File name: Office Converter Pack.exe

Full analysis: https://app.any.run/tasks/e0dca1d1-f79b-4952-8739-ae8931863913
Verdict: Malicious activity
Analysis date: October 09, 2019, 15:22:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
MD5: C16FE4A973855B9A3944CB035C0DD82A
SHA1: 6FD4CDE3461F634359BFE7DCF837674F51B6752F
SHA256: 6412FA3DCE709FF735B52D21BDAF5CA98CA05F86E2AF9E5B8EE03B511366635F
SSDEEP: 196608:6FQGLMGReuFcN5WKYf0Qm9PmxS1h++L83b6TxcFug9QFo:E4huFEbYvwAi03bh8/K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SETUP.EXE (PID: 3076)
    • Changes the autorun value in the registry

      • Office Converter Pack.exe (PID: 3940)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Office Converter Pack.exe (PID: 3940)
      • OSE.EXE (PID: 3452)
      • msiexec.exe (PID: 2720)
      • msiexec.exe (PID: 3728)
    • Starts Microsoft Installer

      • SETUP.EXE (PID: 3076)
    • Executed as Windows Service

      • OSE.EXE (PID: 3452)
      • vssvc.exe (PID: 2240)
    • Executed via COM

      • DrvInst.exe (PID: 3416)
    • Creates COM task schedule object

      • msiexec.exe (PID: 3728)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 3728)
  • INFO

    • Reads Microsoft Office registry keys

      • MsiExec.exe (PID: 3380)
      • MsiExec.exe (PID: 3312)
    • Searches for installed software

      • msiexec.exe (PID: 3728)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2240)
    • Application launched itself

      • msiexec.exe (PID: 3728)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3728)
      • MsiExec.exe (PID: 3312)
    • Creates files in the program directory

      • msiexec.exe (PID: 3728)
    • Manual execution by user

      • cmd.exe (PID: 3012)
No Malware configuration.

TRiD

.exe | Microsoft Update - Self Extracting Cabinet (82.1)
.exe | Win32 Executable MS Visual C++ (generic) (7.5)
.exe | Win64 Executable (generic) (6.6)
.dll | Win32 Dynamic Link Library (generic) (1.5)
.exe | Win32 Executable (generic) (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:08:18 03:42:57+02:00
PEType: PE32
LinkerVersion: 7
CodeSize: 34816
InitializedDataSize: 7439360
UninitializedDataSize: -
EntryPoint: 0x5a5e
OSVersion: 5.1
ImageVersion: 5.1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 11.0.5614.0
ProductVersionNumber: 11.0.5614.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Office 2003 Resource Kit Self-Extracting Installer
FileVersion: 11.0.5614
InternalName: ork.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: ork.exe
ProductName: Microsoft Office 2003 Resource Kit
ProductVersion: 11.0.5614
Total processes: 51
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 1

Behavior graph (interactive in the full report; node labels only, in graph order): office converter pack.exe (drop and start), setup.exe, ose.exe, msiexec.exe (x5), vssvc.exe, drvinst.exe, cmd.exe, office converter pack.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 2240
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2720
CMD: "C:\Windows\system32\msiexec.exe" /I "C:\MSOCache\All Users\90240409-6000-11D3-8CFE-0150048383C9\ORK.MSI" CDCACHE=2 LAUNCHEDFROMSETUP=1 SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ SETUPEXENAME=SETUP.EXE /lpiwaeo "C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001)_Task(0001).txt" STANDALONEOSE="C:\MSOCache\All Users\90240409-6000-11D3-8CFE-0150048383C9\FILES\SETUP\OSE.EXE" CDCACHE="2" DELETABLECACHE="1" LOCALCACHEDRIVE="C" DWSETUPLOGFILE="C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001).txt" DWMSILOGFILE="C:\Users\admin\AppData\Local\Temp\Microsoft Office 2003 Resource Kit Setup(0001)_Task(0001).txt"
Path: C:\Windows\system32\msiexec.exe
Parent process: SETUP.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3012
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3076
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE /iexpress CDCACHE=2
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\SETUP.EXE
Parent process: Office Converter Pack.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Setup Bootstrapper
Exit code: 0
Version: 11.0.5510
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 3296
CMD: C:\Windows\system32\MsiExec.exe -Embedding D6095E7E85A35C3CB1A50C9089005222 M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3312
CMD: C:\Windows\system32\MsiExec.exe -Embedding 704E1349A4177443310EB23203175081
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3380
CMD: C:\Windows\system32\MsiExec.exe -Embedding DFADD9E95276F31CB246B71885DB2EB6 C
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3416
CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000390" "000005CC"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 3452
CMD: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Path: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Office Source Engine
Exit code: 0
Version: 14.0.4730.1010
Modules
Images
c:\program files\common files\microsoft shared\source engine\ose.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\winhttp.dll
PID: 3588
CMD: "C:\Users\admin\AppData\Local\Temp\Office Converter Pack.exe"
Path: C:\Users\admin\AppData\Local\Temp\Office Converter Pack.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office 2003 Resource Kit Self-Extracting Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited and the installer ran again elevated as PID 3940)
Version: 11.0.5614
Modules
Images
c:\users\admin\appdata\local\temp\office converter pack.exe
c:\systemroot\system32\ntdll.dll
Total events: 1 126
Read events: 550
Write events: 559
Delete events: 17

Modification events

Process: (3940) Office Converter Pack.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: wextract_cleanup0
Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"

Process: (3076) SETUP.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSetup_Chaining\ChainedInstalls\-1001
Operation: delete key

Process: (3076) SETUP.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSetup_Chaining\ChainedInstalls
Operation: write
Name: MainTaskName
Value: Microsoft Office 2003 Resource Kit

Process: (3076) SETUP.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSetup_Chaining\ChainedInstalls\0
Operation: write
Name: TaskName
Value: Microsoft Office 2003 Resource Kit

Process: (3076) SETUP.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSetup_Chaining\ChainedInstalls\0
Operation: write
Name: Path
Value: C:\Windows\system32\msiexec.exe

Process: (3076) SETUP.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSetup_Chaining\ChainedInstalls\0
Operation: write
Name: CmdLine
Value: /I C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ORK.MSI CDCACHE="2" LAUNCHEDFROMSETUP="1" SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\IXP000.TMP\" SETUPEXENAME="SETUP.EXE"

Process: (3076) SETUP.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSetup_Chaining\ChainedInstalls\0
Operation: delete key

Process: (3452) OSE.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Delivery\SourceEngine\Downloads\90240409-6000-11D3-8CFE-0150048383C9
Operation: write
Name: Type
Value: 2

Process: (3452) OSE.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Delivery\SourceEngine\Downloads\90240409-6000-11D3-8CFE-0150048383C9
Operation: write
Name: DefaultDrive
Value: 3

Process: (3452) OSE.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Delivery\SourceEngine\Downloads\90240409-6000-11D3-8CFE-0150048383C9
Operation: write
Name: Priority
Value: 2
Executable files: 26
Suspicious files: 15
Text files: 181
Unknown types: 21

Dropped files

Columns: PID | Process | Filename (MD5 and SHA256 are not shown in this excerpt)

3940 | Office Converter Pack.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ORK.CAB
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI2E94.tmp
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI2F02.tmp
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI2F22.tmp
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI2F33.tmp
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI2F43.tmp
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI4732.tmp
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI4743.tmp
  MD5:
  SHA256:
3452 | OSE.EXE | C:\MSOCache\All Users\90240409-6000-11D3-8CFE-0150048383C9\ORK.CAB
  MD5:
  SHA256:
2720 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI55AC.tmp
  MD5:
  SHA256:
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info