File name: Activador Office 2010 Windows 7 y 8.rar

Full analysis: https://app.any.run/tasks/36441815-eb12-435b-97d5-44860301c9ad
Verdict: Malicious activity
Analysis date: March 09, 2020, 00:05:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: 93E98070A5BB96B8C4696B08EC14D39C
SHA1: D329E2D532C5E69F394E98F67AF5872D26E24AE8
SHA256: 4B057D1798DD88485CD22106128E58E1DC8D0A7D5F8C33E31A0EADF9C6C0AFC5
SSDEEP: 393216:38Le1VvaEqQAS6nbCX2dOsspNjJ/VeY+z++0:38Le1uykfDeTC+Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler DLL interface

      • Office 2010 Toolkit.exe (PID: 2364)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Office 2010 Toolkit.exe (PID: 2364)
    • Executes scripts

      • Office 2010 Toolkit.exe (PID: 2364)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 3732)
  • INFO

    • Manual execution by user

      • Office 2010 Toolkit.exe (PID: 256)
      • Office 2010 Toolkit.exe (PID: 2364)
    • Dropped object may contain Bitcoin addresses

      • Office 2010 Toolkit.exe (PID: 2364)
    • Reads Microsoft Office registry keys

      • Office 2010 Toolkit.exe (PID: 2364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 12642511
UncompressedSize: 37329920
OperatingSystem: Win32
ModifyDate: 2011:08:02 18:57:00
PackingMethod: Best Compression
ArchivedFileName: Office 2010 Toolkit.exe
No data.
All screenshots are available in the full report
Total processes: 59
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph (start): winrar.exe (no specs), office 2010 toolkit.exe (no specs), office 2010 toolkit.exe, vbc.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), reg.exe (no specs)

Process information

(Columns: PID, CMD, Path, Indicators, Parent process)
PID: 256
CMD: "C:\Users\admin\Desktop\Office 2010 Toolkit.exe"
Path: C:\Users\admin\Desktop\Office 2010 Toolkit.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Office 2010 Toolkit
Exit code: 3221226540
Version: 2.2.3.0
Loaded modules (images):
c:\users\admin\desktop\office 2010 toolkit.exe
c:\systemroot\system32\ntdll.dll
PID: 604
CMD: REG EXPORT HKLM\SOFTWARE\Microsoft\Office\14.0\Registration "C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\Registration32.reg"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 620
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Activador Office 2010 Windows 7 y 8.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Loaded modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2236
CMD: REG EXPORT HKLM\SOFTWARE\Microsoft\Office\14.0\Registration "C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\RegistrationWOW.reg"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2364
CMD: "C:\Users\admin\Desktop\Office 2010 Toolkit.exe"
Path: C:\Users\admin\Desktop\Office 2010 Toolkit.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Office 2010 Toolkit
Exit code: 0
Version: 2.2.3.0
Loaded modules (images):
c:\users\admin\desktop\office 2010 toolkit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2408
CMD: "cmd.exe" /C REG SAVE HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform "C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\OfficeSPPInfo.hiv"
Path: C:\Windows\system32\cmd.exe
Parent process: Office 2010 Toolkit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2420
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Parent process: Office 2010 Toolkit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Visual Basic Command Line Compiler
Exit code: 0
Version: 8.0.50727.5420
Loaded modules (images):
c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 2540
CMD: "cmd.exe" /C REG EXPORT HKLM\SOFTWARE\Microsoft\Office\14.0\Registration "C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\Registration64.reg"
Path: C:\Windows\system32\cmd.exe
Parent process: Office 2010 Toolkit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Loaded modules (images):
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2612
CMD: REG EXPORT HKLM\SOFTWARE\Microsoft\Office\14.0\Registration "C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\Registration64.reg"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2848
CMD: REG SAVE HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform "C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\OfficeSPPInfo.hiv"
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules (images):
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 468
Read events: 460
Write events: 8
Delete events: 0

Modification events

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (620) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Activador Office 2010 Windows 7 y 8.rar

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (620) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 0
Suspicious files: 1
Text files: 5
Unknown types: 1

Dropped files

(Columns: PID, Process, Filename, Type)

PID 620, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa620.36491\Settings.ini
PID 620, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa620.36959\Office 2010 Toolkit.exe
PID 2364, Office 2010 Toolkit.exe: C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Files\Tokens\tokens.dat
PID 604, reg.exe: C:\Users\admin\AppData\Local\Temp\REGBDB6.tmp
PID 2612, reg.exe: C:\Users\admin\AppData\Local\Temp\REGBE23.tmp
PID 2236, reg.exe: C:\Users\admin\AppData\Local\Temp\REGBE90.tmp
PID 2364, Office 2010 Toolkit.exe: C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Files\Tokens\Cache\Cache.dat (type: binary)
PID 2364, Office 2010 Toolkit.exe: C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\Registration64.reg (type: text)
PID 2364, Office 2010 Toolkit.exe: C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\RegistrationWOW.reg (type: text)
PID 2848, reg.exe: C:\Users\admin\AppData\Local\Temp\Backups\EZ-TEMP\Registry\OfficeSPPInfo.hiv (type: hiv)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info