File name: dRUDdqTZv_04fd55d2_marfww8a.exe

Full analysis: https://app.any.run/tasks/56f9fb6c-2b19-4651-932c-d4a6ba2e343d
Verdict: Malicious activity
Analysis date: May 16, 2025, 23:39:13
OS: Windows 10 Professional (build: 19044, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: 04FD55D2766264B79762D6C6737A03F0
SHA1: 32FBB5D39B182D9B45D96548026235D1A45BD881
SHA256: 46DFA4653BC1972B9E01E9A9E94151FBBECA3DA6C347567335CC476FAA52B3C1
SSDEEP: 49152:cdjywgx1P9p9wSt0e+BrAPlAnew+5b4Uq6DjMfYB+zJAPejjk5a+jKfrg2FMT2oB:cEPX1p9wSt0BBrAPlAew+5cUBf9+1S8E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • Executable content was dropped or overwritten

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • The process creates files with name similar to system file names

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • Reads security settings of Internet Explorer

      • instocs.exe (PID: 7608)
    • There is functionality for taking screenshot (YARA)

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • Creates a software uninstall entry

      • OcsSetup.exe (PID: 7696)
    • Executes as Windows Service

      • OcsService.exe (PID: 8056)
    • Process drops legitimate windows executable

      • OcsSetup.exe (PID: 7696)
  • INFO

    • Checks supported languages

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
      • OcsService.exe (PID: 7884)
      • OcsService.exe (PID: 8016)
      • OcsService.exe (PID: 8056)
    • The sample compiled with english language support

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • OcsSetup.exe (PID: 7696)
    • Create files in a temporary directory

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • Reads the computer name

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
      • OcsService.exe (PID: 7884)
      • OcsService.exe (PID: 8016)
      • OcsService.exe (PID: 8056)
    • Creates files in the program directory

      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
      • OcsService.exe (PID: 8056)
    • Checks proxy server information

      • slui.exe (PID: 2516)
    • Reads the software policy settings

      • slui.exe (PID: 2516)
    • Reads the machine GUID from the registry

      • OcsService.exe (PID: 8056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:11:27 17:36:12+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 166400
UninitializedDataSize: 1024
EntryPoint: 0x3161
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.6.1
ProductVersionNumber: 4.0.6.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
CompanyName: Ocs Inventory Team
FileDescription: OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
FileVersion: 4.0.6.1
LegalCopyright: Ocs Inventory Team
LegalTrademarks: OcsPackager is an addon for Ocs Inventory NG.
ProductName: Package made by OcsPackager
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive graph not reproduced.) Processes shown in the graph: druddqtzv_04fd55d2_marfww8a.exe, instocs.exe, ocssetup.exe, ocsservice.exe (no specs), ocsservice.exe (no specs), ocsservice.exe (no specs), slui.exe, druddqtzv_04fd55d2_marfww8a.exe (no specs).

Process information

PID: 2516
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7464
CMD: "C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe"
Path: C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe
Parent process: explorer.exe
User: admin
Company: Ocs Inventory Team
Integrity Level: MEDIUM
Description: OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
Exit code: 3221226540
Version: 4.0.6.1
Modules
Images
c:\users\admin\desktop\druddqtzv_04fd55d2_marfww8a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7568
CMD: "C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe"
Path: C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe
Parent process: explorer.exe
User: admin
Company: Ocs Inventory Team
Integrity Level: HIGH
Description: OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
Exit code: 0
Version: 4.0.6.1
Modules
Images
c:\users\admin\desktop\druddqtzv_04fd55d2_marfww8a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7608
CMD: instocs.exe
Path: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\instocs.exe
Parent process: dRUDdqTZv_04fd55d2_marfww8a.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\nshc76a.tmp\instocs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7696
CMD: "C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsSetup.exe" /S /INSTALL /Server:192.168.1.28 /DEBUG /NP /DEPLOY:4061
Path: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsSetup.exe
Parent process: instocs.exe
User: admin
Company: OCS Inventory NG Team
Integrity Level: HIGH
Description: OCS Inventory NG Agent for Windows installed as a service
Exit code: 0
Version: 4.0.6.1
Modules
Images
c:\users\admin\appdata\local\temp\nshc76a.tmp\ocssetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7884
CMD: "C:\Program Files (x86)\OCS Inventory Agent\ocsservice" -install
Path: C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
Parent process: OcsSetup.exe
User: admin
Company: http://www.ocsinventory-ng.org
Integrity Level: HIGH
Description: Open Computers and Software Inventory Agent launcher service
Exit code: 0
Version: 4, 0, 6, 0
Modules
Images
c:\program files (x86)\ocs inventory agent\ocsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 8016
CMD: "C:\Program Files (x86)\OCS Inventory Agent\ocsservice" -start
Path: C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
Parent process: OcsSetup.exe
User: admin
Company: http://www.ocsinventory-ng.org
Integrity Level: HIGH
Description: Open Computers and Software Inventory Agent launcher service
Exit code: 0
Version: 4, 0, 6, 0
Modules
Images
c:\program files (x86)\ocs inventory agent\ocsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 8056
CMD: "C:\Program Files (x86)\OCS Inventory Agent\ocsservice.exe"
Path: C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
Parent process: services.exe
User: SYSTEM
Company: http://www.ocsinventory-ng.org
Integrity Level: SYSTEM
Description: Open Computers and Software Inventory Agent launcher service
Version: 4, 0, 6, 0
Modules
Images
c:\program files (x86)\ocs inventory agent\ocsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Total events: 4 173
Read events: 4 161
Write events: 12
Delete events: 0

Modification events

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7884) OcsService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OCS INVENTORY SERVICE
Operation: write
Name: EventMessageFile
Value: C:\Program Files (x86)\OCS Inventory Agent\ocsservice.DLL

(PID) Process: (7884) OcsService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OCS INVENTORY SERVICE
Operation: write
Name: TypesSupported
Value: 7

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: DisplayName
Value: OCS Inventory Agent 4.0.6.1

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\OCS Inventory Agent\uninst.exe

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\OCS Inventory Agent\OCSInventory.exe

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: DisplayVersion
Value: 4.0.6.1
Executable files: 27
Suspicious files: 4
Text files: 9
Unknown types: 1

Dropped files

PID | Process | Filename | Type

7568 | dRUDdqTZv_04fd55d2_marfww8a.exe | C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsSetup.exe | executable
  MD5: E80DF9439AB058DB7BFAAF673C4E6F10
  SHA256: 02BC0030A5FE05B44A6FFF9760C312F73766B6A04B3527B68F9F3A4BEDFB2DB3

7568 | dRUDdqTZv_04fd55d2_marfww8a.exe | C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\System.dll | executable
  MD5: 05E52213CFA17DEE760186462A9645ED
  SHA256: D9D3FFA4C7D7A152F435F4777E72AA1B6A6C0555F277E59EEDEBC587C3B66BA5

7568 | dRUDdqTZv_04fd55d2_marfww8a.exe | C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\instocs.exe | executable
  MD5: B3B8801243AA3CAC66CDF3C644C1CC5F
  SHA256: 25E1B44573DF661A08D187EA52CA942704550BF33C7DD46BCC53CF0C13FD8A4F

7568 | dRUDdqTZv_04fd55d2_marfww8a.exe | C:\Users\admin\Desktop\ocspackage.log | text
  MD5: 9836433E620C1052C918E3191C4C8BFE
  SHA256: B4166A8E4EFA0A5B5089816F6182D4AAA042CD180054239BB256391B62B96038

7568 | dRUDdqTZv_04fd55d2_marfww8a.exe | C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\certreq.pem | text
  MD5: 1397AB4942E85A08739F88DD64D64707
  SHA256: EF978F12D80B764EEC3DAD805520612D47A9DAE5E7BDF0AC4392A70E2E13AC7F

7696 | OcsSetup.exe | C:\Users\admin\AppData\Local\Temp\nsoCC6C.tmp\System.dll | executable
  MD5: 00A0194C20EE912257DF53BFE258EE4A
  SHA256: DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3

7696 | OcsSetup.exe | C:\Users\admin\AppData\Local\Temp\nsoCC6C.tmp\AdvSplash.dll | executable
  MD5: A1BBA35C752B36F575350CB7DDF238E4
  SHA256: 0667863D71A3021AB844069B6DD0485F874BF638AF478AB11C6FB8B7D6C834B6

7696 | OcsSetup.exe | C:\Users\admin\AppData\Local\Temp\nsoCC6C.tmp\UserInfo.dll | executable
  MD5: 1E8E11F465AFDABE97F529705786B368
  SHA256: 7D099352C82612AB27DDFD7310C1AA049B58128FB04EA6EA55816A40A6F6487B

7696 | OcsSetup.exe | C:\Users\admin\AppData\Local\Temp\nsoCC6C.tmp\splash.bmp | image
  MD5: EFEF9724C4FE018F07B898F7AD9219A2
  SHA256: 1B428455EDC82E9C03830D1FB2CB0E1E0926E696AC81B0DB1365148B01A25C75

7696 | OcsSetup.exe | C:\Users\admin\AppData\Local\Temp\nsoCC6C.tmp\SetACL.exe | executable
  MD5: 2E5A7D12C3170F61A08866600E74075B
  SHA256: F921A1F235DCC23114C359110E63739FC1EB5EED5FE7DCC8346B2B6768D05508
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 41
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7920 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 23.48.23.164:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7920 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7920 | SIHClient.exe | 23.48.23.164:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7920 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7920 | SIHClient.exe | 40.69.42.241:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7376 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6544 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.142 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.249 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
crl.microsoft.com | 23.48.23.164, 23.48.23.173, 23.48.23.176, 23.48.23.166, 23.48.23.156 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.227.14 | whitelisted
login.live.com | 20.190.159.23, 40.126.31.128, 20.190.159.128, 40.126.31.130, 20.190.159.131, 40.126.31.3, 40.126.31.1, 20.190.159.130 | whitelisted

Threats

No threats detected
No debug info