File name: npcap-1.82.exe

Full analysis: https://app.any.run/tasks/8941e221-0421-438b-9dac-b96139f46ff8
Verdict: Malicious activity
Analysis date: May 14, 2025, 23:17:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: BFFB330A7E60C1F6B73DC10A8E7B9C34
SHA1: AB87F720019E63A4C04628C79112FBCDA6D485D9
SHA256: DD6A26F07E90FE8308F06B09AF0EAFA188F4FF0A1A184E5ADFA35E37467C705D
SSDEEP: 49152:oTc2+n7LNsFtpZps7BLeILgob7lyKCyuphXM8IOpaxEsn5UZrT5jJWn29PYwdq5P:oTc2+l7BLfgW4fp5rnsyB5jJWn29u5cM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7972)
      • powershell.exe (PID: 7420)
      • powershell.exe (PID: 7400)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • npcap-1.82.exe (PID: 7188)
    • The process creates files with name similar to system file names

      • npcap-1.82.exe (PID: 7188)
    • Executable content was dropped or overwritten

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7248)
      • drvinst.exe (PID: 7152)
    • Drops a system driver (possible attempt to evade defenses)

      • npcap-1.82.exe (PID: 7188)
      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 7248)
    • Creates a software uninstall entry

      • npcap-1.82.exe (PID: 7188)
    • The process hides an interactive prompt from the user

      • npcap-1.82.exe (PID: 7188)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7972)
    • Starts POWERSHELL.EXE for command execution

      • npcap-1.82.exe (PID: 7188)
    • The process bypasses the loading of PowerShell profile settings

      • npcap-1.82.exe (PID: 7188)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 4652)
      • certutil.exe (PID: 5380)
      • certutil.exe (PID: 680)
    • Removes files via PowerShell

      • powershell.exe (PID: 7972)
    • Creates files in the driver directory

      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 7248)
    • Creates or modifies Windows services

      • npcap-1.82.exe (PID: 7188)
  • INFO

    • Checks supported languages

      • npcap-1.82.exe (PID: 7188)
      • SearchApp.exe (PID: 2924)
      • NPFInstall.exe (PID: 7680)
      • NPFInstall.exe (PID: 1164)
      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 1168)
      • NPFInstall.exe (PID: 7248)
    • Creates files in the program directory

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7680)
    • The sample was compiled with English language support

      • npcap-1.82.exe (PID: 7188)
    • Reads the computer name

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7680)
      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 7248)
    • Creates files in a temporary directory

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7248)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 7756)
      • conhost.exe (PID: 7980)
      • conhost.exe (PID: 8152)
      • conhost.exe (PID: 5216)
      • conhost.exe (PID: 5556)
      • conhost.exe (PID: 5008)
      • conhost.exe (PID: 1184)
      • conhost.exe (PID: 5772)
      • conhost.exe (PID: 7588)
      • conhost.exe (PID: 4620)
      • conhost.exe (PID: 7240)
      • powershell.exe (PID: 7420)
      • conhost.exe (PID: 7500)
    • Reads the software policy settings

      • pnputil.exe (PID: 5800)
      • drvinst.exe (PID: 7152)
      • SearchApp.exe (PID: 2924)
    • Reads security settings of Internet Explorer

      • pnputil.exe (PID: 5800)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 7152)
      • SearchApp.exe (PID: 2924)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7420)
    • Process checks computer location settings

      • SearchApp.exe (PID: 2924)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 150528
UninitializedDataSize: 2048
EntryPoint: 0x3ae9
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.82.418
ProductVersionNumber: 5.1.82.418
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Npcap 1.82 installer
FileVersion: 1.82
LegalCopyright: Copyright (c) 2025, Nmap Software LLC. All rights reserved.
ProductName: Npcap
ProductVersion: 1.82
No data.
All screenshots are available in the full report
Total processes: 170
Monitored processes: 35
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process nodes in the order shown (* marks processes with detailed specs in the report): npcap-1.82.exe*, sppextcomobj.exe, slui.exe, npfinstall.exe, conhost.exe, powershell.exe, conhost.exe, powershell.exe, conhost.exe, certutil.exe, certutil.exe, conhost.exe, certutil.exe, conhost.exe, certutil.exe, conhost.exe, certutil.exe, conhost.exe, npfinstall.exe, conhost.exe, pnputil.exe, conhost.exe, npfinstall.exe, conhost.exe, npfinstall.exe*, conhost.exe, drvinst.exe*, powershell.exe, conhost.exe, powershell.exe, conhost.exe, shellexperiencehost.exe, rundll32.exe, npcap-1.82.exe, searchapp.exe*

Process information

Columns per process: PID | CMD | Path | Indicators | Parent process
PID: 300
CMD: "C:\Users\admin\AppData\Local\Temp\npcap-1.82.exe"
Path: C:\Users\admin\AppData\Local\Temp\npcap-1.82.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Npcap 1.82 installer
Exit code:
3221226540
Version:
1.82
Modules
Images
c:\users\admin\appdata\local\temp\npcap-1.82.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 680
CMD: certutil.exe -addstore -f "AddressBook" "C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\digi-ts-2023.p7b"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: npcap-1.82.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1164
CMD: "C:\Program Files\Npcap\NPFInstall.exe" -n -c
Path: C:\Program Files\Npcap\NPFInstall.exe
Parent process: npcap-1.82.exe
User:
admin
Company:
Nmap Software LLC
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.82
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1168
CMD: "C:\Program Files\Npcap\NPFInstall.exe" -n -iw
Path: C:\Program Files\Npcap\NPFInstall.exe
Parent process: npcap-1.82.exe
User:
admin
Company:
Nmap Software LLC
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.82
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: NPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2924
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\wincorlib.dll
PID: 3240
CMD: C:\WINDOWS\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 4228
CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
PID: 4620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: NPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4652
CMD: certutil.exe -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.sst"
Path: C:\Windows\SysWOW64\certutil.exe
Parent process: npcap-1.82.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 36 533
Read events: 36 389
Write events: 136
Delete events: 8

Modification events

Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\ConstraintIndex
Operation: write
Name: CurrentConstraintIndexCabPath
Value:
43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C005000610063006B0061006700650073005C004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E005300650061007200630068005F006300770035006E003100680032007400780079006500770079005C004C006F00630061006C00530074006100740065005C0043006F006E00730074007200610069006E00740049006E006400650078005C0049006E007000750074005F007B00380033003200620036003800640032002D0037006600650032002D0034006500370031002D0061003300610064002D003200360031003600360062003600350036006500630036007D000000E5A3A65326C5DB01
Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppsConstraintIndex
Operation: write
Name: LatestConstraintIndexFolder
Value:
43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C005000610063006B0061006700650073005C004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E005300650061007200630068005F006300770035006E003100680032007400780079006500770079005C004C006F00630061006C00530074006100740065005C0043006F006E00730074007200610069006E00740049006E006400650078005C0041007000700073005F007B00300063006300310030003400660034002D0032006600360031002D0034006500330066002D0038006200340064002D003700640033003500660030003600650038003200380037007D000000E5A3A65326C5DB01
Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppsConstraintIndex
Operation: write
Name: LastConstraintIndexBuildCompleted
Value:
08FEA75326C5DB01E5A3A65326C5DB01
Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation: write
Name: CurrentConstraintIndexCabPath
Value:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{832b68d2-7fe2-4e71-a3ad-26166b656ec6}
Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation: write
Name: LatestConstraintIndexFolder
Value:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}
Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: SafeSearchMode
Value:
1
Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation: write
Name: IndexedLanguage
Value:
en-US
Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppIndexer
Operation: write
Name: LatestCacheFileName
Value:
410070007000430061006300680065003100330033003900310037003300380032003200370039003100310031003500310032002E007400780074000000E5A3A65326C5DB01
Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppIndexer
Operation: write
Name: InstalledWin32AppsRevision
Value:
7B00420035003500370031004200310030002D0030003400350030002D0034004400340046002D0038004600370043002D004600360036004200360043004500370045004300450039007D000000E5A3A65326C5DB01
Process: (7188) npcap-1.82.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst
Operation: write
Name: UninstallString
Value:
"C:\Program Files\Npcap\uninstall.exe"
Executable files: 32
Suspicious files: 65
Text files: 195
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\options.ini | text
MD5: 825DC90C454EF29D15B3340FD9B5E691
SHA256: F9FB88B64E7C8845FB2F4DE82D18474B4AAB1B49B03F4D79EA1D143DC0168D8A
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\InstallOptions.dll | executable
MD5: D1EEFB07ABC2577DFB92EB2E95A975E4
SHA256: 89DD7D646278D8BFC41D5446BDC348B9A9AFAA832ABF02C1396272BB7AC7262A
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\final.ini | text
MD5: C2992DF0C584A29B8FB2107D5697A730
SHA256: 8AE8385DCC63A47B0EA21BB971E2BFA463DD17F20966F61C8A77E080859F80BD
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\nsExec.dll | executable
MD5: 11092C1D3FBB449A60695C44F9F3D183
SHA256: 2CD3A2D4053954DB1196E2526545C36DFC138C6DE9B81F6264632F3132843C77
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\modern-header.bmp | image
MD5: B514F98A3DF2F23FB0FDF170FA772F5C
SHA256: F22D49EEC7926CDE60DAD056A3A9FA844327F759F38E76BAD4C3119A57E37888
2924 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}\0.1.filtertrie.intermediate.txt | text
MD5: 34BD1DFB9F72CF4F86E6DF6DA0A9E49A
SHA256: 8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\NPFInstall.exe | executable
MD5: 3E97CDF61E2E0B080E20E52A02B4D744
SHA256: 3A51FB2B589114DDB0355AA5162F37DB1EFF731A89475301239CBFB446171E74
2924 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}\Apps.ft | binary
MD5: AB5CF5D309581951ACE7978FF8DF0FF0
SHA256: CA45CAA7DE38CB805EC43EDC8B9332E1E95124A27FBB6E5BD3DDD5E8A526AFC7
2924 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}\0.2.filtertrie.intermediate.txt | text
MD5: C204E9FAAF8565AD333828BEFF2D786E
SHA256: D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
7188 | npcap-1.82.exe | C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\System.dll | executable
MD5: 192639861E3DC2DC5C08BB8F8C7260D5
SHA256: 23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
HTTP(S) requests: 7
TCP/UDP connections: 34
DNS requests: 21
Threats: 0

HTTP requests

Rows are grouped by the requesting process (PID and process name), then: Method | HTTP Code | IP | URL | Type | Reputation. The CN and Size columns are empty for every row in this report.

4464 SIHClient.exe
  GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
  GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
  GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 svchost.exe
  GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
4464 SIHClient.exe
  GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2924 SearchApp.exe
  GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
2924 SearchApp.exe
  GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(a "-" marks a cell the report left empty)
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.160.66:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4464 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.173
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.67
  • 20.190.160.14
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.130
  • 40.126.32.134
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
www.bing.com
  • 104.126.37.161
  • 104.126.37.153
  • 104.126.37.177
  • 104.126.37.128
  • 104.126.37.160
  • 104.126.37.170
  • 104.126.37.152
  • 104.126.37.163
  • 104.126.37.185
whitelisted

Threats

No threats detected
No debug info