File name:

OpenALwEAX.exe

Full analysis: https://app.any.run/tasks/c592ee3b-a743-48b7-8292-09fa573917cb
Verdict: Malicious activity
Analysis date: July 07, 2025, 04:20:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

66C6FBD98F24138E5504D889B08EBD81

SHA1:

09C30A18FF8C32F94883471702E8E9C6E283C738

SHA256:

7C767AFB9C8797E03713C908EC5A63051386247C8718B694790A283A8504C545

SSDEEP:

24576:GCPj5oTbEzQD7eW+BTGmXpvyy2oUvQYn47a4+Z+4BFeD7rENHlF2bVH0W:GCPj5oTbEzQDClTDXpyy2oUvQY47a42E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OpenALwEAX.exe (PID: 6124)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • OpenALwEAX.exe (PID: 4500)

    • Creates a software uninstall entry

      • OpenALwEAX.exe (PID: 4500)

  • INFO

    • The sample compiled with english language support

      • OpenALwEAX.exe (PID: 4500)

    • Reads the computer name

      • OpenALwEAX.exe (PID: 4500)

    • Creates files in the program directory

      • OpenALwEAX.exe (PID: 4500)

    • Checks supported languages

      • OpenALwEAX.exe (PID: 4500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:10:15 11:26:37+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 118784
InitializedDataSize: 679936
UninitializedDataSize: -
EntryPoint: 0x6c41
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.0.9.0
ProductVersionNumber: 2.0.9.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Installs OpenAL32.dll (6.14.357.24) and wrap_oal.dll (2.2.0.7)
CompanyName: Creative Labs Inc.
FileDescription: OpenAL Installer
FileVersion: 2, 0, 9, 0
InternalName: oalinst.exe
LegalCopyright: Copyright © 2009
OriginalFileName: oalinst.exe
ProductName: OpenAL Installer
ProductVersion: 2, 0, 9, 0
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
141
Monitored processes
3
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start openalweax.exe slui.exe no specs openalweax.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3780C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4500"C:\Users\admin\AppData\Local\Temp\OpenALwEAX.exe" C:\Users\admin\AppData\Local\Temp\OpenALwEAX.exe
explorer.exe
User:
admin
Company:
Creative Labs Inc.
Integrity Level:
HIGH
Description:
OpenAL Installer
Exit code:
0
Version:
2, 0, 9, 0
Modules
Images
c:\users\admin\appdata\local\temp\openalweax.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6124"C:\Users\admin\AppData\Local\Temp\OpenALwEAX.exe" C:\Users\admin\AppData\Local\Temp\OpenALwEAX.exeexplorer.exe
User:
admin
Company:
Creative Labs Inc.
Integrity Level:
MEDIUM
Description:
OpenAL Installer
Exit code:
3221226540
Version:
2, 0, 9, 0
Modules
Images
c:\users\admin\appdata\local\temp\openalweax.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
250
Read events
247
Write events
3
Delete events
0

Modification events

(PID) Process:(4500) OpenALwEAX.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OpenAL
Operation:writeName:DisplayIcon
Value:
C:\Program Files (x86)\OpenAL\OpenALwEAX.exe
(PID) Process:(4500) OpenALwEAX.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OpenAL
Operation:writeName:UninstallString
Value:
"C:\Program Files (x86)\OpenAL\OpenALwEAX.exe" /U
(PID) Process:(4500) OpenALwEAX.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OpenAL
Operation:writeName:DisplayName
Value:
OpenAL
Executable files
11
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4500OpenALwEAX.exeC:\Windows\SysWOW64\wrap_oal.newexecutable
MD5:23E1442C2957204DE00CE0405BA0C76F
SHA256:1945EF433035BC3462F1C16D9A46C71AC67ADEFFC32BE4F8AA767441FE0E26E4
4500OpenALwEAX.exeC:\Windows\SysWOW64\OpenAL32.dllexecutable
MD5:628321A50ED9558513F8A5E37A5E1FBA
SHA256:C44DC0929255FAF372C3C97B59B67AF40B3DCF7BAAEEB9C03231D978BC770CAF
4500OpenALwEAX.exeC:\Windows\SysWOW64\tmp5BEC.tmpexecutable
MD5:66C6FBD98F24138E5504D889B08EBD81
SHA256:7C767AFB9C8797E03713C908EC5A63051386247C8718B694790A283A8504C545
4500OpenALwEAX.exeC:\Windows\SysWOW64\OpenAL32.newexecutable
MD5:628321A50ED9558513F8A5E37A5E1FBA
SHA256:C44DC0929255FAF372C3C97B59B67AF40B3DCF7BAAEEB9C03231D978BC770CAF
4500OpenALwEAX.exeC:\Windows\System32\OpenAL32.dllexecutable
MD5:7A1A02351FFED3B8550567F31257E968
SHA256:DED0AD6B09FA4EF7A3A17C9E9DBC2ABC6AA0E053CBFC0F1A4FBC8DBE9944B1F8
4500OpenALwEAX.exeC:\Windows\SysWOW64\wrap_oal.dllexecutable
MD5:23E1442C2957204DE00CE0405BA0C76F
SHA256:1945EF433035BC3462F1C16D9A46C71AC67ADEFFC32BE4F8AA767441FE0E26E4
4500OpenALwEAX.exeC:\Windows\System32\OpenAL32.newexecutable
MD5:7A1A02351FFED3B8550567F31257E968
SHA256:DED0AD6B09FA4EF7A3A17C9E9DBC2ABC6AA0E053CBFC0F1A4FBC8DBE9944B1F8
4500OpenALwEAX.exeC:\Windows\System32\wrap_oal.dllexecutable
MD5:D383A7BE36C5CE69A7F9B53FFB89BCF4
SHA256:4443C33EE5EEE1691AED11CA5089EA299234B7ED18A3190E3676BB0254DD95FD
4500OpenALwEAX.exeC:\Windows\SysWOW64\tmp5BBC.tmpexecutable
MD5:66C6FBD98F24138E5504D889B08EBD81
SHA256:7C767AFB9C8797E03713C908EC5A63051386247C8718B694790A283A8504C545
4500OpenALwEAX.exeC:\Program Files (x86)\OpenAL\OpenALwEAX.exeexecutable
MD5:66C6FBD98F24138E5504D889B08EBD81
SHA256:7C767AFB9C8797E03713C908EC5A63051386247C8718B694790A283A8504C545
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3948
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1480
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1480
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
592
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3948
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3948
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.137
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.65
  • 40.126.32.72
  • 20.190.160.128
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OpenALwEAX.exe