File name:

OInstall.exe

Full analysis: https://app.any.run/tasks/39cf570c-1f84-4e6f-ac34-7f69c14275a8
Verdict: Malicious activity
Analysis date: March 24, 2025, 23:35:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

0736EE70196BC57D0094D3CFA069E667

SHA1:

AC8A676940B44F9727275A6A05C89F3643C973E1

SHA256:

315690F31973F127E8FB59BFF4369663EF033DE0037CA51252A4B731AB238D4A

SSDEEP:

98304:NMgUkCUH5Lt9E0o819rIiPxhawKUrIxKjzmCeZiYAkdHmx+ZgGdpiGPepVb+y3m/:vWismCWVR4n86dR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OInstall.exe (PID: 7464)
      • OInstall.exe (PID: 7568)
      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 7772)
      • cmd.exe (PID: 7596)
  • SUSPICIOUS

    • Found strings related to reading or modifying Windows Defender settings

      • OInstall.exe (PID: 7568)
    • Starts CMD.EXE for commands execution

      • OInstall.exe (PID: 7568)
    • Process drops legitimate windows executable

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
    • Drops 7-zip archiver for unpacking

      • OInstall.exe (PID: 7568)
    • Executable content was dropped or overwritten

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7944)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • The process drops C-runtime libraries

      • files.dat (PID: 7996)
    • Searches for installed software

      • setup.exe (PID: 5576)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • setup.exe (PID: 6964)
  • INFO

    • Checks supported languages

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 5576)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • identity_helper.exe (PID: 7932)
    • Reads Environment values

      • OInstall.exe (PID: 7568)
      • identity_helper.exe (PID: 7932)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7832)
      • WMIC.exe (PID: 7656)
    • The sample compiled with English language support

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
    • Reads the computer name

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • OInstall.exe (PID: 7568)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • identity_helper.exe (PID: 7932)
    • Process checks computer location settings

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Creates files or folders in the user directory

      • setup.exe (PID: 5576)
    • Reads Microsoft Office registry keys

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Reads the software policy settings

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • slui.exe (PID: 3900)
    • Checks proxy server information

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • slui.exe (PID: 3900)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Create files in a temporary directory

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 5552)
    • Manual execution by a user

      • msedge.exe (PID: 8184)
    • Application launched itself

      • msedge.exe (PID: 8184)
      • msedge.exe (PID: 5436)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (72.3)
.exe | Win32 Executable (generic) (11.7)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)
.exe | DOS Executable Generic (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:11 05:19:12+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 808448
InitializedDataSize: 19369984
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.8.0.0
ProductVersionNumber: 6.8.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Office 2013-2016 C2R Install
FileDescription: Office 2013-2016 C2R Install
No data.
All screenshots are available in the full report
Total processes
197
Monitored processes
72
Malicious processes
8
Suspicious processes
9

Behavior graph

[Interactive process graph, not reproduced here: oinstall.exe spawning cmd.exe / conhost.exe / wmic.exe chains, files.dat, several setup.exe instances, slui.exe, and an msedge.exe / identity_helper.exe process tree; see the full report.]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
300
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6468 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
444
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
672
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1240
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7052 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1660
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x120,0x228,0x318,0x248,0x320,0x7ffc897a5fd8,0x7ffc897a5fe4,0x7ffc897a5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1676
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2304 --field-trial-handle=2324,i,7373027507742818812,2889402375639724554,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2092
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7052 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2096
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5784 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2268
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6756 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2776
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5328 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
42 894
Read events
42 665
Write events
227
Delete events
2

Modification events

(PID) Process: (7568) OInstall.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation: write | Name: Speaker Configuration
Value:
4
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: en-US
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: de-de
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: fr-fr
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: es-es
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: it-it
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: ja-jp
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: ko-kr
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: pt-br
Value:
2
(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: ru-ru
Value:
2
Executable files
13
Suspicious files
251
Text files
64
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 7996 | Process: files.dat | Filename: C:\Users\admin\Desktop\files\x86\cleanospp.exe | Type: executable
MD5: 5FD363D52D04AC200CD24F3BCC903200
SHA256: 3FDEFE2AD092A9A7FE0EDF0AC4DC2DE7E5B9CE6A0804F6511C06564194966CF9
PID: 7996 | Process: files.dat | Filename: C:\Users\admin\Desktop\files\x64\msvcr100.dll | Type: executable
MD5: DF3CA8D16BDED6A54977B30E66864D33
SHA256: 1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
PID: 5576 | Process: setup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956 | Type: binary
MD5: 5F6E079FD88723464AC1C8D250CBF749
SHA256: D985D713B9C8A7935A99BAD4F15CE7E7C5903DAB92A8EAC982221434939A671B
PID: 7568 | Process: OInstall.exe | Filename: C:\Users\admin\Desktop\files\Configure.xml | Type: text
MD5: AC6BE84084E31DBB0E08D188B6C86EC8
SHA256: 1879F7DE537C2AA70292C61EBEF9C6477D36E25B2E6A639E318B159E0A22B0FC
PID: 7996 | Process: files.dat | Filename: C:\Users\admin\Desktop\files\x86\msvcr100.dll | Type: executable
MD5: BF38660A9125935658CFA3E53FDC7D65
SHA256: 60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
PID: 7568 | Process: OInstall.exe | Filename: C:\Users\admin\Desktop\files\setup.exe | Type: executable
MD5: 64B22215CCA284010E9BF96EB5AE2F02
SHA256: 1542ED413C1D21CA7B5CDE39CE4E0D4EE592DE26A25A9868ECE77B875A16639E
PID: 7568 | Process: OInstall.exe | Filename: C:\Users\admin\Desktop\files\files.dat | Type: executable
MD5: 55D21B2C272A5D6B9F54FA9ED82BF9EB
SHA256: 7A1C82E264258470D14CA345EA1A9B6FC34FA19B393A92077A01BE5F1AD08F47
PID: 5576 | Process: setup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | Type: binary
MD5: 195434F5F93B2179743CFEF475BCFAE5
SHA256: FA4EF1C80E9248ADEE70DF8026EC8BBB64B814EAA059FFB83AE93DC0B309EC1F
PID: 5576 | Process: setup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | Type: binary
MD5: 202EA0252477801A6408E8FAEB445F6A
SHA256: 559F48E94C4BF42B4E928B207C4535E9718A94955FAD573476A971EB832C20B9
PID: 5576 | Process: setup.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | Type: binary
MD5: 3B5E0BD6640456A749D9155E6C135727
SHA256: C362A3D2B661C6066A02FC169FAAA1976C2F6160DA5837C7E68B7E0F67B794ED
HTTP(S) requests
106
TCP/UDP connections
81
DNS requests
55
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5576
setup.exe
HEAD
200
199.232.210.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16026.20146.cab
unknown
whitelisted
5576
setup.exe
HEAD
200
199.232.210.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab
unknown
whitelisted
5576
setup.exe
HEAD
200
199.232.210.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab
unknown
whitelisted
5576
setup.exe
GET
200
199.232.210.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab
unknown
whitelisted
5576
setup.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5576
setup.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
5576
setup.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6964
setup.exe
HEAD
200
199.232.214.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab
unknown
whitelisted
6964
setup.exe
HEAD
200
199.232.214.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16026.20146.cab
unknown
whitelisted
6964
setup.exe
HEAD
200
199.232.214.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5576
setup.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5576
setup.exe
52.110.17.39:443
mrodevicemgr.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5576
setup.exe
199.232.210.172:80
officecdn.microsoft.com
FASTLY
US
whitelisted
5576
setup.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5576
setup.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6964
setup.exe
52.109.89.117:443
mrodevicemgr.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6964
setup.exe
199.232.214.172:80
officecdn.microsoft.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
officecdn.microsoft.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
mrodevicemgr.officeapps.live.com
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.166
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Possible Chrome Plugin install
No debug info