File name:

dRUDdqTZv_04fd55d2_marfww8a.exe

Full analysis: https://app.any.run/tasks/56f9fb6c-2b19-4651-932c-d4a6ba2e343d
Verdict: Malicious activity
Analysis date: May 16, 2025, 23:39:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

04FD55D2766264B79762D6C6737A03F0

SHA1:

32FBB5D39B182D9B45D96548026235D1A45BD881

SHA256:

46DFA4653BC1972B9E01E9A9E94151FBBECA3DA6C347567335CC476FAA52B3C1

SSDEEP:

49152:cdjywgx1P9p9wSt0e+BrAPlAnew+5b4Uq6DjMfYB+zJAPejjk5a+jKfrg2FMT2oB:cEPX1p9wSt0BBrAPlAew+5cUBf9+1S8E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • Executable content was dropped or overwritten

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
    • The process creates files with name similar to system file names

      • instocs.exe (PID: 7608)
      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • OcsSetup.exe (PID: 7696)
    • Reads security settings of Internet Explorer

      • instocs.exe (PID: 7608)
    • There is functionality for taking screenshot (YARA)

      • instocs.exe (PID: 7608)
      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • OcsSetup.exe (PID: 7696)
    • Executes as Windows Service

      • OcsService.exe (PID: 8056)
    • Creates a software uninstall entry

      • OcsSetup.exe (PID: 7696)
    • Process drops legitimate windows executable

      • OcsSetup.exe (PID: 7696)
  • INFO

    • Checks supported languages

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
      • OcsService.exe (PID: 7884)
      • OcsService.exe (PID: 8016)
      • OcsService.exe (PID: 8056)
    • The sample was compiled with English language support

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • OcsSetup.exe (PID: 7696)
    • Reads the computer name

      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • instocs.exe (PID: 7608)
      • OcsSetup.exe (PID: 7696)
      • OcsService.exe (PID: 7884)
      • OcsService.exe (PID: 8056)
      • OcsService.exe (PID: 8016)
    • Creates files in the program directory

      • instocs.exe (PID: 7608)
      • OcsService.exe (PID: 8056)
      • OcsSetup.exe (PID: 7696)
    • Creates files in a temporary directory

      • instocs.exe (PID: 7608)
      • dRUDdqTZv_04fd55d2_marfww8a.exe (PID: 7568)
      • OcsSetup.exe (PID: 7696)
    • Reads the machine GUID from the registry

      • OcsService.exe (PID: 8056)
    • Checks proxy server information

      • slui.exe (PID: 2516)
    • Reads the software policy settings

      • slui.exe (PID: 2516)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:11:27 17:36:12+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 166400
UninitializedDataSize: 1024
EntryPoint: 0x3161
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.6.1
ProductVersionNumber: 4.0.6.1
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
CompanyName: Ocs Inventory Team
FileDescription: OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
FileVersion: 4.0.6.1
LegalCopyright: Ocs Inventory Team
LegalTrademarks: OcsPackager is an addon for Ocs Inventory NG.
ProductName: Package made by OcsPackager
No data.
All screenshots are available in the full report
Total processes
132
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Graph nodes: start, druddqtzv_04fd55d2_marfww8a.exe, instocs.exe, ocssetup.exe, ocsservice.exe (no specs), ocsservice.exe (no specs), ocsservice.exe (no specs), slui.exe, druddqtzv_04fd55d2_marfww8a.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2516
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7464
CMD: "C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe"
Path: C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe
Parent process: explorer.exe
User:
admin
Company:
Ocs Inventory Team
Integrity Level:
MEDIUM
Description:
OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
Exit code:
3221226540
Version:
4.0.6.1
Modules
Images
c:\users\admin\desktop\druddqtzv_04fd55d2_marfww8a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 7568
CMD: "C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe"
Path: C:\Users\admin\Desktop\dRUDdqTZv_04fd55d2_marfww8a.exe
Parent process: explorer.exe
User:
admin
Company:
Ocs Inventory Team
Integrity Level:
HIGH
Description:
OcsAgentSetup.exe v4.0.6.1 for OCS Inventory NG
Exit code:
0
Version:
4.0.6.1
Modules
Images
c:\users\admin\desktop\druddqtzv_04fd55d2_marfww8a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7608
CMD: instocs.exe
Path: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\instocs.exe
Parent process: dRUDdqTZv_04fd55d2_marfww8a.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nshc76a.tmp\instocs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7696
CMD: "C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsSetup.exe" /S /INSTALL /Server:192.168.1.28 /DEBUG /NP /DEPLOY:4061
Path: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsSetup.exe
Parent process: instocs.exe
User:
admin
Company:
OCS Inventory NG Team
Integrity Level:
HIGH
Description:
OCS Inventory NG Agent for Windows installed as a service
Exit code:
0
Version:
4.0.6.1
Modules
Images
c:\users\admin\appdata\local\temp\nshc76a.tmp\ocssetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 7884
CMD: "C:\Program Files (x86)\OCS Inventory Agent\ocsservice" -install
Path: C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
Parent process: OcsSetup.exe
User:
admin
Company:
http://www.ocsinventory-ng.org
Integrity Level:
HIGH
Description:
Open Computers and Software Inventory Agent launcher service
Exit code:
0
Version:
4, 0, 6, 0
Modules
Images
c:\program files (x86)\ocs inventory agent\ocsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 8016
CMD: "C:\Program Files (x86)\OCS Inventory Agent\ocsservice" -start
Path: C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
Parent process: OcsSetup.exe
User:
admin
Company:
http://www.ocsinventory-ng.org
Integrity Level:
HIGH
Description:
Open Computers and Software Inventory Agent launcher service
Exit code:
0
Version:
4, 0, 6, 0
Modules
Images
c:\program files (x86)\ocs inventory agent\ocsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
PID: 8056
CMD: "C:\Program Files (x86)\OCS Inventory Agent\ocsservice.exe"
Path: C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
Parent process: services.exe
User:
SYSTEM
Company:
http://www.ocsinventory-ng.org
Integrity Level:
SYSTEM
Description:
Open Computers and Software Inventory Agent launcher service
Version:
4, 0, 6, 0
Modules
Images
c:\program files (x86)\ocs inventory agent\ocsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Total events
4 173
Read events
4 161
Write events
12
Delete events
0

Modification events

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7608) instocs.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Volatile\00\MACHINE\SOFTWARE\Classes\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Operation: write
Name: Version
Value: 1.1

(PID) Process: (7884) OcsService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OCS INVENTORY SERVICE
Operation: write
Name: EventMessageFile
Value: C:\Program Files (x86)\OCS Inventory Agent\ocsservice.DLL

(PID) Process: (7884) OcsService.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\OCS INVENTORY SERVICE
Operation: write
Name: TypesSupported
Value: 7

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: DisplayName
Value: OCS Inventory Agent 4.0.6.1

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: UninstallString
Value: C:\Program Files (x86)\OCS Inventory Agent\uninst.exe

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\OCS Inventory Agent\OCSInventory.exe

(PID) Process: (7696) OcsSetup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OCS Inventory Agent
Operation: write
Name: DisplayVersion
Value: 4.0.6.1
Executable files
27
Suspicious files
4
Text files
9
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\Desktop\ocspackage.log
Type: text
MD5: 9836433E620C1052C918E3191C4C8BFE
SHA256: B4166A8E4EFA0A5B5089816F6182D4AAA042CD180054239BB256391B62B96038

PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\certreq.pem
Type: text
MD5: 1397AB4942E85A08739F88DD64D64707
SHA256: EF978F12D80B764EEC3DAD805520612D47A9DAE5E7BDF0AC4392A70E2E13AC7F

PID: 7608
Process: instocs.exe
Filename: C:\Program Files (x86)\OCS Inventory Agent\certreq.pem
Type: text
MD5: 1397AB4942E85A08739F88DD64D64707
SHA256: EF978F12D80B764EEC3DAD805520612D47A9DAE5E7BDF0AC4392A70E2E13AC7F

PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsSetup.exe
Type: executable
MD5: E80DF9439AB058DB7BFAAF673C4E6F10
SHA256: 02BC0030A5FE05B44A6FFF9760C312F73766B6A04B3527B68F9F3A4BEDFB2DB3

PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\RemCom.exe
Type: executable
MD5: CEC4BB3B2F4D2CA2F3468103EFB5967D
SHA256: B60445B7128B1D5C86F85B364C21F84CEE7A77A3CD9856808D9561581666E1D8

PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\System.dll
Type: executable
MD5: 05E52213CFA17DEE760186462A9645ED
SHA256: D9D3FFA4C7D7A152F435F4777E72AA1B6A6C0555F277E59EEDEBC587C3B66BA5

PID: 7696
Process: OcsSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\OcsAgentSetup.log
Type: text
MD5: 85CB0A7C85F412D906A259BF9492EE74
SHA256: 432203B41A8E419BCD746E5922A2EB43C3502C6799302F117D59DC58D1E662FC

PID: 7696
Process: OcsSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsoCC6C.tmp\System.dll
Type: executable
MD5: 00A0194C20EE912257DF53BFE258EE4A
SHA256: DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3

PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\ocsdat.ini
Type: text
MD5: 81C448B67507B835E0474E7F14805F9B
SHA256: CD58EAE51FB6289B9F6539B5B6F9DC4A7E4FC0BB0BAF6CB5E1FB12E4DD66FCB4

PID: 7568
Process: dRUDdqTZv_04fd55d2_marfww8a.exe
Filename: C:\Users\admin\AppData\Local\Temp\nshC76A.tmp\UserInfo.dll
Type: executable
MD5: B27F488ADB12BEF2CCF9B9B900EC090C
SHA256: 62F30CA60CFC2E2A64C159F28B5CAF59C6AF96FAC64C59ED8D8512D7083E9439
HTTP(S) requests
8
TCP/UDP connections
41
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7920
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7920
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7920
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7920
SIHClient.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7920
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7920
SIHClient.exe
40.69.42.241:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7376
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6544
svchost.exe
20.190.159.23:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.173
  • 23.48.23.176
  • 23.48.23.166
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
login.live.com
  • 20.190.159.23
  • 40.126.31.128
  • 20.190.159.128
  • 40.126.31.130
  • 20.190.159.131
  • 40.126.31.3
  • 40.126.31.1
  • 20.190.159.130
whitelisted

Threats

No threats detected
No debug info