File name:

Microsoft Office 365 ProPlus - Online Installer 3.2.6 [FileCR].zip

Full analysis: https://app.any.run/tasks/673efafe-adba-4f19-9b2d-b528933cc8d3
Verdict: Malicious activity
Analysis date: August 27, 2024, 10:40:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

A7A3607691E597A7940DE9580BB2EBE2

SHA1:

48EB3F31FB5055C3FCBA6819CBC40B537051A98E

SHA256:

16E9F7231C4ED888FC2C374E1D40FBC3C97544EB5665750B8FC2581C4844804C

SSDEEP:

98304:kTnXTeGs148KCDwE4Qwv9lXuu6/AHjEuCYQbKb4xGIrHg0ieY2n8nLDsiWONbEdK:1p7sVr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6152)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 5524)

    • Executing commands from ".cmd" file

      • powershell.exe (PID: 3332)
      • powershell.exe (PID: 6260)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 2768)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 2768)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 6780)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3332)
      • cmd.exe (PID: 5164)
      • cmd.exe (PID: 6748)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 6568)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 6376)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 320)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 5724)
      • cmd.exe (PID: 6980)
      • cmd.exe (PID: 6016)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 1436)
      • cmd.exe (PID: 6844)
      • cmd.exe (PID: 6696)
      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 2036)
      • cmd.exe (PID: 6500)
      • cmd.exe (PID: 5164)
      • cmd.exe (PID: 5644)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5920)
      • cmd.exe (PID: 6884)
      • cmd.exe (PID: 5124)
      • cmd.exe (PID: 1780)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 3448)
      • cmd.exe (PID: 7108)
      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 6724)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 7068)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 2264)
      • cmd.exe (PID: 6500)
      • cmd.exe (PID: 3568)
      • cmd.exe (PID: 1168)
      • cmd.exe (PID: 6332)
      • cmd.exe (PID: 6320)
      • cmd.exe (PID: 5244)
      • cmd.exe (PID: 6908)
      • cmd.exe (PID: 376)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 7020)
      • cmd.exe (PID: 6400)
      • cmd.exe (PID: 4708)
      • cmd.exe (PID: 4088)
      • cmd.exe (PID: 3304)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 4528)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 4392)
      • cmd.exe (PID: 2804)
      • cmd.exe (PID: 5344)
      • powershell.exe (PID: 6260)
      • cmd.exe (PID: 6780)
      • cmd.exe (PID: 6384)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 4820)
      • cmd.exe (PID: 3708)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 3544)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 5048)
      • cmd.exe (PID: 1944)
      • cmd.exe (PID: 5644)
      • cmd.exe (PID: 376)
      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 5816)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 6052)
      • cmd.exe (PID: 6416)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 7088)
      • cmd.exe (PID: 7016)
      • cmd.exe (PID: 6604)
      • cmd.exe (PID: 2688)
      • cmd.exe (PID: 6580)
      • cmd.exe (PID: 5064)
      • cmd.exe (PID: 5548)
      • cmd.exe (PID: 2640)

    • Application launched itself

      • cmd.exe (PID: 5164)
      • cmd.exe (PID: 6748)
      • cmd.exe (PID: 6568)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 6376)
      • cmd.exe (PID: 5724)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 320)
      • cmd.exe (PID: 6980)
      • cmd.exe (PID: 6500)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 6840)
      • cmd.exe (PID: 4016)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 6016)
      • cmd.exe (PID: 6696)
      • cmd.exe (PID: 6844)
      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 2036)
      • cmd.exe (PID: 5164)
      • cmd.exe (PID: 5644)
      • cmd.exe (PID: 1436)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 5124)
      • cmd.exe (PID: 5920)
      • cmd.exe (PID: 6884)
      • cmd.exe (PID: 1780)
      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 6212)
      • cmd.exe (PID: 3448)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 7108)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 6724)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 7068)
      • cmd.exe (PID: 7032)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 4132)
      • cmd.exe (PID: 4668)
      • cmd.exe (PID: 1752)
      • cmd.exe (PID: 3140)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 2264)
      • cmd.exe (PID: 3568)
      • cmd.exe (PID: 6332)
      • cmd.exe (PID: 6500)
      • cmd.exe (PID: 1168)
      • cmd.exe (PID: 6320)
      • cmd.exe (PID: 5244)
      • cmd.exe (PID: 6908)
      • cmd.exe (PID: 376)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 7020)
      • cmd.exe (PID: 4708)
      • cmd.exe (PID: 4088)
      • cmd.exe (PID: 6400)
      • cmd.exe (PID: 2804)
      • cmd.exe (PID: 3304)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 188)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 4528)
      • cmd.exe (PID: 4392)
      • cmd.exe (PID: 5344)
      • cmd.exe (PID: 6384)
      • cmd.exe (PID: 4820)
      • cmd.exe (PID: 5760)
      • cmd.exe (PID: 2960)
      • cmd.exe (PID: 6792)
      • cmd.exe (PID: 3708)
      • cmd.exe (PID: 3544)
      • cmd.exe (PID: 5048)
      • cmd.exe (PID: 6780)
      • cmd.exe (PID: 7076)
      • cmd.exe (PID: 5644)
      • cmd.exe (PID: 6480)
      • cmd.exe (PID: 1944)
      • cmd.exe (PID: 376)
      • cmd.exe (PID: 2144)
      • cmd.exe (PID: 1776)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 5816)
      • cmd.exe (PID: 6052)
      • cmd.exe (PID: 5064)
      • cmd.exe (PID: 7088)
      • cmd.exe (PID: 7016)
      • cmd.exe (PID: 6416)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 6604)
      • cmd.exe (PID: 2688)
      • cmd.exe (PID: 6580)
      • cmd.exe (PID: 2640)
      • cmd.exe (PID: 5548)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 6780)

    • Reads security settings of Internet Explorer

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

    • Checks Windows Trust Settings

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

    • Searches for installed software

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 6780)

    • Starts a Microsoft application from unusual location

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 3112)

    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 5524)

    • Drops the executable file immediately after the start

      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 5524)

  • INFO

    • Checks supported languages

      • chcp.com (PID: 2576)
      • chcp.com (PID: 1020)
      • OfficeClickToRun.exe (PID: 3112)
      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 5524)
      • chcp.com (PID: 6240)
      • OfficeClickToRun.exe (PID: 3304)
      • chcp.com (PID: 2904)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Manual execution by a user

      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 2768)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6152)

    • Changes the display of characters in the console

      • chcp.com (PID: 2576)
      • chcp.com (PID: 1020)
      • chcp.com (PID: 6240)
      • chcp.com (PID: 2904)

    • Reads Microsoft Office registry keys

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 5524)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Reads the computer name

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 5524)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Process checks computer location settings

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

    • Reads the software policy settings

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Checks proxy server information

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 5524)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Creates files or folders in the user directory

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Reads Environment values

      • setup.exe (PID: 1568)
      • setup.exe (PID: 5988)

    • Create files in a temporary directory

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Reads the machine GUID from the registry

      • setup.exe (PID: 1568)
      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 5524)
      • OfficeClickToRun.exe (PID: 3304)
      • setup.exe (PID: 5988)
      • OfficeClickToRun.exe (PID: 6132)

    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 3112)
      • OfficeClickToRun.exe (PID: 5524)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 5524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:05:16 11:27:08
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Microsoft Office 365 ProPlus - Online Installer 3.2.6/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
574
Monitored processes
447
Malicious processes
10
Suspicious processes
92

Behavior graph

Click at the process to see the details
start winrar.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs fltmc.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs chcp.com no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs cmd.exe no specs findstr.exe no specs ping.exe no specs ping.exe no specs setup.exe officeclicktorun.exe Delivery Optimization User no specs officeclicktorun.exe officeclicktorun.exe ping.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs fltmc.exe no specs powershell.exe no specs cmd.exe conhost.exe no specs chcp.com no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs fltmc.exe no specs where.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs findstr.exe no specs choice.exe no specs cmd.exe no specs findstr.exe no specs ping.exe no specs ping.exe no specs setup.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
32C:\WINDOWS\system32\cmd.exe /S /D /c" Echo PROMPT $H "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
32C:\WINDOWS\system32\cmd.exe /S /D /c" Echo PROMPT $H "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
188C:\WINDOWS\system32\cmd.exe /c Echo PROMPT $H | "CMD"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
208FindStr /l /i /b /p /a:0a /s /c:"_" ""(YES)""C:\Windows\System32\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
208"CMD"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
232"CMD"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\wldp.dll
320C:\WINDOWS\system32\cmd.exe /c Echo PROMPT $H | "CMD"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
320C:\WINDOWS\system32\cmd.exe /S /D /c" Echo PROMPT $H "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
376C:\WINDOWS\system32\cmd.exe /S /D /c" Echo PROMPT $H "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
376C:\WINDOWS\system32\cmd.exe /c Echo PROMPT $H | "CMD"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
Total events
62 384
Read events
61 577
Write events
458
Delete events
349

Modification events

(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Microsoft Office 365 ProPlus - Online Installer 3.2.6 [FileCR].zip
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(6152) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
Executable files
392
Suspicious files
138
Text files
76
Unknown types
10

Dropped files

PID
Process
Filename
Type
6152WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb6152.5487\Microsoft Office 365 ProPlus - Online Installer 3.2.6\setup.exeexecutable
MD5:7488D696F9A3D74E093B4C31EF7282C6
SHA256:B03C4CC3C1377EE81B1F94DA126E58A30F484D4D935889538FAE1C650DD6828B
1568setup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FEder
MD5:DDF4DE0DC1AC39C22F605957A1FE614B
SHA256:0ACF9791F2CBBF8330653DF8D90E760108DD7ED3B5DB03C4DE164BD5047E4D4A
4576cmd.exeC:\Users\admin\AppData\Local\Temp\_(YES)\(YES)binary
MD5:B14A7B8059D9C055954C92674CE60032
SHA256:
4576cmd.exeC:\Users\admin\AppData\Local\Temp\_(64-bit)\(64-bit)binary
MD5:B14A7B8059D9C055954C92674CE60032
SHA256:
3332powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:FB8EB94AEACA868D61A75A8792FB2878
SHA256:213FF7EE7DEA358EB03EAF4D328DB842F126C34B27B1B14C8C42DB8382AB7BFE
4576cmd.exeC:\Users\admin\Desktop\Microsoft Office 365 ProPlus - Online Installer 3.2.6\Office 365 Setup Config.xmltext
MD5:78F4E24C56550AB2621EE652849786E6
SHA256:A77144AA552B42F5C843FEC95EDB9629E90DB2797897DA1DC27B67918D3D8AA6
3332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pcoumqea.bm1.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1568setup.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\17278173-FD18-4BEE-8D7E-ABE32809C51Fxml
MD5:CB6BF6E021C786939C1E0E619E3DEDE1
SHA256:4859ED3A01641AFCF685CAD9E30DC2C9FFDD578545751E9DCEFE6A08B5C8426B
1568setup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850der
MD5:C7D1234376F3389D6C220F0DCF24341B
SHA256:F67F7E62B47D1C4D9059F9F01FF40D52044EE81F594C5B8C8925C254381061E5
4576cmd.exeC:\Users\admin\AppData\Local\Temp\_(32-bit)\(32-bit)binary
MD5:B14A7B8059D9C055954C92674CE60032
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
119
TCP/UDP connections
44
DNS requests
32
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6112
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3784
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1568
setup.exe
HEAD
200
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
3784
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1568
setup.exe
HEAD
200
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17928.20114.cab
unknown
whitelisted
240
svchost.exe
HEAD
200
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17928.20114.cab
unknown
whitelisted
1568
setup.exe
HEAD
200
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17928.20114.cab
unknown
whitelisted
240
svchost.exe
HEAD
200
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17928.20114.cab
unknown
whitelisted
240
svchost.exe
GET
206
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17928.20114.cab
unknown
whitelisted
240
svchost.exe
GET
200
163.177.116.4:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.17928.20114.cab
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6612
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6776
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6112
svchost.exe
20.190.160.20:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6112
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.76
  • 40.126.32.136
  • 40.126.32.140
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.133
  • 40.126.32.68
  • 20.190.160.17
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
  • 23.218.209.163
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
officeclient.microsoft.com
  • 52.109.8.89
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Microsoft Office 365 ProPlus - Online Installer 3.2.6 [FileCR].zip