File name: WiresharkPortable64_4.4.5.paf.exe

Full analysis: https://app.any.run/tasks/66a56d92-c38a-4223-98a2-ae1ddf75633f
Verdict: Malicious activity
Analysis date: March 15, 2025, 20:34:20
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: A5CF4AB9E84A1640DD9410DC4209170F
SHA1: 4170D03763860D812C087A117DE87AE90AC945AB
SHA256: 9DDF1720D31707DAA4F57FA61F43861602BD0F11F1298DCF56EA3CFC96F07A31
SSDEEP: 393216:THQDGuIcI6ZPuyo8nXQBwcWgiyAvTB0hYU3uFu2Orv2R7hR6xQtr0uJqQd:bcVK6kP86xeN0hYUD2SvIlcxQx0uJqg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • The process creates files with names similar to system file names
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • The process drops C-runtime libraries
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • There is functionality for taking screenshots (YARA)
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • Process drops a legitimate Windows executable
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
  • INFO
    • Checks supported languages
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • Reads the computer name
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • The sample was compiled with English language support
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • Checks proxy server information
      • slui.exe (PID: 7736)
    • Creates files in a temporary directory
      • WiresharkPortable64_4.4.5.paf.exe (PID: 7456)
    • Reads the software policy settings
      • slui.exe (PID: 7736)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 22:04:50+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 428544
UninitializedDataSize: 16384
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.4.5.0
ProductVersionNumber: 4.4.5.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: For additional details, visit PortableApps.com
CompanyName: PortableApps.com
FileDescription: Wireshark Portable (64-bit)
FileVersion: 4.4.5.0
InternalName: Wireshark Portable (64-bit)
LegalCopyright: 2007-2022 PortableApps.com, PortableApps.com Installer 3.7.6.0
LegalTrademarks: Wireshark and the fin logo are registered trademarks of the Wireshark Foundation. PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFileName: WiresharkPortable64_4.4.5.paf.exe
PortableAppscomAppID: WiresharkPortable64
PortableAppscomFormatVersion: 3.7.6
PortableAppscomInstallerVersion: 3.7.6.0
ProductName: Wireshark Portable (64-bit)
ProductVersion: 4.4.5.0
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, wiresharkportable64_4.4.5.paf.exe, slui.exe

Process information

PID: 7456
CMD: "C:\Users\admin\Desktop\WiresharkPortable64_4.4.5.paf.exe"
Path: C:\Users\admin\Desktop\WiresharkPortable64_4.4.5.paf.exe
Parent process: explorer.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: Wireshark Portable (64-bit)
Version: 4.4.5.0
Modules (images):
  c:\users\admin\desktop\wiresharkportable64_4.4.5.paf.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 7736
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 3 483
Read events: 3 483
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 135
Suspicious files: 45
Text files: 1 174
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\AppData\Local\Temp\nsqEB9C.tmp\modern-wizard.bmp | image
  MD5: 4DF53EFCAA2C52F39618B2AAD77BB552
  SHA256: EE13539F3D66CC0592942EA1A4C35D8FD9AF67B1A7F272D0D791931E6E9CE4EB
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\AppData\Local\Temp\nsqEB9C.tmp\System.dll | executable
  MD5: CFF85C549D536F651D4FB8387F1976F2
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\AppData\Local\Temp\nsqEB9C.tmp\w7tbp.dll | executable
  MD5: 9A3031CC4CEF0DBA236A28EECDF0AFB5
  SHA256: 53BB519E3293164947AC7CBD7E612F637D77A7B863E3534BA1A7E39B350D3C00
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\Desktop\WiresharkPortable64\App\AppInfo\appicon.ico | image
  MD5: A908F92B45F18825C62D89F72E7479DD
  SHA256: B82F7D64E872A939339FCAD5E1F65B189415A16B20CA49C392A3510D376F409C
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\Desktop\WiresharkPortable64\App\AppInfo\appicon_32.png | image
  MD5: F52B2175FE0CD0F77367EDF0ACD7793D
  SHA256: 1E14D3BCDEEAC1BF9FD3699AA3385D30AFF82DEEC2FBB77F592439D3D2C5AF1F
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\Desktop\WiresharkPortable64\App\AppInfo\Launcher\WiresharkPortable64.ini | text
  MD5: 205C7A933E1AE0C468EB07992842D02D
  SHA256: 31E648F31B2FCDF0D93A7168520E6DE903E337445D4CC3DCEA373E68717418A2
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\AppData\Local\Temp\nsqEB9C.tmp\LangDLL.dll | executable
  MD5: 68B287F4067BA013E34A1339AFDB1EA8
  SHA256: 18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\Desktop\WiresharkPortable64\help.html | html
  MD5: D94742A4BB1DDCC4B06AE4C3AB60DDE5
  SHA256: 4269517FDDC0C87D5602BE323485A2F73CBD3C9C0478DC644E310A1903431A71
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\AppData\Local\Temp\nsqEB9C.tmp\modern-header.bmp | image
  MD5: EF7002C05FA20587367AFC21B45E79D3
  SHA256: 37A4EE6B0C147DBC5E0BE0CCE1DFE24E9A02F87D4955975BFD7A7045A2F47CBE
7456 | WiresharkPortable64_4.4.5.paf.exe | C:\Users\admin\Desktop\WiresharkPortable64\WiresharkPortable64.exe | executable
  MD5: ABC58DD0FCB73F8BEA21A8EE2E008B68
  SHA256: 6518D4406FAD6C0C6F0F4260D115A6E2F3EDD1C9388E1B8A26C549BFBE78DEF7
HTTP(S) requests: 2
TCP/UDP connections: 19
DNS requests: 5
Threats: 0

HTTP requests

Two requests with identical fields (the PID and Process columns are empty in the report):

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1244 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7268 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7736 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

(Rows shown with "-" in the PID and Process columns have those cells empty in the report.)

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 142.250.185.174 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info