File name: OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe

Full analysis: https://app.any.run/tasks/0bdbce39-4f42-4175-b2fb-d32390ebe008
Verdict: Malicious activity
Analysis date: May 30, 2025, 00:15:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: B15E1F7F1BDA27F32558361A22E24203
SHA1: 21FA07F7A0CBC5FBB78BDD2E880562A767AF63B0
SHA256: EC295CCDC2F03CC642A57B60BF1340FCC3EC2B8ECB61B0EE648C9B3BB6AF7427
SSDEEP: 768:o/3UD7e/xwd6Za8EbKOL0AI7hMeJiJyRPDwGFuvv:oOCs6I8EbKOL0N7tWSPDwPv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
  • SUSPICIOUS
    • Starts itself from another location
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
    • Executable content was dropped or overwritten
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
      • svchsts.exe (PID: 1572)
    • Reads the Internet Settings
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
      • svchsts.exe (PID: 1572)
  • INFO
    • Checks supported languages
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
      • svchsts.exe (PID: 1572)
    • Creates files in a temporary directory
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
      • svchsts.exe (PID: 1572)
    • Manual execution by a user
      • explorer.exe (PID: 312)
    • Reads the machine GUID from the registry
      • svchsts.exe (PID: 1572)
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
    • Launch of the file from Registry key
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
    • Reads the computer name
      • svchsts.exe (PID: 1572)
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
    • Disables trace logs
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
      • svchsts.exe (PID: 1572)
    • Reads Environment values
      • svchsts.exe (PID: 1572)
      • OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe (PID: 2840)
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:03:01 15:08:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26112
InitializedDataSize: 32256
UninitializedDataSize: -
EntryPoint: 0x8442
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Microsoft
CompanyName: Microsoft
FileDescription: Microsoft
FileVersion: 1.0.0.0
InternalName: bot.exe
LegalCopyright: Copyright © Microsoft 2009
LegalTrademarks: Microsoft
OriginalFileName: bot.exe
ProductName: Microsoft
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start -> ocp.software.wince.cab.manager.v3.0.0.22.incl.keymaker.and.patch-dvt.exe, svchsts.exe, explorer.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

312 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | - | explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (Images):
    c:\windows\explorer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll

1572 | C:\Users\admin\AppData\Local\Temp\svchsts.exe | C:\Users\admin\AppData\Local\Temp\svchsts.exe | - | OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: Microsoft
  Version: 1.0.0.0
  Modules (Images):
    c:\users\admin\appdata\local\temp\svchsts.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

2840 | "C:\Users\admin\AppData\Local\Temp\OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe" | C:\Users\admin\AppData\Local\Temp\OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe | - | explorer.exe
  User: admin
  Company: Microsoft
  Integrity Level: MEDIUM
  Description: Microsoft
  Version: 1.0.0.0
  Modules (Images):
    c:\users\admin\appdata\local\temp\ocp.software.wince.cab.manager.v3.0.0.22.incl.keymaker.and.patch-dvt.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 2 209
Read events: 2 184
Write events: 25
Delete events: 0

Modification events

(PID 2840) OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write
  Name: svchsts
  Value: C:\Users\admin\AppData\Local\Temp\svchsts.exe

(PID 1572) svchsts.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchsts_RASAPI32
  Operation: write
  Name: EnableFileTracing
  Value: 0

(PID 1572) svchsts.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchsts_RASAPI32
  Operation: write
  Name: EnableConsoleTracing
  Value: 0

(PID 1572) svchsts.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchsts_RASAPI32
  Operation: write
  Name: FileTracingMask
  Value: (blank in report)

(PID 1572) svchsts.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchsts_RASAPI32
  Operation: write
  Name: ConsoleTracingMask
  Value: (blank in report)

(PID 1572) svchsts.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchsts_RASAPI32
  Operation: write
  Name: MaxFileSize
  Value: 1048576

(PID 1572) svchsts.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svchsts_RASAPI32
  Operation: write
  Name: FileDirectory
  Value: %windir%\tracing

(PID 2840) OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OCP_RASAPI32
  Operation: write
  Name: MaxFileSize
  Value: 1048576

(PID 2840) OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OCP_RASAPI32
  Operation: write
  Name: FileDirectory
  Value: %windir%\tracing

(PID 2840) OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\OCP_RASMANCS
  Operation: write
  Name: EnableFileTracing
  Value: 0
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2840 | OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe | C:\Users\admin\AppData\Local\Temp\svchsts.exe | executable
  MD5: B15E1F7F1BDA27F32558361A22E24203
  SHA256: EC295CCDC2F03CC642A57B60BF1340FCC3EC2B8ECB61B0EE648C9B3BB6AF7427

2840 | OCP.Software.WinCE.Cab.Manager.v3.0.0.22.Incl.KeyMaker.and.Patch-DVT.exe | C:\Users\admin\AppData\Local\Temp\OCPbp.exe | executable
  MD5: B15E1F7F1BDA27F32558361A22E24203
  SHA256: EC295CCDC2F03CC642A57B60BF1340FCC3EC2B8ECB61B0EE648C9B3BB6AF7427

1572 | svchsts.exe | C:\Users\admin\AppData\Local\Temp\svchstsbp.exe | executable
  MD5: B15E1F7F1BDA27F32558361A22E24203
  SHA256: EC295CCDC2F03CC642A57B60BF1340FCC3EC2B8ECB61B0EE648C9B3BB6AF7427
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 224.0.0.252:5355 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.181.238 | whitelisted
nexus88.scene-hosting.info | - | unknown

Threats

No threats detected
No debug info