe npcap-1.79.exe npfinstall.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs pnputil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs npfinstall.exe conhost.exe no specs drvinst.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wireshark-4.4.1-x64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 204
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 632
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: pnputil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 700
CMD: "C:\Program Files\Npcap\NPFInstall.exe" -n -c
Path: C:\Program Files\Npcap\NPFInstall.exe
Parent process: npcap-1.79.exe
User:
admin
Company:
Insecure.Com LLC.
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.79
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 712
CMD: certutil.exe -verifystore "Root" "0563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: npcap-1.79.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
2148073489
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1396
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1784
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2056
CMD: "C:\Program Files\Wireshark\npcap-1.79.exe" /winpcap_mode=no /loopback_support=no
Path: C:\Program Files\Wireshark\npcap-1.79.exe
Parent process: Wireshark-4.4.1-x64.exe
User:
admin
Integrity Level:
HIGH
Description:
Npcap 1.79 installer
Version:
1.79
Modules
Images
c:\program files\wireshark\npcap-1.79.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2808
CMD: "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
Path: C:\Program Files\Npcap\NPFInstall.exe
Parent process: npcap-1.79.exe
User:
admin
Company:
Insecure.Com LLC.
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.79
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3008
CMD: "C:\Users\admin\AppData\Local\Temp\nsv398F.tmp\NPFInstall.exe" -n -check_dll
Path: C:\Users\admin\AppData\Local\Temp\nsv398F.tmp\NPFInstall.exe
Parent process: npcap-1.79.exe
User:
admin
Company:
Insecure.Com LLC.
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.79
Modules
Images
c:\users\admin\appdata\local\temp\nsv398f.tmp\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: NPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
58 457
Read events
57 373
Write events
697
Delete events
387

Modification events

(PID) Process: (3772) VC_redist.x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4000000000000000774D3731441DDB01BC0E00009C0E0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000774D3731441DDB01680F0000700B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000010469431441DDB01680F0000700B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000010469431441DDB01680F0000700B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000009CA99631441DDB01680F0000700B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000390D9931441DDB01680F0000700B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000BA881E32441DDB01680F0000700B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3944) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000049EC2032441DDB01680F0000E4120000E8030000010000000000000000000000CBE8768786436D429F7BE4C8D82A73C800000000000000000000000000000000
(PID) Process: (1784) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000537D2A32441DDB01F806000058190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
148
Suspicious files
69
Text files
402
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\libwireshark.dll
MD5:
SHA256:
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj1DBF.tmp\DonatePage.ini
Type: text
MD5:A0580CB2D6831AB488353AB56658E59D
SHA256:B23B78B14231A2B48506BAB2AB82EE9477BA280A1BC31E2370640E644F5D35FF
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\gmodule-2.0-0.dll
Type: executable
MD5:E62F2835B4BE70A9DCA46714D6421F43
SHA256:77FB20A4C86C27F7488644A3F7A0A1C40805463FE97EF405C80180786122E4E6
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\iconv-2.dll
Type: executable
MD5:9D5EE52BF59E84B8778B571524FC3074
SHA256:80CB7CA7B14776FEF5593B1AC91CA971EF0CA5E4EC8DA9E833D298BEEB9D6C51
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsj1DBF.tmp\NpcapPage.ini
Type: text
MD5:96909F6D41A24839661D126CB8F1949F
SHA256:6E726FFB528C6135E2405AC37626A7537EF1AE0A354CBFB55DE0E6E5DBC325EF
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\gthread-2.0-0.dll
Type: executable
MD5:24CA4FBDC565930ECD979E743F5515E9
SHA256:1080722177972014C9DC1114269C06EC5459194602CCA5B042A7B2DF6C380F2F
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\charset-1.dll
Type: executable
MD5:5193C4DD36157A59295EB1CECF4312D8
SHA256:8E1CBBD370B4B358726426C0FDE4E5DE08F9D4FA6D1B51D5AA3CB0E241AD6A5F
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\libwsutil.dll
Type: executable
MD5:1FB0239E47701441E075A0B282C162C5
SHA256:5504961E8C945CAE97CCB982EE56C19B3140D054FE012673C00A6ADF6AE45FF8
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\cares.dll
Type: executable
MD5:F64B9F2E7297E1622234F96677088279
SHA256:053F2B9BDCD9AFF9A6483857DBD711AEA8AA2EB0770265F2352646919D34E118
PID: 6996
Process: Wireshark-4.4.1-x64.exe
Filename: C:\Program Files\Wireshark\libwiretap.dll
Type: executable
MD5:7AB890CD09D1F048045FCA9E127C0D71
SHA256:10D07D4769856F774AB7F59DD96D26B8E356D3D047311AB63D908A8F5BD1D906
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
23
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5588
msiexec.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5588
msiexec.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5488
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.213
whitelisted

Threats

No threats detected
Process
Message
msiexec.exe
Failed to release Service