File name:

OInstall.exe

Full analysis: https://app.any.run/tasks/ef2a0e0d-d41b-4ff3-bd38-fe84ae8b6e7e
Verdict: Malicious activity
Analysis date: September 03, 2025, 17:40:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

F2C72FC49DE94B5049A397CE560C0CBB

SHA1:

F13EA923EA86EA760AA35B726F08C8017E68ECBD

SHA256:

F34CB19FAB14F9B20D4030066BE893954BF0E6CB08B06283F4B52A3FAE0DE7AB

SSDEEP:

98304:nhllwGZXMfoxSRr4r6EQI0MME7KjPkGIS5bBoXWznyZA4UO/R34qgLcSPV10PurB:zIYzCKX5V6e79plnsMm7pT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • OInstall.exe (PID: 1096)

    • Uses WMIC.EXE to add exclusions to the Windows Defender

      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 6636)

    • PowerShell executes remote file download (POWERSHELL)

      • powershell.exe (PID: 7020)
      • powershell.exe (PID: 4552)
      • powershell.exe (PID: 5628)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 4760)
      • powershell.exe (PID: 5460)
      • powershell.exe (PID: 4892)
      • powershell.exe (PID: 3932)
      • powershell.exe (PID: 5432)
      • powershell.exe (PID: 1948)
      • powershell.exe (PID: 1204)
      • powershell.exe (PID: 904)

  • SUSPICIOUS

    • Found strings related to reading or modifying Windows Defender settings

      • OInstall.exe (PID: 4120)

    • Starts CMD.EXE for commands execution

      • OInstall.exe (PID: 4120)

    • Uses REG/REGEDIT.EXE to modify registry

      • OInstall.exe (PID: 4120)
      • cmd.exe (PID: 5236)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 2668)
      • cmd.exe (PID: 6736)
      • cmd.exe (PID: 4752)
      • cmd.exe (PID: 1236)
      • cmd.exe (PID: 4936)
      • cmd.exe (PID: 3860)
      • cmd.exe (PID: 5400)
      • cmd.exe (PID: 700)
      • cmd.exe (PID: 5468)
      • cmd.exe (PID: 6044)
      • cmd.exe (PID: 2924)
      • cmd.exe (PID: 6068)
      • cmd.exe (PID: 1204)

    • Process drops legitimate windows executable

      • OInstall.exe (PID: 4120)
      • files.dat (PID: 5764)
      • expand.exe (PID: 3576)
      • OfficeClickToRun.exe (PID: 3404)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • Executable content was dropped or overwritten

      • OInstall.exe (PID: 4120)
      • files.dat (PID: 5764)
      • expand.exe (PID: 3576)
      • OfficeClickToRun.exe (PID: 3404)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • Drops 7-zip archiver for unpacking

      • OInstall.exe (PID: 4120)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1244)

    • Probably download files using WebClient

      • OInstall.exe (PID: 4120)

    • Unpacks CAB file

      • expand.exe (PID: 6304)
      • expand.exe (PID: 5432)
      • expand.exe (PID: 7080)
      • expand.exe (PID: 3576)
      • expand.exe (PID: 7064)
      • expand.exe (PID: 1380)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 856)
      • expand.exe (PID: 1356)
      • expand.exe (PID: 6192)
      • expand.exe (PID: 6840)
      • expand.exe (PID: 1676)

    • The process drops C-runtime libraries

      • files.dat (PID: 5764)
      • expand.exe (PID: 3576)
      • expand.exe (PID: 1356)
      • expand.exe (PID: 2552)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1212)
      • cmd.exe (PID: 2880)
      • cmd.exe (PID: 2924)
      • cmd.exe (PID: 3944)

    • Uses TASKKILL.EXE to kill process

      • OInstall.exe (PID: 4120)

    • Stops a currently running service

      • sc.exe (PID: 4400)
      • sc.exe (PID: 5620)
      • sc.exe (PID: 2920)
      • sc.exe (PID: 2964)

    • Starts POWERSHELL.EXE for commands execution

      • OInstall.exe (PID: 4120)

  • INFO

    • Checks supported languages

      • OInstall.exe (PID: 4120)
      • files.dat (PID: 5764)
      • expand.exe (PID: 6304)
      • expand.exe (PID: 5432)
      • expand.exe (PID: 7080)
      • expand.exe (PID: 3576)
      • expand.exe (PID: 7064)
      • OfficeClickToRun.exe (PID: 6028)
      • expand.exe (PID: 1380)
      • expand.exe (PID: 2552)
      • OfficeClickToRun.exe (PID: 3404)
      • OfficeClickToRun.exe (PID: 3232)
      • OfficeClickToRun.exe (PID: 6180)
      • expand.exe (PID: 856)
      • expand.exe (PID: 1356)
      • expand.exe (PID: 6192)
      • OfficeClickToRun.exe (PID: 5716)
      • OfficeClickToRun.exe (PID: 5848)
      • expand.exe (PID: 6840)
      • expand.exe (PID: 1676)

    • Reads Environment values

      • OInstall.exe (PID: 4120)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5288)
      • WMIC.exe (PID: 3100)

    • Reads the computer name

      • OInstall.exe (PID: 4120)
      • OfficeClickToRun.exe (PID: 6028)
      • OfficeClickToRun.exe (PID: 3404)
      • OfficeClickToRun.exe (PID: 3232)
      • OfficeClickToRun.exe (PID: 6180)
      • OfficeClickToRun.exe (PID: 5716)
      • OfficeClickToRun.exe (PID: 5848)

    • The sample compiled with english language support

      • OInstall.exe (PID: 4120)
      • files.dat (PID: 5764)
      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • Disables trace logs

      • powershell.exe (PID: 7020)
      • powershell.exe (PID: 4552)
      • powershell.exe (PID: 5628)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 4760)
      • powershell.exe (PID: 5460)
      • powershell.exe (PID: 4892)
      • powershell.exe (PID: 3932)
      • powershell.exe (PID: 5432)
      • powershell.exe (PID: 1948)
      • powershell.exe (PID: 904)
      • powershell.exe (PID: 1204)
      • powershell.exe (PID: 6368)

    • Checks proxy server information

      • powershell.exe (PID: 7020)
      • powershell.exe (PID: 4552)
      • powershell.exe (PID: 5628)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 4760)
      • OfficeClickToRun.exe (PID: 3404)
      • OfficeClickToRun.exe (PID: 6028)
      • powershell.exe (PID: 5460)
      • powershell.exe (PID: 4892)
      • powershell.exe (PID: 1204)
      • OfficeClickToRun.exe (PID: 3232)
      • OfficeClickToRun.exe (PID: 6180)
      • powershell.exe (PID: 3932)
      • powershell.exe (PID: 5432)
      • powershell.exe (PID: 1948)
      • OfficeClickToRun.exe (PID: 5716)
      • OfficeClickToRun.exe (PID: 5848)
      • slui.exe (PID: 6736)
      • powershell.exe (PID: 904)
      • powershell.exe (PID: 6368)

    • Create files in a temporary directory

      • expand.exe (PID: 6304)
      • expand.exe (PID: 5432)
      • expand.exe (PID: 7080)
      • expand.exe (PID: 1380)
      • OfficeClickToRun.exe (PID: 6028)
      • OfficeClickToRun.exe (PID: 3232)
      • expand.exe (PID: 856)
      • OfficeClickToRun.exe (PID: 5716)
      • expand.exe (PID: 1676)

    • Reads the machine GUID from the registry

      • expand.exe (PID: 5432)
      • expand.exe (PID: 6304)
      • expand.exe (PID: 7080)
      • expand.exe (PID: 3576)
      • expand.exe (PID: 7064)
      • OfficeClickToRun.exe (PID: 3404)
      • expand.exe (PID: 1380)
      • expand.exe (PID: 2552)
      • OfficeClickToRun.exe (PID: 6180)
      • expand.exe (PID: 856)
      • expand.exe (PID: 1356)
      • expand.exe (PID: 6192)
      • expand.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 5848)
      • expand.exe (PID: 1676)

    • UPX packer has been detected

      • OInstall.exe (PID: 4120)

    • Creates files in the program directory

      • OInstall.exe (PID: 4120)
      • expand.exe (PID: 3576)
      • expand.exe (PID: 7064)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 6840)
      • expand.exe (PID: 1356)
      • expand.exe (PID: 6192)

    • The sample compiled with arabic language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with bulgarian language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with french language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with czech language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with german language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with spanish language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with Italian language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with japanese language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with korean language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with slovak language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with polish language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with portuguese language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with swedish language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with Indonesian language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with russian language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with chinese language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • The sample compiled with turkish language support

      • expand.exe (PID: 3576)
      • expand.exe (PID: 2552)
      • expand.exe (PID: 1356)

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 6028)
      • OfficeClickToRun.exe (PID: 3404)
      • OfficeClickToRun.exe (PID: 3232)
      • OfficeClickToRun.exe (PID: 6180)
      • OfficeClickToRun.exe (PID: 5716)
      • OfficeClickToRun.exe (PID: 5848)

    • Creates files or folders in the user directory

      • OfficeClickToRun.exe (PID: 6028)
      • OfficeClickToRun.exe (PID: 3232)
      • OfficeClickToRun.exe (PID: 5716)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 3404)
      • OfficeClickToRun.exe (PID: 6180)
      • OfficeClickToRun.exe (PID: 5848)

    • Reads the software policy settings

      • slui.exe (PID: 6736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (76)
.exe | Win32 Executable (generic) (12.6)
.exe | Generic Win/DOS Executable (5.6)
.exe | DOS Executable Generic (5.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:06:04 09:26:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 12247040
InitializedDataSize: 90112
UninitializedDataSize: 11354112
EntryPoint: 0x16821e0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 7.4.2.0
ProductVersionNumber: 7.4.2.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
ProductName: Office 2013-2021 C2R Install
FileDescription: Office 2013-2021 C2R Install
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
308
Monitored processes
171
Malicious processes
4
Suspicious processes
14

Behavior graph

Click at the process to see the details

Process information

PID
CMD
Path
Indicators
Parent process
512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
592\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeexpand.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
700"C:\WINDOWS\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60C:\Windows\System32\cmd.exeOInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
716reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
856"expand" v32.cab -F:VersionDescriptor.xml C:\Users\admin\AppData\Local\Temp\over437399C:\Windows\SysWOW64\expand.exeOInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
LZ Expansion Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\expand.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
904"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\admin\AppData\Local\Temp\over780181\v32.cab') }"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
OInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1036reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d TrueC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1040"taskkill.exe" /t /f /IM OfficeC2RClient.exeC:\Windows\SysWOW64\taskkill.exeOInstall.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1056reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1096"C:\Users\admin\Desktop\OInstall.exe" C:\Users\admin\Desktop\OInstall.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Office 2013-2021 C2R Install
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\oinstall.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
100 325
Read events
99 757
Write events
250
Delete events
318

Modification events

(PID) Process:(3392) reg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:writeName:Enabled
Value:
1
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7020) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
Executable files
678
Suspicious files
32
Text files
135
Unknown types
0

Dropped files

PID
Process
Filename
Type
5764files.datC:\Users\admin\Desktop\files\x64\msvcr100.dllexecutable
MD5:DF3CA8D16BDED6A54977B30E66864D33
SHA256:1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36
4120OInstall.exeC:\Users\admin\Desktop\files\setup.exeexecutable
MD5:C24281338461BCD09FC59E19B1C23948
SHA256:8A9C0C12CB9DAD39872E74BAB421070E23D72EFFD0B06DBAE9EBE39F3D7FDA6D
4120OInstall.exeC:\Users\admin\Desktop\files\files.datexecutable
MD5:BB5569B15D68C10B7FF2D96B45825120
SHA256:4E3B13B56BEC0E41778E6506430282BBBD75CCAA600FD4B645CE37DD95B44C8E
5764files.datC:\Users\admin\Desktop\files\x64\cleanospp.exeexecutable
MD5:D3467CB7B83B654C2D05407DC7BA2360
SHA256:EDF85F4E2EF1A427B34265A22F261D664EC78DE90C3B5DA4174EF28558C8522A
5764files.datC:\Users\admin\Desktop\files\Uninstall.xmltext
MD5:364F86F97324EA82FE0D142CD01CF6DD
SHA256:09D5B42140BAB13165BA97FBD0E77792304C3C93555BE02C3DCE21A7A69C66DD
4120OInstall.exeC:\Users\admin\Desktop\files\Configure.xmltext
MD5:AC6BE84084E31DBB0E08D188B6C86EC8
SHA256:1879F7DE537C2AA70292C61EBEF9C6477D36E25B2E6A639E318B159E0A22B0FC
7020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1oo2i32n.iwt.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5764files.datC:\Users\admin\Desktop\files\x86\cleanospp.exeexecutable
MD5:98821A7A5737D656633D10A3AFB724BD
SHA256:04BA4487F95290E0B0557B44300C18F637FBAF0872EE96E3111013B8A1539F25
5764files.datC:\Users\admin\Desktop\files\x86\msvcr100.dllexecutable
MD5:BF38660A9125935658CFA3E53FDC7D65
SHA256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
7020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pqs2ijt1.bjq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
32
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
4944
RUXIMICS.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
5628
powershell.exe
GET
200
2.16.168.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
RU
compressed
12.1 Kb
whitelisted
4944
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
4760
powershell.exe
GET
200
199.232.214.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.19127.20192/i641033.cab
US
compressed
10.7 Kb
whitelisted
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
6404
powershell.exe
GET
200
2.16.168.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.19127.20192/i640.cab
RU
compressed
30.7 Mb
whitelisted
4552
powershell.exe
GET
200
2.16.168.120:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
RU
compressed
12.1 Kb
whitelisted
5460
powershell.exe
GET
200
199.232.214.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
US
compressed
12.1 Kb
whitelisted
1948
powershell.exe
GET
200
199.232.214.172:80
http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.19127.20192/i641033.cab
US
compressed
10.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4944
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4944
RUXIMICS.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
officecdn.microsoft.com
  • 2.16.168.120
  • 2.16.168.114
  • 199.232.214.172
  • 199.232.210.172
  • 2.18.244.197
  • 2.18.244.201
whitelisted
self.events.data.microsoft.com
  • 20.50.201.200
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
mobile.events.data.microsoft.com
  • 104.208.16.90
  • 20.189.173.14
  • 40.79.173.40
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OInstall.exe