Malware analysis Office Installer and Office Installer+ v1.23.7z Malicious activity

Add for printing

File name:	Office Installer and Office Installer+ v1.23.7z
Full analysis:	https://app.any.run/tasks/6e43f6d8-32f9-4d98-a7f8-c29e7416bd45
Verdict:	Malicious activity
Analysis date:	February 26, 2025, 09:18:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc upx
Indicators:
MIME:	application/x-7z-compressed
File info:	7-zip archive data, version 0.4
MD5:	B37A498F9394FA2EA2D5B1763F51359E
SHA1:	1F4CEEDAD5AEB62A2CB08C8FAAD3B13F5DE750C5
SHA256:	67DCF604E1A41B1BBB7955C457B60804EDD0652C40B67B754A91B71E1BB0FDA5
SSDEEP:	98304:rv8oNVI4LtuY+kL9qfTDWE6MvUoMXDpdvSVyl06SHowjBFMsN/2kdK0vm0vmzghx:3sXdUAAfnj2VB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 2568)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 5416)
  - powershell.exe (PID: 5204)
  - powershell.exe (PID: 208)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 2568)
  - Office Installer+.exe (PID: 7052)
- Uses REG/REGEDIT.EXE to modify registry
  - Office Installer+.exe (PID: 7052)
- Stops a currently running service
  - sc.exe (PID: 1244)
- Unpacks CAB file
  - expand.exe (PID: 5084)
  - expand.exe (PID: 5932)
- Uses TASKKILL.EXE to kill process
  - Office Installer+.exe (PID: 7052)
- Executes script without checking the security policy
  - powershell.exe (PID: 5204)
- The process bypasses the loading of PowerShell profile settings
  - Office Installer+.exe (PID: 7052)
- Probably download files using WebClient
  - Office Installer+.exe (PID: 7052)
- Starts POWERSHELL.EXE for commands execution
  - Office Installer+.exe (PID: 7052)
- Starts CMD.EXE for commands execution
  - Office Installer+.exe (PID: 7052)
- Starts SC.EXE for service management
  - cmd.exe (PID: 5640)
- Executable content was dropped or overwritten
  - expand.exe (PID: 5084)
- Process drops legitimate windows executable
  - expand.exe (PID: 5084)
- The process drops C-runtime libraries
  - expand.exe (PID: 5084)
- Reads the date of Windows installation
  - Office Installer+.exe (PID: 7052)
INFO
- Local mutex for internet shortcut management
  - WinRAR.exe (PID: 2568)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2568)
- Manual execution by a user
  - Office Installer+.exe (PID: 1628)
  - Office Installer+.exe (PID: 7052)
- Reads product name
  - Office Installer+.exe (PID: 7052)
- Checks supported languages
  - Office Installer+.exe (PID: 7052)
  - expand.exe (PID: 5084)
  - expand.exe (PID: 5932)
  - OfficeClickToRun.exe (PID: 5972)
  - OfficeClickToRun.exe (PID: 6656)
- UPX packer has been detected
  - Office Installer+.exe (PID: 7052)
- Disables trace logs
  - powershell.exe (PID: 5416)
  - powershell.exe (PID: 5204)
  - powershell.exe (PID: 208)
- Checks proxy server information
  - powershell.exe (PID: 5416)
  - powershell.exe (PID: 5204)
  - powershell.exe (PID: 208)
  - OfficeClickToRun.exe (PID: 6656)
  - OfficeClickToRun.exe (PID: 5972)
- Reads Environment values
  - Office Installer+.exe (PID: 7052)
- Reads the computer name
  - Office Installer+.exe (PID: 7052)
  - OfficeClickToRun.exe (PID: 5972)
  - OfficeClickToRun.exe (PID: 6656)
- Creates files in the program directory
  - Office Installer+.exe (PID: 7052)
  - expand.exe (PID: 5084)
  - expand.exe (PID: 5932)
  - OfficeClickToRun.exe (PID: 5972)
- The sample compiled with japanese language support
  - expand.exe (PID: 5084)
- The sample compiled with english language support
  - expand.exe (PID: 5084)
- The sample compiled with arabic language support
  - expand.exe (PID: 5084)
- The sample compiled with bulgarian language support
  - expand.exe (PID: 5084)
- The sample compiled with czech language support
  - expand.exe (PID: 5084)
- The sample compiled with Indonesian language support
  - expand.exe (PID: 5084)
- The sample compiled with french language support
  - expand.exe (PID: 5084)
- The sample compiled with Italian language support
  - expand.exe (PID: 5084)
- The sample compiled with korean language support
  - expand.exe (PID: 5084)
- Reads the machine GUID from the registry
  - expand.exe (PID: 5084)
  - expand.exe (PID: 5932)
  - OfficeClickToRun.exe (PID: 5972)
- The sample compiled with spanish language support
  - expand.exe (PID: 5084)
- The sample compiled with german language support
  - expand.exe (PID: 5084)
- The sample compiled with polish language support
  - expand.exe (PID: 5084)
- The sample compiled with turkish language support
  - expand.exe (PID: 5084)
- The sample compiled with russian language support
  - expand.exe (PID: 5084)
- The sample compiled with portuguese language support
  - expand.exe (PID: 5084)
- The sample compiled with slovak language support
  - expand.exe (PID: 5084)
- The sample compiled with swedish language support
  - expand.exe (PID: 5084)
- The sample compiled with chinese language support
  - expand.exe (PID: 5084)
- Reads Microsoft Office registry keys
  - OfficeClickToRun.exe (PID: 5972)
  - OfficeClickToRun.exe (PID: 6656)
- Create files in a temporary directory
  - OfficeClickToRun.exe (PID: 6656)
- Process checks computer location settings
  - Office Installer+.exe (PID: 7052)
- Executes as Windows Service
  - OfficeClickToRun.exe (PID: 5972)
- Reads the software policy settings
  - OfficeClickToRun.exe (PID: 5972)
  - slui.exe (PID: 1132)
- Creates files or folders in the user directory
  - OfficeClickToRun.exe (PID: 6656)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.7z	\|	7-Zip compressed archive (v0.4) (57.1)
.7z	\|	7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion:	7z v0.04
ModifyDate:	2025:02:26 09:16:30+00:00
ArchivedFileName:	Office Installer and Office Installer+ v1.23

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

"powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/i641049.cab', 'C:\Users\admin\AppData\Local\Temp\i641049.cab') }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Office Installer+.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

1052

"taskkill.exe" /t /f /IM OfficeC2RClient.exe

C:\Windows\System32\taskkill.exe

—

Office Installer+.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1132

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1244

sc.exe stop ClickToRunSvc

C:\Windows\System32\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

1324

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1628

"C:\Users\admin\Desktop\Office Installer+.exe"

C:\Users\admin\Desktop\Office Installer+.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\office installer+.exe
c:\windows\system32\ntdll.dll

2152

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2568

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Office Installer and Office Installer+ v1.23.7z"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2904

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

taskkill.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3096

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

reg.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

30 644

Read events

30 474

Write events

Delete events

104

Modification events


(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Office Installer and Office Installer+ v1.23.7z
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(2568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6324) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
Operation:	write	Name:	Enabled
Value: 1
(PID) Process:	(6656) OfficeClickToRun.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2

Add for printing

Executable files

227

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5416	powershell.exe	C:\Users\admin\AppData\Local\Temp\i640.cab		—
		MD5:—	SHA256:—
2568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2568.31580\Office Installer and Office Installer+ v1.23\TrucNet com.url		binary
		MD5:83C366FC52C23CDD84730CFBA47B1B2A	SHA256:692AB43C0C2CE3572DABD608FD634125C9CF3D8EE75417D9779D942BE3707D9C
5204	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kjf0prae.bxw.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2568.31580\Office Installer and Office Installer+ v1.23\x86\Office Installer x86.exe		executable
		MD5:3F02DD1C5D6329B7187BD7FC6C00650A	SHA256:559A26CD984B671BAC7D004413067C7F1C419BE63B0148615AE979A44C855C6E
2568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2568.31580\Office Installer and Office Installer+ v1.23\x86\Office Installer+ x86.exe		executable
		MD5:0CEB63031498D7736742A4810B00C8FA	SHA256:B6600A6A379E8490EF65A03C58AD11391009D51379485A2EF811570C9606B4C4
7052	Office Installer+.exe	C:\Users\admin\Desktop\Office Installer+.ini		text
		MD5:B90C44F46D9B2EC51569FAEB1D4D6E59	SHA256:0E9A740B0A4318193F144080001DE18EB7CC66843490D4F001CC6AC24F49340A
5204	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hbrq2toj.chn.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5084	expand.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll		executable
		MD5:ADB3471F89E47CD93B6854D629906809	SHA256:355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69
2568	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa2568.31580\Office Installer and Office Installer+ v1.23\readme.txt		text
		MD5:12375B2DDE747D77BF0B7DB82AB4156A	SHA256:E04333CF761799984427DF864BADC3810DDF588F7E022B84B3D6C555934B2811
5204	powershell.exe	C:\Users\admin\AppData\Local\Temp\files\ver.txt		text
		MD5:EEBC76213CCE2BBDBB1DBDAB9476870A	SHA256:2EF0FDFEF22AA979D41A076361241ED423B960B29BE3BC04795F751A6DA095F4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3768	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3768	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5416	powershell.exe	GET	200	199.232.210.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/i640.cab	unknown	—	—	whitelisted
208	powershell.exe	GET	200	199.232.210.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/i641049.cab	unknown	—	—	whitelisted
3116	svchost.exe	GET	200	199.232.210.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/s640.cab.phf	unknown	—	—	whitelisted
3116	svchost.exe	GET	206	199.232.210.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/s641049.cab	unknown	—	—	whitelisted
3116	svchost.exe	GET	206	199.232.214.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/s641040.cab	unknown	—	—	whitelisted
3116	svchost.exe	GET	206	199.232.214.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/s640.cab	unknown	—	—	whitelisted
3116	svchost.exe	GET	206	199.232.214.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/s641036.cab	unknown	—	—	whitelisted
3116	svchost.exe	GET	206	199.232.214.172:80	http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20857/s640.cab	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6544	svchost.exe	20.190.160.4:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3008	backgroundTaskHost.exe	184.86.251.4:443	www.bing.com	Akamai International B.V.	DE	whitelisted
2040	backgroundTaskHost.exe	20.31.169.57:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5204	powershell.exe	52.109.89.117:443	mrodevicemgr.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5416	powershell.exe	199.232.210.172:80	officecdn.microsoft.com	FASTLY	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
login.live.com	20.190.160.4 40.126.32.133 40.126.32.76 40.126.32.68 20.190.160.5 20.190.160.131 40.126.32.72 40.126.32.74	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
www.bing.com	184.86.251.4 184.86.251.19 184.86.251.30 184.86.251.21 184.86.251.5 184.86.251.25 184.86.251.26 184.86.251.27 184.86.251.23	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted
mrodevicemgr.officeapps.live.com	52.109.89.117	whitelisted
self.events.data.microsoft.com	20.42.73.26 20.189.173.24	whitelisted
officecdn.microsoft.com	199.232.210.172 199.232.214.172	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Office Installer and Office Installer+ v1.23.7z

B37A498F9394FA2EA2D5B1763F51359E

1F4CEEDAD5AEB62A2CB08C8FAAD3B13F5DE750C5

67DCF604E1A41B1BBB7955C457B60804EDD0652C40B67B754A91B71E1BB0FDA5

98304:rv8oNVI4LtuY+kL9qfTDWE6MvUoMXDpdvSVyl06SHowjBFMsN/2kdK0vm0vmzghx:3sXdUAAfnj2VB

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Script downloads file (POWERSHELL)

SUSPICIOUS

Reads security settings of Internet Explorer

Uses REG/REGEDIT.EXE to modify registry

Stops a currently running service

Unpacks CAB file

Uses TASKKILL.EXE to kill process

Executes script without checking the security policy

The process bypasses the loading of PowerShell profile settings

Probably download files using WebClient

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

Starts SC.EXE for service management

Executable content was dropped or overwritten

Process drops legitimate windows executable

The process drops C-runtime libraries

Reads the date of Windows installation

INFO

Local mutex for internet shortcut management

Executable content was dropped or overwritten

Manual execution by a user

Reads product name

Checks supported languages

UPX packer has been detected

Disables trace logs

Checks proxy server information

Reads Environment values

Reads the computer name

Creates files in the program directory

The sample compiled with japanese language support

The sample compiled with english language support

The sample compiled with arabic language support

The sample compiled with bulgarian language support

The sample compiled with czech language support

The sample compiled with Indonesian language support

The sample compiled with french language support

The sample compiled with Italian language support

The sample compiled with korean language support

Reads the machine GUID from the registry

The sample compiled with spanish language support

The sample compiled with german language support

The sample compiled with polish language support

The sample compiled with turkish language support

The sample compiled with russian language support

The sample compiled with portuguese language support

The sample compiled with slovak language support

The sample compiled with swedish language support

The sample compiled with chinese language support

Reads Microsoft Office registry keys

Create files in a temporary directory

Process checks computer location settings

Executes as Windows Service

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information