File name: oculus.exe

Full analysis: https://app.any.run/tasks/7dd1b538-77db-4fcb-86ce-0148c7942bb1
Verdict: Malicious activity
Analysis date: July 11, 2024, 20:01:37
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: FDBCB6A25136C9CBC24D159E863BAE13
SHA1: A8D379375EC516EDC86951A20B89D82155B12713
SHA256: A4A31D6D1AF581F983398DB33BBC0FDFE3B321EF45A9E7658306E0459C59D24D
SSDEEP: 98304:scyZDo3oAhWqs0nkLn54RBm7tVnytHB1V14eaDn3q1CPwDv3uF/XWDS5mwIoQuc5:j1CPwDv3uF/X0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • oculus.exe (PID: 2416)
      • OculusSetup.exe (PID: 3668)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 7068)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 6704)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Uses Task Scheduler to run other applications

      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • oculus.exe (PID: 2416)
      • OculusSetup.exe (PID: 3668)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 7068)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 6704)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Reads the Windows owner or organization settings

      • OculusSetup.exe (PID: 3668)
    • Reads security settings of Internet Explorer

      • OculusSetup.exe (PID: 3668)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • ShellExperienceHost.exe (PID: 6364)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Checks Windows Trust Settings

      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • The process creates files with name similar to system file names

      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 4796)
    • Searches for installed software

      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • The process verifies whether the antivirus software is installed

      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 7068)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 6704)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
    • Process drops legitimate windows executable

      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 7068)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 6704)
    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
    • Creates a software uninstall entry

      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
    • Adds/modifies Windows certificates

      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 3128)
  • INFO

    • Checks supported languages

      • oculus.exe (PID: 2416)
      • OculusSetup.exe (PID: 3668)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • ShellExperienceHost.exe (PID: 6364)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 7068)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • ACSSIGNEDIC.EXE (PID: 6928)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 6704)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 4796)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6644)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
      • ACSSIGNEDIC.EXE (PID: 2064)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6432)
    • Reads the computer name

      • oculus.exe (PID: 2416)
      • OculusSetup.exe (PID: 3668)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • ShellExperienceHost.exe (PID: 6364)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6644)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6432)
    • Creates files or folders in the user directory

      • OculusSetup.exe (PID: 3668)
    • Reads Environment values

      • OculusSetup.exe (PID: 3668)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6644)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6432)
    • Reads the machine GUID from the registry

      • OculusSetup.exe (PID: 3668)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6644)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6432)
    • Create files in a temporary directory

      • oculus.exe (PID: 2416)
      • OculusSetup.exe (PID: 3668)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 4796)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Disables trace logs

      • OculusSetup.exe (PID: 3668)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6432)
    • Checks proxy server information

      • OculusSetup.exe (PID: 3668)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • wermgr.exe (PID: 5980)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • wermgr.exe (PID: 6732)
      • slui.exe (PID: 2808)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.REPORTINGTOOL.EXE (PID: 6432)
    • Reads CPU info

      • OculusSetup.exe (PID: 3668)
    • Reads the software policy settings

      • OculusSetup.exe (PID: 3668)
      • slui.exe (PID: 6612)
      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • wermgr.exe (PID: 5980)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
      • wermgr.exe (PID: 6732)
      • slui.exe (PID: 2808)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Reads product name

      • OculusSetup.exe (PID: 3668)
    • Manual execution by a user

      • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (PID: 6760)
    • Creates files in the program directory

      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 6788)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 7068)
      • MicrosoftEdgeWebView2RuntimeInstallerX64.exe (PID: 6704)
      • AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE (PID: 3396)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 1228)
      • MicrosoftEdgeUpdate.exe (PID: 6812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:05:01 21:19:10+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 57344
InitializedDataSize: 4702720
UninitializedDataSize: -
EntryPoint: 0x2a6c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.97.0.0
ProductVersionNumber: 1.97.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Facebook Technologies, LLC
FileDescription: Oculus Setup
FileVersion: 1.97.0.0
InternalName: OculusSetup.exe
LegalCopyright: Copyright © Facebook Technologies, LLC
OriginalFileName: OculusSetup.exe
ProductName: Oculus Setup
ProductVersion: 1.97.0.0
No data.
All screenshots are available in the full report
Total processes: 177
Monitored processes: 27
Malicious processes: 10
Suspicious processes: 0

Behavior graph

Process start order (processes marked "no specs" carry no recorded indicators in the graph):

  • oculus.exe
  • oculussetup.exe
  • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe
  • avira.spotlight.bootstrapper.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • acssignedic.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • shellexperiencehost.exe (no specs)
  • slui.exe
  • microsoftedgewebview2runtimeinstallerx64.exe
  • microsoftedgeupdate.exe
  • wermgr.exe
  • microsoftedgewebview2runtimeinstallerx64.exe
  • microsoftedgeupdate.exe
  • wermgr.exe
  • avira.spotlight.bootstrapper.reportingtool.exe (no specs)
  • avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe (no specs)
  • conhost.exe (no specs)
  • avira.spotlight.bootstrapper.exe
  • acssignedic.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • avira.spotlight.bootstrapper.reportingtool.exe (no specs)
  • conhost.exe (no specs)
  • oculus.exe (no specs)

Process information

Columns: PID | CMD | Path | Parent process (the Indicators column is empty in this extract)
PID 452 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1228 | CMD: "C:\Program Files (x86)\Microsoft\Temp\EU3801.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" | Path: C:\Program Files (x86)\Microsoft\Temp\EU3801.tmp\MicrosoftEdgeUpdate.exe | Parent process: MicrosoftEdgeWebView2RuntimeInstallerX64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Edge Update
Exit code: 2147747592
Version: 1.3.187.41
Modules
Images
c:\program files (x86)\microsoft\temp\eu3801.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID 2064 | CMD: "C:\Users\admin\AppData\Local\Temp\.CR.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.CR.14135\ACSSignedIC.exe" | Path: C:\Users\admin\AppData\Local\Temp\.CR.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.CR.14135\ACSSIGNEDIC.EXE | Parent process: AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE
User: admin
Company: Avira Operations GmbH
Integrity Level: HIGH
Description: ASCSigned
Exit code: 0
Version: 255.255.255.255
Modules
Images
c:\users\admin\appdata\local\temp\.cr.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.cr.14135\acssignedic.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\kernel.appcore.dll
PID 2416 | CMD: "C:\Users\admin\Desktop\oculus.exe" | Path: C:\Users\admin\Desktop\oculus.exe | Parent process: explorer.exe
User: admin
Company: Facebook Technologies, LLC
Integrity Level: HIGH
Description: Oculus Setup
Exit code: 1
Version: 1.97.0.0
Modules
Images
c:\users\admin\desktop\oculus.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 2472 | CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding | Path: C:\Windows\System32\SppExtComObj.Exe | Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID 2808 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 3128 | CMD: "C:\WINDOWS\system32\schtasks.exe" /Delete /F /TN "Avira_Security_Installation" | Path: C:\Windows\SysWOW64\schtasks.exe | Parent process: avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 3396 | CMD: "C:\Users\admin\AppData\Local\Temp\.CR.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.CR.14135\Avira.Spotlight.Bootstrapper.exe" "C:\Users\admin\AppData\Local\Temp\.CR.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.CR.14135\Avira.Spotlight.Bootstrapper.exe" OriginalFileName=avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe Action=RegisterFallbackUpdater AllowMultipleInstances=true | Path: C:\Users\admin\AppData\Local\Temp\.CR.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.CR.14135\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE | Parent process: avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe
User: admin
Company: Avira Operations GmbH
Integrity Level: HIGH
Description: Avira Security
Exit code: 0
Version: 1.0.49.727
Modules
Images
c:\users\admin\appdata\local\temp\.cr.20942\1a623b46-bf17-4eb0-8e5b-5bfb789b5e0d\.cr.14135\avira.spotlight.bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 3668 | CMD: C:\Users\admin\AppData\Local\Temp\\OculusSetup-c7f30283-a675-42e1-886d-cd686f397b11\OculusSetup.exe --setupPath "C:\Users\admin\Desktop\oculus.exe" | Path: C:\Users\admin\AppData\Local\Temp\OculusSetup-c7f30283-a675-42e1-886d-cd686f397b11\OculusSetup.exe | Parent process: oculus.exe
User: admin
Company: Facebook Technologies, LLC
Integrity Level: HIGH
Description: Oculus Setup
Exit code: 1
Version: 1.97.0.0
Modules
Images
c:\users\admin\appdata\local\temp\oculussetup-c7f30283-a675-42e1-886d-cd686f397b11\oculussetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID 4180 | CMD: "C:\Users\admin\Desktop\oculus.exe" | Path: C:\Users\admin\Desktop\oculus.exe | Parent process: explorer.exe
User: admin
Company: Facebook Technologies, LLC
Integrity Level: MEDIUM
Description: Oculus Setup
Exit code: 3221226540
Version: 1.97.0.0
Modules
Images
c:\users\admin\desktop\oculus.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 84 546
Read events: 83 466
Write events: 1 044
Delete events: 36

Modification events

PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: FileTracingMask | Value: -
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value: -
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
PID 3668 OculusSetup.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\OculusSetup_RASMANCS | Operation: write | Name: EnableAutoFileTracing | Value: 0
Executable files: 314
Suspicious files: 3
Text files: 17
Unknown types: 2

Dropped files

Columns: PID | Process | Filename | Type ("-" marks a cell that is empty in the report)

6788 | AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE | C:\Users\admin\AppData\Local\Temp\.CR.20942\289ceed2-db77-40f7-b8bb-7977282262bb\b2848fba-66a2-4a49-ad6f-b4a15c165b91.tmp | -
MD5: - | SHA256: -
6788 | AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE | C:\Users\admin\AppData\Local\Temp\.CR.20942\289ceed2-db77-40f7-b8bb-7977282262bb\MicrosoftEdgeWebView2RuntimeInstallerX64.exe | -
MD5: - | SHA256: -
3668 | OculusSetup.exe | C:\Users\admin\AppData\Local\Oculus\OculusSetup.log | text
MD5: 04DB431FB5EB32FF2A0C263B28424465 | SHA256: B1B8A55EE68E78F97FCD4A2A7E78828C16FF86199809323B046A2D4CF3E96E39
2416 | oculus.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-c7f30283-a675-42e1-886d-cd686f397b11\OculusSetup.exe | executable
MD5: 42AFEB7C2C6204BB372ABF8899A8FF5C | SHA256: 3DBC59CCED7356559DAB60D9072648A012FF25C01EDC1B9D655705B2973AE004
3668 | OculusSetup.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-e07441b6-7294-44fa-be36-c41e9ba33024\libcrypto.dll | executable
MD5: 5E346D3611A909C930C81A1B852C7D17 | SHA256: AD2698AA52E4ECFDE9FAAE4793E871E9DB4C4D5C927B0AC44FF2067A2EA491E1
7068 | MicrosoftEdgeWebView2RuntimeInstallerX64.exe | C:\Program Files (x86)\Microsoft\Temp\EU3801.tmp\msedgeupdate.dll | executable
MD5: 1125E435063E7C722C0079FDF0A5B751 | SHA256: 7D8D1756343598BC651D62A0E81835820E0D6CF7A995503BB6B129B4BCC37DF4
3668 | OculusSetup.exe | C:\Users\admin\AppData\Local\Temp\OculusSetup-e07441b6-7294-44fa-be36-c41e9ba33024\DaybreakNative.dll | executable
MD5: D7219F79F4E7CDE626B56E8B5F5092EB | SHA256: 68600D7F1F63C212085743D2842D59BF9E8BDD0B88ADF393F6DF7726501306BE
6760 | avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe | C:\Users\admin\AppData\Local\Temp\.CR.17989\Avira.Spotlight.Bootstrapper.Runner.exe | executable
MD5: B687F5C3C1D5330F6CDC62B6DA564426 | SHA256: 8B8607979E0FDB616A0049984BE58C8830C111FF350D3BEDDB8A8DF385D3C42E
7068 | MicrosoftEdgeWebView2RuntimeInstallerX64.exe | C:\Program Files (x86)\Microsoft\Temp\EU3801.tmp\psmachine.dll | executable
MD5: 23588D50954BF3C9F02ED82F356E7DE4 | SHA256: 2AB1F12FEBE8ED3FB9E7E01B3611B34120997E55AE227BDA7AF11B25BC756DBF
6760 | avira_en_sptl1_675585946-1720726949-1720726948-1__phpws-spotlight-release.exe | C:\Users\admin\AppData\Local\Temp\.CR.17989\Avira.Spotlight.Bootstrapper.Runner.exe.config | xml
MD5: 58410F4F50391A09970644AC99DC692C | SHA256: CDDC4ED76E18D72D144809A86CADE27F7B5AA1833B7900E40739B59852999245
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 92
DNS requests: 46
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells that are empty in the report are omitted from the rows below)

2056 | svchost.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2056 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4656 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3716 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6604 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6604 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
3972 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5980 | wermgr.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5980 | wermgr.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
3040 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (cells that are empty in the report are omitted from the rows below)

4 | System | 192.168.100.255:137 | whitelisted
900 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2056 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2476 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4032 | svchost.exe | 239.255.255.250:1900 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
3668 | OculusSetup.exe | 157.240.0.128:443 | graph.oculus.com | FACEBOOK | US | unknown
2056 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2056 | svchost.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
2056 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.78
whitelisted
graph.oculus.com
  • 157.240.0.128
whitelisted
securecdn.oculus.com
  • 157.240.0.128
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
graph.facebook.com
  • 157.240.0.13
whitelisted
www.bing.com
  • 92.123.104.22
  • 92.123.104.34
  • 92.123.104.21
  • 92.123.104.30
  • 92.123.104.23
  • 92.123.104.32
  • 92.123.104.31
  • 92.123.104.26
  • 92.123.104.18
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.71
  • 20.190.159.64
  • 40.126.31.69
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.2
  • 20.190.159.23
  • 20.190.160.14
  • 20.190.160.22
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.138
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

No threats detected
No debug info