File name: OculusSetup.exe

Full analysis: https://app.any.run/tasks/0a5aa48f-1719-4c65-8cfa-b7380e574c72
Verdict: Malicious activity
Analysis date: October 30, 2023, 14:55:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 0D7114F88D79212E0721313EF8F12D2F
SHA1: F9360641DB1E40C61EACD091AECA88C211419AF1
SHA256: 641D4E0072A2A8C428EE462F47F1108FE21C252D58BD9F25B0F32E451878ED15
SSDEEP: 49152:v1Jqf+Y5IbozeXfM6CvifgaAwS0ct1CPwDv3uF/XjxBZdKdaRH7wW732:wEozevblfgaAQo1CPwDv3uF/XmgRj2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • OculusSetup.exe (PID: 3928)
      • OculusSetup.exe (PID: 1992)
    • Application was dropped or rewritten from another process

      • OculusSetup.exe (PID: 1992)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • OculusSetup.exe (PID: 1992)
    • Reads the Internet Settings

      • OculusSetup.exe (PID: 1992)
    • Reads settings of System Certificates

      • OculusSetup.exe (PID: 1992)
  • INFO

    • Checks supported languages

      • OculusSetup.exe (PID: 3928)
      • OculusSetup.exe (PID: 1992)
    • Create files in a temporary directory

      • OculusSetup.exe (PID: 3928)
      • OculusSetup.exe (PID: 1992)
    • Reads the computer name

      • OculusSetup.exe (PID: 3928)
      • OculusSetup.exe (PID: 1992)
    • Creates files or folders in the user directory

      • OculusSetup.exe (PID: 1992)
    • Reads Environment values

      • OculusSetup.exe (PID: 1992)
    • Reads the machine GUID from the registry

      • OculusSetup.exe (PID: 1992)
    • Reads CPU info

      • OculusSetup.exe (PID: 1992)
    • Reads product name

      • OculusSetup.exe (PID: 1992)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:05:15 03:24:50+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 57344
InitializedDataSize: 5009408
UninitializedDataSize: -
EntryPoint: 0x2a6c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.86.0.0
ProductVersionNumber: 1.86.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Facebook Technologies, LLC
FileDescription: Oculus Setup
FileVersion: 1.86.0.0
InternalName: OculusSetup.exe
LegalCopyright: Copyright © Facebook Technologies, LLC
OriginalFileName: OculusSetup.exe
ProductName: Oculus Setup
ProductVersion: 1.86.0.0
No data.
Total processes: 45
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Process graph image; node labels: oculussetup.exe (drop and start), oculussetup.exe (start), wisptis.exe (no specs), wisptis.exe (no specs), oculussetup.exe (no specs). Details are in the full report.]

Process information

PID: 1992
CMD: C:\Users\admin\AppData\Local\Temp\\OculusSetup-89e5138e-a992-4420-864c-898d1b385f2f\OculusSetup.exe --setupPath "C:\Users\admin\AppData\Local\Temp\OculusSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OculusSetup-89e5138e-a992-4420-864c-898d1b385f2f\OculusSetup.exe
Parent process: OculusSetup.exe
User: admin
Company: Facebook Technologies, LLC
Integrity Level: HIGH
Description: Oculus Setup
Exit code: 1
Version: 1.86.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\oculussetup-89e5138e-a992-4420-864c-898d1b385f2f\oculussetup.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll

PID: 2464
CMD: "C:\Users\admin\AppData\Local\Temp\OculusSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OculusSetup.exe
Parent process: explorer.exe
User: admin
Company: Facebook Technologies, LLC
Integrity Level: MEDIUM
Description: Oculus Setup
Exit code: 3221226540
Version: 1.86.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\oculussetup.exe
c:\windows\system32\ntdll.dll

PID: 2692
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\System32\wisptis.exe
Parent process: OculusSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll

PID: 3712
CMD: "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch;
Path: C:\Windows\System32\wisptis.exe
Parent process: OculusSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Pen and Touch Input Component
Exit code: 24
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\wisptis.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll

PID: 3928
CMD: "C:\Users\admin\AppData\Local\Temp\OculusSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OculusSetup.exe
Parent process: explorer.exe
User: admin
Company: Facebook Technologies, LLC
Integrity Level: HIGH
Description: Oculus Setup
Exit code: 1
Version: 1.86.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\oculussetup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 3 842
Read events: 3 820
Write events: 22
Delete events: 0

Modification events

(PID) Process: (1992) OculusSetup.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1992) OculusSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Explorer.EXE

(PID) Process: (1992) OculusSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (1992) OculusSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (1992) OculusSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (1992) OculusSetup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3712) wisptis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: OculusSetup.exe
Executable files: 4
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3928 | OculusSetup.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-89e5138e-a992-4420-864c-898d1b385f2f\OculusSetup.exe | executable
MD5: 5D8AF1252F8F543725EBE0177CD70FE4
SHA256: F9A6C7909D6F2066834B31A384EFD46FA3CF8B35573BADBB2677D1A1643F1E57

1992 | OculusSetup.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-400cd590-db84-4fe8-867f-194b78f39e04\libcrypto.dll | executable
MD5: 5E346D3611A909C930C81A1B852C7D17
SHA256: AD2698AA52E4ECFDE9FAAE4793E871E9DB4C4D5C927B0AC44FF2067A2EA491E1

1992 | OculusSetup.exe | C:\Users\admin\AppData\Local\Oculus\OculusSetup.log | text
MD5: DBFF839F7515648AAF44409A2BCA4C88
SHA256: 7B87C6CA0DE644B717B37AC89E31F7257FD1F53339A38FAB7DE3E4536B36D81D

1992 | OculusSetup.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-400cd590-db84-4fe8-867f-194b78f39e04\DaybreakNative.dll | executable
MD5: 1887CCD296F84B9D040AD48670B928C6
SHA256: 9E4447FD751B8E6052A5B822FD981A657DD27FC6EB5A672C0C67E78CD9A55564

1992 | OculusSetup.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-400cd590-db84-4fe8-867f-194b78f39e04\OafIpc.dll | executable
MD5: 4559DAE30A87671A4B1C0D7027ECFC7A
SHA256: 7BD5CA653D856622B4DCAF85C5782EEF9F49764CFC960469BB9533A0E1C814E0
HTTP(S) requests: 0
TCP/UDP connections: 15
DNS requests: 2
Threats: 2

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2656 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1992 | OculusSetup.exe | 157.240.252.53:443 | graph.oculus.com | FACEBOOK | DE | unknown
1992 | OculusSetup.exe | 157.240.0.13:443 | graph.facebook.com | FACEBOOK | US | unknown

DNS requests

Domain | IP | Reputation
graph.oculus.com | 157.240.252.53 | unknown
graph.facebook.com | 157.240.0.13 | whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info