File name:

npcap-1.82.exe

Full analysis: https://app.any.run/tasks/8941e221-0421-438b-9dac-b96139f46ff8
Verdict: Malicious activity
Analysis date: May 14, 2025, 23:17:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

BFFB330A7E60C1F6B73DC10A8E7B9C34

SHA1:

AB87F720019E63A4C04628C79112FBCDA6D485D9

SHA256:

DD6A26F07E90FE8308F06B09AF0EAFA188F4FF0A1A184E5ADFA35E37467C705D

SSDEEP:

49152:oTc2+n7LNsFtpZps7BLeILgob7lyKCyuphXM8IOpaxEsn5UZrT5jJWn29PYwdq5P:oTc2+l7BLfgW4fp5rnsyB5jJWn29u5cM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7972)
      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7400)
      • powershell.exe (PID: 7420)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • npcap-1.82.exe (PID: 7188)
    • Executable content was dropped or overwritten

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7248)
      • drvinst.exe (PID: 7152)
    • The process creates files with name similar to system file names

      • npcap-1.82.exe (PID: 7188)
    • Drops a system driver (possible attempt to evade defenses)

      • npcap-1.82.exe (PID: 7188)
      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 7248)
    • Creates a software uninstall entry

      • npcap-1.82.exe (PID: 7188)
    • The process hide an interactive prompt from the user

      • npcap-1.82.exe (PID: 7188)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 7748)
      • powershell.exe (PID: 7972)
    • Starts POWERSHELL.EXE for commands execution

      • npcap-1.82.exe (PID: 7188)
    • Removes files via Powershell

      • powershell.exe (PID: 7972)
    • Adds/modifies Windows certificates

      • certutil.exe (PID: 4652)
      • certutil.exe (PID: 5380)
      • certutil.exe (PID: 680)
    • The process bypasses the loading of PowerShell profile settings

      • npcap-1.82.exe (PID: 7188)
    • Creates files in the driver directory

      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 7248)
    • Creates or modifies Windows services

      • npcap-1.82.exe (PID: 7188)
  • INFO

    • Checks supported languages

      • npcap-1.82.exe (PID: 7188)
      • SearchApp.exe (PID: 2924)
      • NPFInstall.exe (PID: 7680)
      • NPFInstall.exe (PID: 7248)
      • drvinst.exe (PID: 7152)
      • NPFInstall.exe (PID: 1164)
      • NPFInstall.exe (PID: 1168)
    • Reads the computer name

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7680)
      • NPFInstall.exe (PID: 7248)
      • drvinst.exe (PID: 7152)
    • Create files in a temporary directory

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7248)
    • Creates files in the program directory

      • npcap-1.82.exe (PID: 7188)
      • NPFInstall.exe (PID: 7680)
    • The sample compiled with english language support

      • npcap-1.82.exe (PID: 7188)
    • Returns hidden items found within a container (POWERSHELL)

      • conhost.exe (PID: 8152)
      • conhost.exe (PID: 7980)
      • conhost.exe (PID: 5556)
      • conhost.exe (PID: 5216)
      • conhost.exe (PID: 5008)
      • conhost.exe (PID: 1184)
      • conhost.exe (PID: 7756)
      • conhost.exe (PID: 7240)
      • conhost.exe (PID: 5772)
      • conhost.exe (PID: 4620)
      • conhost.exe (PID: 7588)
      • powershell.exe (PID: 7420)
      • conhost.exe (PID: 7500)
    • Reads the software policy settings

      • drvinst.exe (PID: 7152)
      • pnputil.exe (PID: 5800)
      • SearchApp.exe (PID: 2924)
    • Reads the machine GUID from the registry

      • drvinst.exe (PID: 7152)
      • SearchApp.exe (PID: 2924)
    • Reads security settings of Internet Explorer

      • pnputil.exe (PID: 5800)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7420)
    • Process checks computer location settings

      • SearchApp.exe (PID: 2924)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:56:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 150528
UninitializedDataSize: 2048
EntryPoint: 0x3ae9
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.1.82.418
ProductVersionNumber: 5.1.82.418
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Npcap 1.82 installer
FileVersion: 1.82
LegalCopyright: Copyright (c) 2025, Nmap Software LLC. All rights reserved.
ProductName: Npcap
ProductVersion: 1.82
No data.
Total processes
170
Monitored processes
35
Malicious processes
3
Suspicious processes
1

Behavior graph

start npcap-1.82.exe sppextcomobj.exe no specs slui.exe no specs npfinstall.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs certutil.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs certutil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs pnputil.exe no specs conhost.exe no specs npfinstall.exe no specs conhost.exe no specs npfinstall.exe conhost.exe no specs drvinst.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs shellexperiencehost.exe no specs rundll32.exe no specs npcap-1.82.exe no specs searchapp.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
300
CMD:
"C:\Users\admin\AppData\Local\Temp\npcap-1.82.exe"
Path:
C:\Users\admin\AppData\Local\Temp\npcap-1.82.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Npcap 1.82 installer
Exit code:
3221226540
Version:
1.82
Modules
Images
c:\users\admin\appdata\local\temp\npcap-1.82.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
680
CMD:
certutil.exe -addstore -f "AddressBook" "C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\digi-ts-2023.p7b"
Path:
C:\Windows\SysWOW64\certutil.exe
Parent process:
npcap-1.82.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1164
CMD:
"C:\Program Files\Npcap\NPFInstall.exe" -n -c
Path:
C:\Program Files\Npcap\NPFInstall.exe
Parent process:
npcap-1.82.exe
User:
admin
Company:
Nmap Software LLC
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.82
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1168
CMD:
"C:\Program Files\Npcap\NPFInstall.exe" -n -iw
Path:
C:\Program Files\Npcap\NPFInstall.exe
Parent process:
npcap-1.82.exe
User:
admin
Company:
Nmap Software LLC
Integrity Level:
HIGH
Description:
A LWF & WFP driver installation tool
Exit code:
0
Version:
1.82
Modules
Images
c:\program files\npcap\npfinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID:
1184
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
NPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2924
CMD:
"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Path:
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Search application
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\wincorlib.dll
PID:
3240
CMD:
C:\WINDOWS\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Path:
C:\Windows\System32\rundll32.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID:
4228
CMD:
"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path:
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\dxgi.dll
PID:
4620
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
NPFInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4652
CMD:
certutil.exe -addstore -f "Root" "C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4.sst"
Path:
C:\Windows\SysWOW64\certutil.exe
Parent process:
npcap-1.82.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
CertUtil.exe
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\certutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
36 533
Read events
36 389
Write events
136
Delete events
8

Modification events

(PID) Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\ConstraintIndex
Operation: write
Name: CurrentConstraintIndexCabPath
Value:
43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C005000610063006B0061006700650073005C004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E005300650061007200630068005F006300770035006E003100680032007400780079006500770079005C004C006F00630061006C00530074006100740065005C0043006F006E00730074007200610069006E00740049006E006400650078005C0049006E007000750074005F007B00380033003200620036003800640032002D0037006600650032002D0034006500370031002D0061003300610064002D003200360031003600360062003600350036006500630036007D000000E5A3A65326C5DB01
(PID) Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppsConstraintIndex
Operation: write
Name: LatestConstraintIndexFolder
Value:
(PID) Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppsConstraintIndex
Operation: write
Name: LastConstraintIndexBuildCompleted
Value:
08FEA75326C5DB01E5A3A65326C5DB01
(PID) Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation: write
Name: CurrentConstraintIndexCabPath
Value:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{832b68d2-7fe2-4e71-a3ad-26166b656ec6}
(PID) Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation: write
Name: LatestConstraintIndexFolder
Value:
C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}
(PID) Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation: write
Name: SafeSearchMode
Value:
1
(PID) Process: (2924) SearchApp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation: write
Name: IndexedLanguage
Value:
en-US
(PID) Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppIndexer
Operation: write
Name: LatestCacheFileName
Value:
410070007000430061006300680065003100330033003900310037003300380032003200370039003100310031003500310032002E007400780074000000E5A3A65326C5DB01
(PID) Process: (2924) SearchApp.exe
Key: \REGISTRY\A\{919c907a-b14a-1c2d-b076-c1402ff6e70c}\LocalState\AppIndexer
Operation: write
Name: InstalledWin32AppsRevision
Value:
7B00420035003500370031004200310030002D0030003400350030002D0034004400340046002D0038004600370043002D004600360036004200360043004500370045004300450039007D000000E5A3A65326C5DB01
(PID) Process: (7188) npcap-1.82.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NpcapInst
Operation: write
Name: UninstallString
Value:
"C:\Program Files\Npcap\uninstall.exe"
Executable files
32
Suspicious files
65
Text files
195
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7188
Process: npcap-1.82.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\System.dll
Type: executable
MD5:192639861E3DC2DC5C08BB8F8C7260D5
SHA256:23D618A0293C78CE00F7C6E6DD8B8923621DA7DD1F63A070163EF4C0EC3033D6
PID: 7188
Process: npcap-1.82.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\InstallOptions.dll
Type: executable
MD5:D1EEFB07ABC2577DFB92EB2E95A975E4
SHA256:89DD7D646278D8BFC41D5446BDC348B9A9AFAA832ABF02C1396272BB7AC7262A
PID: 7188
Process: npcap-1.82.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\final.ini
Type: text
MD5:C2992DF0C584A29B8FB2107D5697A730
SHA256:8AE8385DCC63A47B0EA21BB971E2BFA463DD17F20966F61C8A77E080859F80BD
PID: 7188
Process: npcap-1.82.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\modern-header.bmp
Type: image
MD5:B514F98A3DF2F23FB0FDF170FA772F5C
SHA256:F22D49EEC7926CDE60DAD056A3A9FA844327F759F38E76BAD4C3119A57E37888
PID: 7188
Process: npcap-1.82.exe
Filename: C:\Program Files\Npcap\FixInstall.bat
Type: text
MD5:3DCB581D39D9349A906368B77A4CEDFA
SHA256:C6158E40BDFD88E892EE6C4DA3A16A037EDF2CC77DC008CBD8FBEB44C643DDDA
PID: 7188
Process: npcap-1.82.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsfB75D.tmp\options.ini
Type: text
MD5:825DC90C454EF29D15B3340FD9B5E691
SHA256:F9FB88B64E7C8845FB2F4DE82D18474B4AAB1B49B03F4D79EA1D143DC0168D8A
PID: 2924
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}\0.2.filtertrie.intermediate.txt
Type: text
MD5:C204E9FAAF8565AD333828BEFF2D786E
SHA256:D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
PID: 2924
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}\Apps.ft
Type: binary
MD5:AB5CF5D309581951ACE7978FF8DF0FF0
SHA256:CA45CAA7DE38CB805EC43EDC8B9332E1E95124A27FBB6E5BD3DDD5E8A526AFC7
PID: 2924
Process: SearchApp.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0cc104f4-2f61-4e3f-8b4d-7d35f06e8287}\0.1.filtertrie.intermediate.txt
Type: text
MD5:34BD1DFB9F72CF4F86E6DF6DA0A9E49A
SHA256:8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C
PID: 7680
Process: NPFInstall.exe
Filename: C:\Program Files\Npcap\NPFInstall.log
Type: text
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA
SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5
HTTP(S) requests
7
TCP/UDP connections
34
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4464
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4464
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2924
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4464
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.166
  • 23.48.23.173
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.67
  • 20.190.160.14
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.130
  • 40.126.32.134
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
www.bing.com
  • 104.126.37.161
  • 104.126.37.153
  • 104.126.37.177
  • 104.126.37.128
  • 104.126.37.160
  • 104.126.37.170
  • 104.126.37.152
  • 104.126.37.163
  • 104.126.37.185
whitelisted

Threats

No threats detected
No debug info