File name:

OInstallLite_x64.exe

Full analysis: https://app.any.run/tasks/644e67fa-d652-4853-899e-4d62a9419b5e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, profiling the system, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 17, 2024, 10:35:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

54ED82C9A96FAB05860D449EF6AD66C1

SHA1:

B870D4A6832B87C150D5609CAAF6060EDEEE31B0

SHA256:

4C3BB0D872AFD14CB7AD2ABABC48098F4D11D55F14C93BE4E26D249B41FCACEC

SSDEEP:

98304:Hr70fBbzKtHucp+r4laH0hWD9yfsIB+O7xEjeA6aKJqMBOQr0W9TX62Ap4oj/Hdb:kW9l7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 6444)
      • cmd.exe (PID: 6772)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 5496)
      • powershell.exe (PID: 4076)
  • SUSPICIOUS

    • Found strings related to reading or modifying Windows Defender settings

      • OInstallLite_x64.exe (PID: 6408)
    • Drops 7-zip archiver for unpacking

      • OInstallLite_x64.exe (PID: 6408)
    • Executable content was dropped or overwritten

      • OInstallLite_x64.exe (PID: 6408)
      • files.dat (PID: 6628)
      • expand.exe (PID: 6956)
    • The executable file from the user directory is run by the CMD process

      • files.dat (PID: 6628)
    • Starts CMD.EXE for commands execution

      • OInstallLite_x64.exe (PID: 6408)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6564)
    • Uses REG/REGEDIT.EXE to modify registry

      • OInstallLite_x64.exe (PID: 6408)
    • Probably download files using WebClient

      • OInstallLite_x64.exe (PID: 6408)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6928)
    • Starts POWERSHELL.EXE for commands execution

      • OInstallLite_x64.exe (PID: 6408)
    • The process bypasses the loading of PowerShell profile settings

      • OInstallLite_x64.exe (PID: 6408)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 6824)
    • Uses TASKKILL.EXE to kill process

      • OInstallLite_x64.exe (PID: 6408)
    • Unpacks CAB file

      • expand.exe (PID: 6956)
      • expand.exe (PID: 4640)
    • Process drops legitimate windows executable

      • expand.exe (PID: 6956)
      • files.dat (PID: 6628)
    • The process drops C-runtime libraries

      • files.dat (PID: 6628)
      • expand.exe (PID: 6956)
    • Reads security settings of Internet Explorer

      • OInstallLite_x64.exe (PID: 6408)
      • OfficeC2RClient.exe (PID: 5904)
    • Reads the date of Windows installation

      • OInstallLite_x64.exe (PID: 6408)
  • INFO

    • Checks supported languages

      • OInstallLite_x64.exe (PID: 6408)
      • files.dat (PID: 6628)
      • expand.exe (PID: 6956)
      • OfficeClickToRun.exe (PID: 6776)
      • OfficeClickToRun.exe (PID: 6656)
    • Reads Environment values

      • OInstallLite_x64.exe (PID: 6408)
    • Reads Microsoft Office registry keys

      • OInstallLite_x64.exe (PID: 6408)
      • OfficeClickToRun.exe (PID: 6656)
      • OfficeClickToRun.exe (PID: 6776)
      • OfficeC2RClient.exe (PID: 5904)
    • The sample compiled with english language support

      • OInstallLite_x64.exe (PID: 6408)
      • files.dat (PID: 6628)
      • expand.exe (PID: 6956)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 6556)
      • WMIC.exe (PID: 6832)
    • Create files in a temporary directory

      • files.dat (PID: 6628)
      • OInstallLite_x64.exe (PID: 6408)
      • OfficeC2RClient.exe (PID: 5904)
    • Disables trace logs

      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 5496)
      • powershell.exe (PID: 4076)
    • Checks proxy server information

      • powershell.exe (PID: 5496)
      • powershell.exe (PID: 6928)
      • powershell.exe (PID: 4076)
      • OfficeClickToRun.exe (PID: 6776)
      • OfficeClickToRun.exe (PID: 6656)
      • OfficeC2RClient.exe (PID: 5904)
    • Reads the machine GUID from the registry

      • expand.exe (PID: 6956)
      • OfficeClickToRun.exe (PID: 6776)
    • The sample compiled with bulgarian language support

      • expand.exe (PID: 6956)
    • The sample compiled with czech language support

      • expand.exe (PID: 6956)
    • The sample compiled with arabic language support

      • expand.exe (PID: 6956)
    • The sample compiled with german language support

      • expand.exe (PID: 6956)
    • The sample compiled with spanish language support

      • expand.exe (PID: 6956)
    • The sample compiled with french language support

      • expand.exe (PID: 6956)
    • Creates files in the program directory

      • expand.exe (PID: 6956)
      • expand.exe (PID: 4640)
      • OfficeClickToRun.exe (PID: 6776)
    • The sample compiled with Indonesian language support

      • expand.exe (PID: 6956)
    • The sample compiled with Italian language support

      • expand.exe (PID: 6956)
    • The sample compiled with polish language support

      • expand.exe (PID: 6956)
    • The sample compiled with russian language support

      • expand.exe (PID: 6956)
    • The sample compiled with japanese language support

      • expand.exe (PID: 6956)
    • The sample compiled with slovak language support

      • expand.exe (PID: 6956)
    • Reads the computer name

      • OInstallLite_x64.exe (PID: 6408)
    • The sample compiled with chinese language support

      • expand.exe (PID: 6956)
    • The sample compiled with turkish language support

      • expand.exe (PID: 6956)
    • The process uses the downloaded file

      • OInstallLite_x64.exe (PID: 6408)
    • Process checks computer location settings

      • OInstallLite_x64.exe (PID: 6408)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 6776)
    • Creates files or folders in the user directory

      • OfficeClickToRun.exe (PID: 6656)
      • OfficeC2RClient.exe (PID: 5904)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 5904)
    • Reads the software policy settings

      • OfficeClickToRun.exe (PID: 6776)
    • The sample compiled with portuguese language support

      • expand.exe (PID: 6956)
    • The sample compiled with korean language support

      • expand.exe (PID: 6956)
    • The sample compiled with swedish language support

      • expand.exe (PID: 6956)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.3)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:04:13 05:34:24+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 2.5
CodeSize: 1411584
InitializedDataSize: 10929152
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 7.7.7.7
ProductVersionNumber: 7.7.7.7
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Office 2013-2024 C2R Install Lite
FileDescription: Office 2013-2024 C2R Install Lite
All screenshots are available in the full report
Total processes
178
Monitored processes
49
Malicious processes
2
Suspicious processes
5

Behavior graph

Processes in launch order ("no specs" as marked in the graph): oinstalllite_x64.exe, cmd.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), files.dat, cmd.exe (no specs), conhost.exe (no specs), wmic.exe (no specs), powershell.exe, conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), reg.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), regedit.exe (no specs), reg.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), sc.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), expand.exe, conhost.exe (no specs), powershell.exe, conhost.exe (no specs), expand.exe (no specs), conhost.exe (no specs), officeclicktorun.exe, officeclicktorun.exe, Delivery Optimization User (no specs), officec2rclient.exe, oinstalllite_x64.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1476
CMD: sc.exe stop ClickToRunSvc
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1944
CMD: "taskkill.exe" /t /f /IM IntegratedOffice.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: OInstallLite_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2260
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3224
CMD: "C:\WINDOWS\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServiceName /t REG_SZ /d kms.loli.best /f
Path: C:\Windows\System32\reg.exe
Parent process: OInstallLite_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3436
CMD: "C:\WINDOWS\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServicePort /t REG_SZ /d 1688 /f
Path: C:\Windows\System32\reg.exe
Parent process: OInstallLite_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3440
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 3988
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4076
CMD: "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/i641033.cab', 'C:\Users\admin\AppData\Local\Temp\over644176\i641033.cab') }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: OInstallLite_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
PID: 4468
CMD: "C:\WINDOWS\System32\cmd.exe" /D /c regedit.exe -s C:\Users\admin\AppData\Local\Temp\newui.reg
Path: C:\Windows\System32\cmd.exe
Parent process: OInstallLite_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 4548
CMD: "C:\WINDOWS\System32\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServicePort /t REG_SZ /d 1688 /f
Path: C:\Windows\System32\reg.exe
Parent process: OInstallLite_x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
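The command lines in the process table above are the raw material for detection rules: reg.exe rewriting the KMS host and port under SoftwareProtectionPlatform, PowerShell's WebClient.DownloadFile cradle, sc.exe stopping ClickToRunSvc, taskkill against IntegratedOffice.exe, and a silent regedit.exe -s import. The Python below is an added example, not ANY.RUN's code and not anything shipped with the installer: it runs rule-based triage over process-creation records constructed from this report's process table. The WMIC Defender-exclusion command line is an assumed reconstruction (the report names only the signature, not the arguments), and the ".corp.example" KMS allowlist is hypothetical. The same rules apply unchanged to Sysmon Event ID 1 or EDR process-creation telemetry.

```python
"""Rule-based triage of process-creation records (added example, not ANY.RUN code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # executable basename, as Sysmon Event ID 1 or an EDR reports it
    cmdline: str
    parent: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Hypothetical allowlist of KMS hosts the organisation runs itself; any other
# KeyManagementServiceName written under SoftwareProtectionPlatform is a redirect.
TRUSTED_KMS_SUFFIXES = (".corp.example",)

_RE_REG_ADD = re.compile(
    r'reg(?:\.exe)?"?\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+(?P<name>\S+)\s+/t\s+\S+\s+/d\s+"?(?P<data>[^"\s]+)',
    re.IGNORECASE)
_RE_PS_FETCH = re.compile(
    r"(?:DownloadFile|DownloadString|Invoke-WebRequest|iwr|Start-BitsTransfer)\s*\(?\s*['\"]?"
    r"(?P<url>https?://[^'\"\s)]+)", re.IGNORECASE)
_RE_MP_EXCLUSION = re.compile(
    r"MSFT_MpPreference.*?\bAdd\b.*?Exclusion(?:Path|Extension|Process)|Add-MpPreference.*?-Exclusion",
    re.IGNORECASE | re.DOTALL)
_RE_SC = re.compile(r"\bsc(?:\.exe)?\b.*?\b(?P<verb>stop|delete|config)\s+(?P<svc>\S+)", re.IGNORECASE)
_RE_TASKKILL = re.compile(r"taskkill(?:\.exe)?.*?/IM\s+(?P<img>\S+)", re.IGNORECASE)
_RE_REGEDIT = re.compile(r"regedit(?:\.exe)?\s+(?:/s|-s)\s+(?P<file>\S+)", re.IGNORECASE)


def triage(events):
    """Return one Finding per matched rule, in event order."""
    findings = []
    for ev in events:
        img, cmd = ev.image.lower(), ev.cmdline
        # Defense evasion: exclusion added through the Defender WMI class or cmdlet.
        if img in ("wmic.exe", "powershell.exe", "pwsh.exe") and _RE_MP_EXCLUSION.search(cmd):
            findings.append(Finding(ev.pid, "defender_exclusion_added", cmd))
        # Activation redirect: KMS host or port rewritten under SoftwareProtectionPlatform.
        if img == "reg.exe" and (m := _RE_REG_ADD.search(cmd)) and "softwareprotectionplatform" in m["key"].lower():
            name, data = m["name"], m["data"]
            if name.lower() == "keymanagementservicename" and not data.lower().endswith(TRUSTED_KMS_SUFFIXES):
                findings.append(Finding(ev.pid, "kms_redirect", f"{name}={data}"))
            elif name.lower() == "keymanagementserviceport":
                findings.append(Finding(ev.pid, "kms_port_set", f"{name}={data}"))
        # Download cradle: record the origin and whether the transport was plaintext HTTP.
        if img in ("powershell.exe", "pwsh.exe") and (m := _RE_PS_FETCH.search(cmd)):
            u = urlparse(m["url"])
            rule = "ps_download_plaintext_http" if u.scheme == "http" else "ps_download"
            findings.append(Finding(ev.pid, rule, f"{u.hostname}{u.path}"))
        if img == "sc.exe" and (m := _RE_SC.search(cmd)):
            findings.append(Finding(ev.pid, f"service_{m['verb'].lower()}", m["svc"]))
        if img == "taskkill.exe" and (m := _RE_TASKKILL.search(cmd)):
            findings.append(Finding(ev.pid, "process_killed", m["img"]))
        if img in ("cmd.exe", "regedit.exe") and (m := _RE_REGEDIT.search(cmd)):
            findings.append(Finding(ev.pid, "silent_reg_import", m["file"]))
    return findings


def rules_by_pid(findings):
    """Group rule names per PID so a process tree can be annotated."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.pid, []).append(f.rule)
    return grouped


# Constructed from this report's process table. The WMIC line is an assumed
# reconstruction of the "adds Defender exclusion" signature, not a logged command.
SAMPLE_EVENTS = [
    ProcEvent(3224, "reg.exe", r'"C:\WINDOWS\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServiceName /t REG_SZ /d kms.loli.best /f', "OInstallLite_x64.exe"),
    ProcEvent(3436, "reg.exe", r'"C:\WINDOWS\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServicePort /t REG_SZ /d 1688 /f', "OInstallLite_x64.exe"),
    ProcEvent(4076, "powershell.exe", r'''"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/i641033.cab', 'C:\Users\admin\AppData\Local\Temp\over644176\i641033.cab') }"''', "OInstallLite_x64.exe"),
    ProcEvent(1476, "sc.exe", "sc.exe stop ClickToRunSvc", "cmd.exe"),
    ProcEvent(1944, "taskkill.exe", r'"taskkill.exe" /t /f /IM IntegratedOffice.exe', "OInstallLite_x64.exe"),
    ProcEvent(4468, "cmd.exe", r'"C:\WINDOWS\System32\cmd.exe" /D /c regedit.exe -s C:\Users\admin\AppData\Local\Temp\newui.reg', "OInstallLite_x64.exe"),
    ProcEvent(6556, "WMIC.exe", r'wmic /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath="C:\Users\admin\AppData\Local\Temp\files"', "cmd.exe"),
    ProcEvent(2260, "conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "taskkill.exe"),
]

if __name__ == "__main__":
    for pid, rules in rules_by_pid(triage(SAMPLE_EVENTS)).items():
        print(pid, rules)
```

Two points the rules make explicit. The KMS writes point activation at kms.loli.best, a host outside the organisation, which is the artefact a hunt should key on regardless of how the installer is labelled. The CAB downloads come from officecdn.microsoft.com, but over plain HTTP, so the transport gives no integrity guarantee; whatever trust is placed in those files has to come from verifying the signatures on their contents, not from the origin host.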
Total events
67 637
Read events
67 325
Write events
203
Delete events
109

Modification events

(PID) Process: (6472) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation: write
Name: Enabled
Value: 1

(PID) Process: (6408) OInstallLite_x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation: write
Name: Speaker Configuration
Value: 4

(PID) Process: (5592) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation: write
Name: KeyManagementServiceName
Value: kms.loli.best

(PID) Process: (6512) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate
Operation: write
Name: UpdateBranch
Value: PerpetualVL2021

(PID) Process: (4548) reg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
Operation: write
Name: KeyManagementServicePort
Value: 1688

(PID) Process: (6536) regedit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\word
Operation: write
Name: Microsoft.Office.UXPlatform.FluentSVRefresh
Value: true

(PID) Process: (6536) regedit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\word
Operation: write
Name: Microsoft.Office.UXPlatform.RibbonTouchOptimization
Value: true

(PID) Process: (6536) regedit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\word
Operation: write
Name: Microsoft.Office.UXPlatform.FluentSVRibbonOptionsMenu
Value: true

(PID) Process: (6536) regedit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\excel
Operation: write
Name: Microsoft.Office.UXPlatform.FluentSVRefresh
Value: true

(PID) Process: (6536) regedit.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\excel
Operation: write
Name: Microsoft.Office.UXPlatform.RibbonTouchOptimization
Value: true
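The modification events show two write paths into the registry: reg.exe add for the KMS, Office update-branch and Windows Script Host values, and a silent regedit.exe -s import of newui.reg for the Office ExperimentConfigs overrides. The content of newui.reg itself is not in the report, so the Python below is an added example, not the installer's file and not ANY.RUN's code: a parser for the REGEDIT5 .reg format that recovers every key and value operation from such a file before it is imported, plus a check that flags the keys a practitioner cares about. SAMPLE_REG is constructed; its Office, SoftwareProtectionPlatform and Windows Script Host entries mirror the events above, while the Defender exclusion, the hex value with a continuation line and the key deletion are assumed extras that are there only to exercise the parser.

```python
"""REGEDIT5 (.reg) parser with a sensitive-key check (added example; not the installer's file or ANY.RUN code)."""
import re

_HEADER = "Windows Registry Editor Version 5.00"
_RE_KEY = re.compile(r"^\[(?P<delete>-)?(?P<key>[^\]]+)\]$")
_RE_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
_RE_HEX = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")
_HEX_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# Constructed sample. The Office, SoftwareProtectionPlatform and Windows Script Host
# entries mirror this report's modification events; the Defender exclusion, the hex
# value and the key deletion are assumed extras that exercise the parser.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\word]
"Microsoft.Office.UXPlatform.FluentSVRefresh"="true"
"Microsoft.Office.UXPlatform.RibbonTouchOptimization"="true"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform]
"KeyManagementServiceName"="kms.loli.best"
"KeyManagementServicePort"="1688"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000001
; assumed: a policy-based Defender exclusion; the value name is the excluded path
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\admin\\AppData\\Local\\Temp\\files"=dword:00000000
; assumed: a binary value split over a continuation line, then a key deletion
[HKEY_CURRENT_USER\SOFTWARE\Example\Licensing]
"Blob"=hex:01,02,\
  03,04
[-HKEY_CURRENT_USER\SOFTWARE\Example\OldLicensing]
'''

SENSITIVE_KEYS = (
    ("\\softwareprotectionplatform", "kms_redirect"),
    ("\\windows defender\\exclusions", "defender_exclusion"),
    ("\\windows script host\\settings", "wsh_policy_changed"),
    ("\\currentversion\\run", "autorun_persistence"),
)


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_data(data):
    """Return (type, value) for the right-hand side of a value line."""
    if data == "-":
        return "delete_value", None
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    if m := _RE_HEX.match(data):
        kind = int(m["type"], 16) if m["type"] else 3      # bare hex: is REG_BINARY
        raw = bytes(int(b, 16) for b in m["bytes"].split(",") if b.strip())
        return _HEX_TYPES.get(kind, f"REG_TYPE_{kind}"), raw
    raise ValueError(f"unsupported data: {data!r}")


def parse_reg(text):
    """Return [(key, name, type, value)] in file order; name is None for key deletions."""
    # Real exports are UTF-16LE with a BOM: open them with encoding="utf-16".
    lines = text.splitlines()
    if not lines or lines[0].strip() != _HEADER:
        raise ValueError("not a REGEDIT5 export")
    logical, pending = [], ""        # join hex lines continued with a trailing backslash
    for raw in lines[1:]:
        stripped = raw.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        logical.append(pending + stripped)
        pending = ""
    ops, current = [], None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if m := _RE_KEY.match(line):
            current = m["key"]
            if m["delete"]:
                ops.append((current, None, "delete_key", None))
            continue
        m = _RE_VALUE.match(line)
        if not m or current is None:
            raise ValueError(f"unparsable line: {line!r}")
        name = "" if m["default"] else _unescape(m["name"])
        ops.append((current, name) + _parse_data(m["data"]))
    return ops


def flag_sensitive(ops):
    """Label operations on keys that change activation, AV coverage, script policy or autoruns."""
    hits = []
    for key, name, kind, value in ops:
        labels = [label for needle, label in SENSITIVE_KEYS if needle in key.lower()]
        if kind == "delete_key":
            labels.append("key_deleted")
        hits.extend((label, key, name, kind, value) for label in labels)
    return hits
```

Run flag_sensitive(parse_reg(text)) over a .reg file before it reaches regedit.exe -s: the silent switch suppresses the confirmation prompt, so the file is the only place the imported changes can be reviewed ahead of time. Note that the page's REG_SZ 1688 port value is kept as a string by the parser, exactly as reg.exe wrote it.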
Executable files
225
Suspicious files
80
Text files
77
Unknown types
3

Dropped files

PID
Process
Filename
Type
PID: 5496 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\over644176\i640.cab | Type: -
MD5: -
SHA256: -
PID: 6628 | Process: files.dat | Filename: C:\Users\admin\AppData\Local\Temp\files\x86\cleanospp.exe | Type: executable
MD5: 98821A7A5737D656633D10A3AFB724BD
SHA256: 04BA4487F95290E0B0557B44300C18F637FBAF0872EE96E3111013B8A1539F25
PID: 6628 | Process: files.dat | Filename: C:\Users\admin\AppData\Local\Temp\files\x64\msvcr100.dll | Type: executable
MD5: DF3CA8D16BDED6A54977B30E66864D33
SHA256: 1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
PID: 6408 | Process: OInstallLite_x64.exe | Filename: C:\Users\admin\AppData\Local\Temp\files\files.dat | Type: executable
MD5: BB5569B15D68C10B7FF2D96B45825120
SHA256: 4E3B13B56BEC0E41778E6506430282BBBD75CCAA600FD4B645CE37DD95B44C8E
PID: 6628 | Process: files.dat | Filename: C:\Users\admin\AppData\Local\Temp\files\x86\msvcr100.dll | Type: executable
MD5: BF38660A9125935658CFA3E53FDC7D65
SHA256: 60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
PID: 6928 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\ver.txt | Type: text
MD5: 44325E13F8ED9219FA0D857782363DBC
SHA256: 6F5DB1A0ED194320A6CF7B8B5D7B8E9CD9BB512A8A16A73CC13243A9C54A837C
PID: 6928 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rvu2y24w.ohb.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6628 | Process: files.dat | Filename: C:\Users\admin\AppData\Local\Temp\files\Uninstall.xml | Type: text
MD5: 364F86F97324EA82FE0D142CD01CF6DD
SHA256: 09D5B42140BAB13165BA97FBD0E77792304C3C93555BE02C3DCE21A7A69C66DD
PID: 6628 | Process: files.dat | Filename: C:\Users\admin\AppData\Local\Temp\files\x64\cleanospp.exe | Type: executable
MD5: D3467CB7B83B654C2D05407DC7BA2360
SHA256: EDF85F4E2EF1A427B34265A22F261D664EC78DE90C3B5DA4174EF28558C8522A
PID: 6928 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ithb4g2y.pn4.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests
2 034
TCP/UDP connections
148
DNS requests
79
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | powershell.exe | GET | 200 | 23.48.23.64:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/i640.cab | unknown | - | - | whitelisted
5992 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
3612 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
5992 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
3612 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | - | - | whitelisted
4076 | powershell.exe | GET | 200 | 23.48.23.7:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/i641033.cab | unknown | - | - | whitelisted
3116 | svchost.exe | GET | 200 | 23.48.23.7:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/s640.cab.phf | unknown | - | - | whitelisted
- | - | GET | 206 | 23.48.23.64:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/s640.cab | unknown | - | - | whitelisted
- | - | GET | 206 | 23.48.23.7:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/s640.cab | unknown | - | - | whitelisted
- | - | GET | 206 | 23.48.23.7:80 | http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20828/s640.cab | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3700 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 92.123.104.64:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1176 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.166
  • 23.48.23.143
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 184.30.21.171
whitelisted
www.bing.com
  • 92.123.104.64
  • 92.123.104.67
  • 92.123.104.66
  • 92.123.104.65
  • 92.123.104.11
  • 92.123.104.14
  • 92.123.104.63
  • 92.123.104.10
  • 92.123.104.5
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.22
  • 40.126.32.133
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.14
  • 20.190.160.20
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
self.events.data.microsoft.com
  • 51.116.246.104
  • 20.189.173.25
whitelisted

Threats

No threats detected
No debug info