File name: Gwyddion-2.45.win32.exe

Full analysis: https://app.any.run/tasks/7e8ed8f8-bb0d-4b12-9ce0-df146bdb5039
Verdict: Malicious activity
Analysis date: September 14, 2025, 02:27:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: E5E2042F6EA526ADC749CC401ECFA37C
SHA1: 99DC3CBCFEC619C2626926332D3914C9AAEDCA2C
SHA256: DE41204FE584C7D9E70CE08F313C53D9ED2AC2FD0A42737586372B7AAE5126C6
SSDEEP: 196608:Nx5DnVtRrVn+Dzs7ocRRXo/10kXGWkfeh:bxnL9Vn+M7XRRcakJCeh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Process drops python dynamic module: Gwyddion-2.45.win32.exe (PID: 7064)
    • There is functionality for taking screenshot (YARA): Gwyddion-2.45.win32.exe (PID: 7064)
    • Executable content was dropped or overwritten: Gwyddion-2.45.win32.exe (PID: 7064)
    • Creates a software uninstall entry: Gwyddion-2.45.win32.exe (PID: 7064)
  • INFO
    • Checks supported languages: Gwyddion-2.45.win32.exe (PID: 7064)
    • The sample is compiled with English language support: Gwyddion-2.45.win32.exe (PID: 7064)
    • Creates files in the program directory: Gwyddion-2.45.win32.exe (PID: 7064)
    • Creates files in a temporary directory: Gwyddion-2.45.win32.exe (PID: 7064)
    • Reads the software policy settings: slui.exe (PID: 4476; Windows Activation Client started by svchost.exe, not a child of the sample)
    • Reads the computer name: Gwyddion-2.45.win32.exe (PID: 7064)
    • Checks proxy server information: slui.exe (PID: 4476; Windows Activation Client started by svchost.exe, not a child of the sample)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 22:50:46+00:00 (PE header of the prebuilt NSIS stub: this is when the stub was compiled, not when this Gwyddion package was assembled)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x323c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 131
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

Nodes: start, gwyddion-2.45.win32.exe, slui.exe, gwyddion-2.45.win32.exe (no specs)

Process information

PID 3732
  CMD: "C:\Users\admin\Desktop\Gwyddion-2.45.win32.exe"
  Path: C:\Users\admin\Desktop\Gwyddion-2.45.win32.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image asked for elevation, so this medium-integrity instance never ran user code; only the image and ntdll are mapped. The elevated instance is PID 7064.)
  Modules (images):
    c:\users\admin\desktop\gwyddion-2.45.win32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 4476
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7064
  CMD: "C:\Users\admin\Desktop\Gwyddion-2.45.win32.exe"
  Path: C:\Users\admin\Desktop\Gwyddion-2.45.win32.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Modules (images):
    c:\users\admin\desktop\gwyddion-2.45.win32.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
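The process table above shows the shape a UAC prompt leaves in a sandbox: a MEDIUM-integrity launch that exits with 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) and has only the image and ntdll mapped, followed by a HIGH-integrity instance with the same command line. Any installer that requests administrator rights produces this pair, so it is not evidence of malice by itself; what matters is what the elevated instance (PID 7064) then does. The script below is an added triage helper, not ANY.RUN code: the three process records are transcribed from this report, while the record layout, the small NTSTATUS table and the function names are this example's own assumptions.

```python
"""Spot the UAC self-elevation pattern in a sandbox process table.

Added example, not part of the ANY.RUN report.  The three process records are
transcribed from the report's "Process information" section; the record
layout, the NTSTATUS table and the helper functions are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values as documented in ntstatus.h.  Sandboxes print exit codes as
# unsigned decimals, so 0xC000042C appears as 3221226540.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                # image path as the report prints it (lower case)
    cmdline: str
    parent: str
    integrity: str            # LOW / MEDIUM / HIGH / SYSTEM
    exit_code: Optional[int]  # None: still running when the run ended
    modules: int              # number of loaded images the report lists


# Transcribed from the report (module counts as listed there).
PROCS = [
    Proc(3732, r"c:\users\admin\desktop\gwyddion-2.45.win32.exe",
         r'"C:\Users\admin\Desktop\Gwyddion-2.45.win32.exe"', "explorer.exe",
         "MEDIUM", 3221226540, 3),
    Proc(4476, r"c:\windows\system32\slui.exe",
         r"C:\WINDOWS\System32\slui.exe -Embedding", "svchost.exe",
         "MEDIUM", 0, 10),
    Proc(7064, r"c:\users\admin\desktop\gwyddion-2.45.win32.exe",
         r'"C:\Users\admin\Desktop\Gwyddion-2.45.win32.exe"', "explorer.exe",
         "HIGH", None, 10),
]


def decode_exit_code(code: int) -> str:
    """Render a decimal exit code as NTSTATUS hex, with its name when known."""
    value = code & 0xFFFFFFFF
    name = NTSTATUS_NAMES.get(value)
    return f"0x{value:08X}" + (f" ({name})" if name else "")


def never_initialized(proc: Proc) -> bool:
    """A process that was created but refused before user code ran maps only
    the image plus ntdll (native and, under WOW64, the 32-bit copy)."""
    return proc.modules <= 3


def find_self_elevation(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Pair each MEDIUM-integrity launch that ended with
    STATUS_ELEVATION_REQUIRED with a HIGH-integrity instance of the same image
    and command line: the trace a UAC prompt leaves in a process table."""
    pairs = []
    for stub in procs:
        if stub.integrity != "MEDIUM" or stub.exit_code is None:
            continue
        if NTSTATUS_NAMES.get(stub.exit_code & 0xFFFFFFFF) != "STATUS_ELEVATION_REQUIRED":
            continue
        for cand in procs:
            if (cand.pid != stub.pid and cand.integrity == "HIGH"
                    and cand.image == stub.image and cand.cmdline == stub.cmdline):
                pairs.append((stub.pid, cand.pid))
    return pairs


if __name__ == "__main__":
    for p in PROCS:
        code = "running" if p.exit_code is None else decode_exit_code(p.exit_code)
        print(f"PID {p.pid:<5} {p.integrity:<6} exit={code}")
    print("self-elevation pairs:", find_self_elevation(PROCS))
```

When the pair is found, read the rest of the report against the elevated PID only: the medium-integrity stub contributes nothing beyond its exit code.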
Total events: 3 697
Read events: 3 686
Write events: 11
Delete events: 0

Modification events

All entries below were written (Operation: write) by (PID 7064) Gwyddion-2.45.win32.exe.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Gwyddion\2.0
  InstallDir = C:\Program Files (x86)\Gwyddion
  Locale = en_US.UTF-8
  Version = 2.45.win32
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\gwyddion.exe
  Path = C:\Program Files (x86)\Gwyddion\bin
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gwyddion
  DisplayName = Gwyddion
  UninstallString = C:\Program Files (x86)\Gwyddion\uninstall.exe
  InstallLocation = C:\Program Files (x86)\Gwyddion
  Publisher = Gwyddion developers
  DisplayIcon = C:\Program Files (x86)\Gwyddion\share\gwyddion\pixmaps\gwyddion.ico
  URLInfoAbout = http://gwyddion.net/
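These writes are the "Creates a software uninstall entry" signature in detail: a product key, an Uninstall entry and an App Paths entry. The checks an analyst runs over such a footprint are whether every path-bearing value (UninstallString, DisplayIcon, App Paths\...\Path) stays inside the declared InstallLocation, whether any of them points into a user-writable directory, and whether anything landed in an autostart location. The script below is an added example, not ANY.RUN or Gwyddion code: the events are transcribed from the list above, while the marker lists, the path normalisation and the function names are this example's own assumptions.

```python
"""Audit the registry footprint an installer leaves behind.

Added example, not part of the ANY.RUN report.  The events are transcribed from
the report's "Modification events" list (all written by PID 7064); the checks,
the marker lists and the function names are this example's own.
"""
import ntpath

UNINST = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Gwyddion"
PRODUCT = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Gwyddion\2.0"
APP_PATHS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\gwyddion.exe"

# (key, value name, data), as written by PID 7064 according to the report
EVENTS = [
    (PRODUCT, "InstallDir", r"C:\Program Files (x86)\Gwyddion"),
    (PRODUCT, "Locale", "en_US.UTF-8"),
    (PRODUCT, "Version", "2.45.win32"),
    (APP_PATHS, "Path", r"C:\Program Files (x86)\Gwyddion\bin"),
    (UNINST, "DisplayName", "Gwyddion"),
    (UNINST, "UninstallString", r"C:\Program Files (x86)\Gwyddion\uninstall.exe"),
    (UNINST, "InstallLocation", r"C:\Program Files (x86)\Gwyddion"),
    (UNINST, "Publisher", "Gwyddion developers"),
    (UNINST, "DisplayIcon", r"C:\Program Files (x86)\Gwyddion\share\gwyddion\pixmaps\gwyddion.ico"),
    (UNINST, "URLInfoAbout", "http://gwyddion.net/"),
]

# Key fragments (lower case) that turn a write into an autostart/hijack concern.
AUTOSTART_MARKERS = (
    "\\currentversion\\run", "\\currentversion\\runonce", "\\winlogon\\",
    "\\image file execution options\\", "\\currentcontrolset\\services\\",
    "\\currentversion\\policies\\explorer\\run",
)
# Locations a standard user can write to; an UninstallString or App Paths entry
# pointing there lets that user plant code that later runs in another context.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PATH_VALUES = {"InstallDir", "Path", "UninstallString", "QuietUninstallString", "DisplayIcon"}


def unquote_path(data: str) -> str:
    """Reduce a path-bearing value to the bare path: strip surrounding quotes
    and arguments ('"C:\\x\\u.exe" /S') or a trailing icon index ('C:\\x\\a.ico,0').
    An unquoted path with spaces followed by arguments is ambiguous and is
    returned as-is (that ambiguity is itself worth flagging)."""
    s = data.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(",", 1)[0]


def is_under(path: str, root: str) -> bool:
    """True when path equals root or lies beneath it (case-insensitive, Windows
    separators), so that 'C:\\App2' is not mistaken for a child of 'C:\\App'."""
    r = ntpath.normcase(root).rstrip("\\")
    p = ntpath.normcase(path).rstrip("\\")
    return p == r or p.startswith(r + "\\")


def audit(events):
    """Summarise the footprint: install root, path values that escape it,
    path values in user-writable locations, autostart writes, App Paths names."""
    root = next((d for _k, n, d in events if n in ("InstallLocation", "InstallDir")), None)
    report = {"root": root, "out_of_root": [], "user_writable": [],
              "autostart": [], "app_paths": []}
    for key, name, data in events:
        k = key.lower()
        if any(m in k for m in AUTOSTART_MARKERS):
            report["autostart"].append((key, name))
        if "\\app paths\\" in k:
            exe = key.rsplit("\\", 1)[1].lower()
            if exe not in report["app_paths"]:
                report["app_paths"].append(exe)
        if name in PATH_VALUES:
            p = unquote_path(data)
            if root is not None and not is_under(p, root):
                report["out_of_root"].append((name, p))
            if any(m in ntpath.normcase(p) for m in USER_WRITABLE_MARKERS):
                report["user_writable"].append((name, p))
    return report


if __name__ == "__main__":
    for field, value in audit(EVENTS).items():
        print(f"{field:14} {value}")
```

For this run every path value resolves under C:\Program Files (x86)\Gwyddion and nothing touches an autostart key. The App Paths key appears without WOW6432Node because it is one of the registry keys shared between 32-bit and 64-bit views rather than redirected, which is why a 32-bit installer's other writes land under WOW6432Node while this one does not.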
Executable files: 359
Suspicious files: 71
Text files: 298
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\COPYING-MPL-1.1.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Users\admin\AppData\Local\Temp\nsaF2AA.tmp\nsDialogs.dll | executable
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\COPYING-zlib.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\COPYING-expat.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\COPYING-LGPLv2.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\LICENSE-JasPer.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\Copyright-libxml2.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\LICENSE-libffi.txt | text
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\bin\fc-cache.exe | executable
7064 | Gwyddion-2.45.win32.exe | C:\Program Files (x86)\Gwyddion\COPYING-libjpeg.txt | text
(The MD5 and SHA256 columns of this table are empty in this excerpt; see the full report.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | unknown
(Rows with an empty PID/Process are printed that way in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
 | | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
 | | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.42, 23.216.77.28, 23.216.77.20 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 52.168.117.168 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
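The network section reads as 8 HTTP requests and 19 connections, but every row that carries a PID belongs to svchost.exe, MoUsoCoreWorker.exe or System, and none to PIDs 3732 or 7064: CRL fetches, the activation POSTs and the settings/telemetry endpoints are the guest's own background traffic. Rows printed without a PID cannot be attributed from the tables alone; the PCAP in the full report is the way to settle them. The script below is an added example, not ANY.RUN code: it re-keys the rows above by origin (sample, system process, unattributed) and labels each endpoint with a category. The rows are transcribed from this report; the category rules and the function names are this example's own heuristics.

```python
"""Attribute a sandbox run's network activity to the sample versus Windows
background services.

Added example, not ANY.RUN code.  The rows below are transcribed from the
report's "HTTP requests" and "Connections" tables; rows the report prints
without a PID are kept as pid=None.  Category rules are this example's own.
"""
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_PIDS = {3732, 7064}   # both instances of Gwyddion-2.45.win32.exe

CRL_1 = "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"
CRL_2 = "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"
ACTIVATION = ("https://activation-v2.sls.microsoft.com/SLActivateProduct/"
              "SLActivateProduct.asmx?configextension=Retail")

# (pid, process, method, status, "ip:port", url)
HTTP_ROWS = [
    (1268, "svchost.exe", "GET", 200, "23.216.77.42:80", CRL_1),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "23.216.77.42:80", CRL_1),
    (None, None, "GET", 200, "23.216.77.42:80", CRL_1),
    (5944, "MoUsoCoreWorker.exe", "GET", 200, "95.101.149.131:80", CRL_2),
    (1268, "svchost.exe", "GET", 200, "95.101.149.131:80", CRL_2),
    (None, None, "GET", 200, "95.101.149.131:80", CRL_2),
    (None, None, "POST", 500, "20.83.72.98:443", ACTIVATION),
    (None, None, "POST", 500, "20.83.72.98:443", ACTIVATION),
]

# (pid, process, "ip:port", domain)
CONN_ROWS = [
    (4, "System", "192.168.100.255:137", None),
    (None, None, "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", None),
    (5944, "MoUsoCoreWorker.exe", "23.216.77.42:80", "crl.microsoft.com"),
    (1268, "svchost.exe", "23.216.77.42:80", "crl.microsoft.com"),
    (None, None, "23.216.77.42:80", "crl.microsoft.com"),
    (5944, "MoUsoCoreWorker.exe", "95.101.149.131:80", "www.microsoft.com"),
    (1268, "svchost.exe", "95.101.149.131:80", "www.microsoft.com"),
    (None, None, "95.101.149.131:80", "www.microsoft.com"),
    (1268, "svchost.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
]

TELEMETRY_HOSTS = {"settings-win.data.microsoft.com", "self.events.data.microsoft.com"}
ACTIVATION_HOSTS = {"activation-v2.sls.microsoft.com"}


def categorize(host, port, path=""):
    """Label one endpoint as a known kind of Windows background noise, or 'other'.
    A bare connection row has no URL path, so www.microsoft.com without a
    path stays 'other' even though the HTTP table shows it serving a CRL."""
    if port in (137, 138):
        return "netbios-broadcast"
    if host in ACTIVATION_HOSTS:
        return "activation"
    if host in TELEMETRY_HOSTS:
        return "telemetry"
    if host == "crl.microsoft.com" or path.lower().endswith(".crl"):
        return "crl-fetch"
    return "other"


def origin(pid):
    if pid is None:
        return "unattributed"
    return "sample" if pid in SAMPLE_PIDS else "system"


def attribute(http_rows, conn_rows):
    """Count rows by origin and by endpoint category, and list every endpoint
    that the sample's own PIDs touched (the list an analyst actually wants)."""
    by_origin, by_category, sample_endpoints = Counter(), Counter(), []
    for pid, _proc, _method, _status, _ipport, url in http_rows:
        u = urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        by_origin[origin(pid)] += 1
        by_category[categorize(u.hostname, port, u.path)] += 1
        if origin(pid) == "sample":
            sample_endpoints.append(url)
    for pid, _proc, ipport, domain in conn_rows:
        ip, port = ipport.rsplit(":", 1)
        by_origin[origin(pid)] += 1
        by_category[categorize(domain or ip, int(port))] += 1
        if origin(pid) == "sample":
            sample_endpoints.append(ipport)
    return {"by_origin": dict(by_origin), "by_category": dict(by_category),
            "sample_endpoints": sample_endpoints}


if __name__ == "__main__":
    for k, v in attribute(HTTP_ROWS, CONN_ROWS).items():
        print(f"{k:17} {v}")
```

A result with an empty sample_endpoints list and a non-empty unattributed count means the verdict cannot rest on the network tables; the dropped files and registry writes attributed to PID 7064 are the only sample-specific evidence this excerpt offers.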

Threats

No threats detected
No debug info