File name: OInstall.exe

Full analysis: https://app.any.run/tasks/39cf570c-1f84-4e6f-ac34-7f69c14275a8
Verdict: Malicious activity
Analysis date: March 24, 2025, 23:35:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 0736EE70196BC57D0094D3CFA069E667
SHA1: AC8A676940B44F9727275A6A05C89F3643C973E1
SHA256: 315690F31973F127E8FB59BFF4369663EF033DE0037CA51252A4B731AB238D4A
SSDEEP: 98304:NMgUkCUH5Lt9E0o819rIiPxhawKUrIxKjzmCeZiYAkdHmx+ZgGdpiGPepVb+y3m/:vWismCWVR4n86dR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OInstall.exe (PID: 7464)
      • OInstall.exe (PID: 7568)
      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 7772)
  • SUSPICIOUS

    • Found strings related to reading or modifying Windows Defender settings

      • OInstall.exe (PID: 7568)
    • Process drops legitimate windows executable

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
    • Executable content was dropped or overwritten

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
    • Drops 7-zip archiver for unpacking

      • OInstall.exe (PID: 7568)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7944)
    • The process drops C-runtime libraries

      • files.dat (PID: 7996)
    • Starts CMD.EXE for commands execution

      • OInstall.exe (PID: 7568)
    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Searches for installed software

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 5552)
  • INFO

    • Reads Environment values

      • OInstall.exe (PID: 7568)
      • identity_helper.exe (PID: 7932)
    • Checks supported languages

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5576)
      • setup.exe (PID: 5552)
      • identity_helper.exe (PID: 7932)
    • Reads the computer name

      • OInstall.exe (PID: 7568)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • setup.exe (PID: 5576)
      • identity_helper.exe (PID: 7932)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7656)
      • WMIC.exe (PID: 7832)
    • The sample compiled with english language support

      • OInstall.exe (PID: 7568)
      • files.dat (PID: 7996)
    • Creates files or folders in the user directory

      • setup.exe (PID: 5576)
    • Create files in a temporary directory

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Checks proxy server information

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
      • slui.exe (PID: 3900)
    • Process checks computer location settings

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Reads the software policy settings

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • slui.exe (PID: 3900)
      • setup.exe (PID: 5552)
    • Reads Microsoft Office registry keys

      • setup.exe (PID: 6964)
      • setup.exe (PID: 5576)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Reads the machine GUID from the registry

      • setup.exe (PID: 5576)
      • setup.exe (PID: 6964)
      • setup.exe (PID: 7316)
      • setup.exe (PID: 4784)
      • setup.exe (PID: 7628)
      • setup.exe (PID: 7932)
      • setup.exe (PID: 5552)
    • Manual execution by a user

      • msedge.exe (PID: 8184)
    • Application launched itself

      • msedge.exe (PID: 5436)
      • msedge.exe (PID: 8184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (72.3)
.exe | Win32 Executable (generic) (11.7)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)
.exe | DOS Executable Generic (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:11 05:19:12+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 808448
InitializedDataSize: 19369984
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.8.0.0
ProductVersionNumber: 6.8.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Office 2013-2016 C2R Install
FileDescription: Office 2013-2016 C2R Install
No data.
All screenshots are available in the full report
Total processes: 197
Monitored processes: 72
Malicious processes: 8
Suspicious processes: 9

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 300
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6468 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 444
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1240
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7052 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1660
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x120,0x228,0x318,0x248,0x320,0x7ffc897a5fd8,0x7ffc897a5fe4,0x7ffc897a5ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1676
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2304 --field-trial-handle=2324,i,7373027507742818812,2889402375639724554,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2092
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7052 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2096
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5784 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2268
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6756 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2776
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --no-appcompat-clear --mojo-platform-channel-handle=5328 --field-trial-handle=2376,i,11430189233352849613,16948942578226533806,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 42 894
Read events: 42 665
Write events: 227
Delete events: 2

Modification events

(PID) Process: (7568) OInstall.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation: write
Name: Speaker Configuration
Value: 4

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2

(PID) Process: (5576) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2
Executable files: 13
Suspicious files: 251
Text files: 64
Unknown types: 3

Dropped files

PID | Process | Filename | Type

7996 | files.dat | C:\Users\admin\Desktop\files\x64\cleanospp.exe | executable
MD5: 162AB955CB2F002A73C1530AA796477F
SHA256: 5CE462E5F34065FC878362BA58617FAB28C22D631B9D836DDDCF43FB1AD4DE6E

5576 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C0018BB1B5834735BFA60CD063B31956 | binary
MD5: 1EA27366E034EB9447A33CE639C01489
SHA256: 788D210EF206A4D11B6B506BF52124EE03FCA4E8A9389FAD43772202A7E29452

7568 | OInstall.exe | C:\Users\admin\Desktop\files\Configure.xml | text
MD5: AC6BE84084E31DBB0E08D188B6C86EC8
SHA256: 1879F7DE537C2AA70292C61EBEF9C6477D36E25B2E6A639E318B159E0A22B0FC

7996 | files.dat | C:\Users\admin\Desktop\files\x64\msvcr100.dll | executable
MD5: DF3CA8D16BDED6A54977B30E66864D33
SHA256: 1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36

5576 | setup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RCCAE3B15-1400-4FA1-8EE9-3FCDEEF1CA84\v32_16.0.18526.20168.cab | compressed
MD5: C52A5B32E563E4AB5EFC5FC5B5CE0DA0
SHA256: F8A87BB7D3D17327AB07B130C29C17AC8A25B34F08973E35D527D651898B4DCD

5576 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE | binary
MD5: 3B5E0BD6640456A749D9155E6C135727
SHA256: C362A3D2B661C6066A02FC169FAAA1976C2F6160DA5837C7E68B7E0F67B794ED

5576 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE | binary
MD5: 195434F5F93B2179743CFEF475BCFAE5
SHA256: FA4EF1C80E9248ADEE70DF8026EC8BBB64B814EAA059FFB83AE93DC0B309EC1F

5576 | setup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5: 86BEC7A51419CF6F8277608E79B2B807
SHA256: 1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5

7996 | files.dat | C:\Users\admin\Desktop\files\x86\cleanospp.exe | executable
MD5: 5FD363D52D04AC200CD24F3BCC903200
SHA256: 3FDEFE2AD092A9A7FE0EDF0AC4DC2DE7E5B9CE6A0804F6511C06564194966CF9

7568 | OInstall.exe | C:\Users\admin\Desktop\files\files.dat | executable
MD5: 55D21B2C272A5D6B9F54FA9ED82BF9EB
SHA256: 7A1C82E264258470D14CA345EA1A9B6FC34FA19B393A92077A01BE5F1AD08F47
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 106
TCP/UDP connections: 81
DNS requests: 55
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5576 | setup.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6964 | setup.exe | HEAD | 200 | 199.232.214.172:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16026.20146.cab | unknown | whitelisted
5576 | setup.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
5576 | setup.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | whitelisted
6964 | setup.exe | GET | 200 | 199.232.214.172:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab | unknown | whitelisted
5576 | setup.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5576 | setup.exe | HEAD | 200 | 199.232.210.172:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab | unknown | whitelisted
6964 | setup.exe | HEAD | 200 | 199.232.214.172:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.18526.20168.cab | unknown | whitelisted
7316 | setup.exe | HEAD | 200 | 199.232.214.172:80 | http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16026.20146.cab | unknown | whitelisted
5576 | setup.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4 | System | 192.168.100.255:137 | whitelisted
20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
5576 | setup.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5576 | setup.exe | 52.110.17.39:443 | mrodevicemgr.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5576 | setup.exe | 199.232.210.172:80 | officecdn.microsoft.com | FASTLY | US | whitelisted
5576 | setup.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5576 | setup.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6964 | setup.exe | 52.109.89.117:443 | mrodevicemgr.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6964 | setup.exe | 199.232.214.172:80 | officecdn.microsoft.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
officecdn.microsoft.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
mrodevicemgr.officeapps.live.com
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.166
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
edge.microsoft.com
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic | ET INFO Possible Chrome Plugin install
No debug info