File name: SetupProd_OffScrub.exe

Full analysis: https://app.any.run/tasks/11ea1618-eec0-4425-984c-6cadca6d629f
Verdict: Malicious activity
Analysis date: August 09, 2024, 03:38:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A9A189E7C270B711628D3E8C546700BC
SHA1: A236FFD2C90D5F4E9CEBBC53FA60B17949950CC8
SHA256: 6895CE7DFAFE88CB01C8017E1BAFE31D6B311E72C151D20EDF27BF779C3868BB
SSDEEP: 3072:VA/cdv7411xlZ9bxAZLi7+T6e0Q2vKH2wlh:V44T4VPAci2wlh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Unrestricted)

      • Microsoft.Sara.exe (PID: 4436)
      • powershell.exe (PID: 6720)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • SetupProd_OffScrub.exe (PID: 6428)
      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 4436)
    • Process drops legitimate windows executable

      • SetupProd_OffScrub.exe (PID: 6428)
      • dfsvc.exe (PID: 6488)
    • Starts a Microsoft application from unusual location

      • SetupProd_OffScrub.exe (PID: 6380)
      • SetupProd_OffScrub.exe (PID: 6428)
    • Searches for installed software

      • SetupProd_OffScrub.exe (PID: 6428)
      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads security settings of Internet Explorer

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads Internet Explorer settings

      • dfsvc.exe (PID: 6488)
    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads the date of Windows installation

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
    • Creates a software uninstall entry

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
    • The process drops C-runtime libraries

      • dfsvc.exe (PID: 6488)
    • The process creates files with name similar to system file names

      • dfsvc.exe (PID: 6488)
    • Checks Windows Trust Settings

      • dfsvc.exe (PID: 6488)
      • dfsvc.exe (PID: 5464)
    • Reads the Windows owner or organization settings

      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads Microsoft Outlook installation path

      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
    • Starts POWERSHELL.EXE for commands execution

      • Microsoft.Sara.exe (PID: 4436)
      • powershell.exe (PID: 6720)
    • Uses SYSTEMINFO.EXE to read the environment

      • powershell.exe (PID: 7048)
    • The process executes Powershell scripts

      • Microsoft.Sara.exe (PID: 4436)
      • powershell.exe (PID: 6720)
    • Application launched itself

      • powershell.exe (PID: 6720)
  • INFO

    • Checks supported languages

      • SetupProd_OffScrub.exe (PID: 6428)
      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Create files in a temporary directory

      • SetupProd_OffScrub.exe (PID: 6428)
      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads the machine GUID from the registry

      • dfsvc.exe (PID: 6488)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
    • Creates files or folders in the user directory

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
      • dfsvc.exe (PID: 5464)
    • Reads Environment values

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads the computer name

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Disables trace logs

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Checks proxy server information

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Reads the software policy settings

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
      • Microsoft.Sara.exe (PID: 4436)
    • Process checks whether UAC notifications are on

      • dfsvc.exe (PID: 6488)
    • Dropped object may contain TOR URL's

      • dfsvc.exe (PID: 6488)
    • The process uses the downloaded file

      • dfsvc.exe (PID: 6488)
      • dfsvc.exe (PID: 5464)
    • Process checks computer location settings

      • dfsvc.exe (PID: 6488)
      • Microsoft.Sara.exe (PID: 6748)
      • dfsvc.exe (PID: 5464)
    • Reads Microsoft Office registry keys

      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
    • Creates files in the program directory

      • Microsoft.Sara.exe (PID: 6748)
    • Reads CPU info

      • Microsoft.Sara.exe (PID: 6748)
      • Microsoft.Sara.exe (PID: 4436)
    • Gets the execution policy for the powershell session

      • Microsoft.Sara.exe (PID: 4436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:05:30 03:39:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.12
CodeSize: 74752
InitializedDataSize: 114688
UninitializedDataSize: -
EntryPoint: 0x2b03
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft Support and Recovery Assistant for Office 365
FileVersion: 1.0.0.0
LegalCopyright: © Microsoft Corporation. All rights reserved.
ProductName: Microsoft Support and Recovery Assistant for Office 365
ProductVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 161
Monitored processes: 19
Malicious processes: 7
Suspicious processes: 1

Behavior graph

start setupprod_offscrub.exe rundll32.exe no specs dfsvc.exe microsoft.sara.exe rundll32.exe dfsvc.exe microsoft.sara.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs systeminfo.exe no specs tiworker.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs setupprod_offscrub.exe no specs

Process information

PID: 1948
CMD: "powershell.exe" Get-ExecutionPolicy
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Microsoft.Sara.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2228
CMD: "C:\WINDOWS\system32\systeminfo.exe" /fo csv
Path: C:\Windows\SysWOW64\systeminfo.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Displays system information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\systeminfo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 2872
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3076
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4436
CMD: "C:\Users\admin\AppData\Local\Apps\2.0\HL3OWQTJ.505\7PLRGVR9.0ZV\micr..tion_5661bd3e342e4e9f_0011.0001_26fca47aefbf1d7f\Microsoft.Sara.exe"
Path: C:\Users\admin\AppData\Local\Apps\2.0\HL3OWQTJ.505\7PLRGVR9.0ZV\micr..tion_5661bd3e342e4e9f_0011.0001_26fca47aefbf1d7f\Microsoft.Sara.exe
Parent process: dfsvc.exe
User: admin
Company: Microsoft Corporation.
Integrity Level: HIGH
Description: Microsoft Support and Recovery Assistant
Version: 17.01.2011.000
Modules (images):
c:\users\admin\appdata\local\apps\2.0\hl3owqtj.505\7plrgvr9.0zv\micr..tion_5661bd3e342e4e9f_0011.0001_26fca47aefbf1d7f\microsoft.sara.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 5040
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Modules Installer Worker
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules (images):
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 5464
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: ClickOnce
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\dfsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6124
CMD: "C:\WINDOWS\SysWOW64\rundll32.exe" dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&runasadmin=true
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: Microsoft.Sara.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6380
CMD: "C:\Users\admin\AppData\Local\Temp\SetupProd_OffScrub.exe"
Path: C:\Users\admin\AppData\Local\Temp\SetupProd_OffScrub.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Support and Recovery Assistant for Office 365
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\setupprod_offscrub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 6428
CMD: "C:\Users\admin\AppData\Local\Temp\SetupProd_OffScrub.exe"
Path: C:\Users\admin\AppData\Local\Temp\SetupProd_OffScrub.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Support and Recovery Assistant for Office 365
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\local\temp\setupprod_offscrub.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
Total events: 63 730
Read events: 59 311
Write events: 3 467
Delete events: 952

Modification events

PID: 6488 | Process: dfsvc.exe | Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 | Operation: write | Name: ComponentStore_RandomString | Value: 5H5TMMCG4Q7B8RYMMW6PAQMC
PID: 6488 | Process: dfsvc.exe | Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 | Operation: delete value | Name: ComponentStore_RandomString | Value: 5H5TMMCG4Q7B8RYMMW6PAQMC
PID: 6488 | Process: dfsvc.exe | Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 | Operation: delete key | Name: (default) | Value:
PID: 6488 | Process: dfsvc.exe | Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 | Operation: write | Name: ComponentStore_RandomString | Value: HL3OWQTJ5057PLRGVR90ZV2E
PID: 6488 | Process: dfsvc.exe | Key: HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager | Operation: write | Name: StateStore_RandomString | Value: MWJXOQNW2LMXC713XM4MGKVL
PID: 6488 | Process: dfsvc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
PID: 6488 | Process: dfsvc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID: 6488 | Process: dfsvc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
PID: 6488 | Process: dfsvc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
PID: 6488 | Process: dfsvc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
Executable files: 396
Suspicious files: 203
Text files: 527
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\Local\Temp\Deployment\CKANDN45.P9V\5QPG5JMR.M91\SaraEULA.txt | Type: text
MD5:A811F7A46C12ED29C5713A64F528569A
SHA256:30AFE28070DD647EFB545549CBDDCBBF9D40C7424BC93FECC8E7AE51A668D7EB
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\Local\Temp\Deployment\CKANDN45.P9V\5QPG5JMR.M91\en\excel.crashes.config.xml | Type: xml
MD5:18DE8EB6DDFDCADF929D0CEDD963BA6D
SHA256:D8117328E9020E3623AE144BAB81412B189C72D0A8C28BAFDFE8D49933B2FE65
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE | Type: binary
MD5:DA10A40995DF7CA317BA9329E52EB18F
SHA256:AFF064F84D210DA2D02F18052AD09ADA2552A8E73ADEF7C1001C63F0148ACA26
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | Type: binary
MD5:4A67FCAB16594BE8EE51280A71FAA68B
SHA256:6A60108FF005C1CDEB2EF06934A8F6E4DA09932A512EABBD54A6B417A78B8F05
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\Local\Temp\Deployment\CKANDN45.P9V\5QPG5JMR.M91\en\offcat.config.xml | Type: xml
MD5:146D0C42C4F6111DC20CCE076B7F5DB4
SHA256:FD3D83ABB166819AD9EA49350456BC39A191F7C58F4B97C94B309DD2C71D2587
PID: 6428 | Process: SetupProd_OffScrub.exe | Filename: C:\Users\admin\AppData\Local\Temp\SaraSetup.log | Type: binary
MD5:396047AFCE4DED80E2777C9CA6CB8209
SHA256:474437587D28CC67F9076DA89FEDBF0286AB572B492467494301FCB404138585
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE | Type: der
MD5:A20961D8BD1A5A7D241026D0011751FB
SHA256:4D6AE5BBEF0EACFDC09D5ADE4D145E883CF41B131E4C6988738769F1D32E12F3
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\Local\Temp\Deployment\CKANDN45.P9V\5QPG5JMR.M91\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll | Type: executable
MD5:DAD75B06FCDBA45BC622BAF0582E806A
SHA256:C24A11C0E4AE4BD202DBC2002CBA4E29B18A5008063DCE2ABC922B7078E7519B
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\Local\Temp\Deployment\CKANDN45.P9V\5QPG5JMR.M91\en\lync.config.xml | Type: xml
MD5:C9AED8918515A0B7D64080E75E55705D
SHA256:2CA2FD970AABE2682C3D851C41F0A4058246BC39CCAA98BA6B6136CB9979D072
PID: 6488 | Process: dfsvc.exe | Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | Type: binary
MD5:C7D1234376F3389D6C220F0DCF24341B
SHA256:F67F7E62B47D1C4D9059F9F01FF40D52044EE81F594C5B8C8925C254381061E5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 51
DNS requests: 24
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6488 | dfsvc.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
6488 | dfsvc.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | whitelisted
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6488 | dfsvc.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | whitelisted
3160 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6868 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6896 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6488 | dfsvc.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2436 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2388 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
6488 | dfsvc.exe | 152.199.19.160:443 | outlookdiagnostics.azureedge.net | EDGECAST | US | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2436 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6488 | dfsvc.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
6488 | dfsvc.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.74.206
whitelisted
outlookdiagnostics.azureedge.net
  • 152.199.19.160
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.bing.com
  • 2.23.209.187
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.149
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.68
  • 20.190.160.17
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.136
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
Process: Message
SetupProd_OffScrub.exe: Version verficiation success
SetupProd_OffScrub.exe: Current .net version is 533325
SetupProd_OffScrub.exe: Fail to query SaraInstalled value
SetupProd_OffScrub.exe: C:\WINDOWS\system32\rundll32.exe dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&symptomid=3a1b3aa0-0969-4860-a9b8-ad13e3c81cf8
SetupProd_OffScrub.exe: Start to install Office 365 Support and Recovery Assistant