Malware analysis SetupProd_OffScrub.exe Malicious activity

Add for printing

File name:	SetupProd_OffScrub.exe
Full analysis:	https://app.any.run/tasks/749d03be-c774-417d-ad9d-ffc7b02cbae1
Verdict:	Malicious activity
Analysis date:	February 23, 2024, 19:41:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A9A189E7C270B711628D3E8C546700BC
SHA1:	A236FFD2C90D5F4E9CEBBC53FA60B17949950CC8
SHA256:	6895CE7DFAFE88CB01C8017E1BAFE31D6B311E72C151D20EDF27BF779C3868BB
SSDEEP:	3072:VA/cdv7411xlZ9bxAZLi7+T6e0Q2vKH2wlh:V44T4VPAci2wlh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
  - Setup.exe (PID: 1044)
- Changes powershell execution policy (Unrestricted)
  - Microsoft.Sara.exe (PID: 3352)
  - powershell.exe (PID: 2120)
- Checks whether a specified folder exists (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets TEMP folder path (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets %appdata% folder path (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses environment variables (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets %windir% folder path (SCRIPT)
  - cscript.exe (PID: 3788)
- Creates a new folder (SCRIPT)
  - cscript.exe (PID: 3788)
- Uses sleep, probably for evasion detection (SCRIPT)
  - cscript.exe (PID: 3788)
- Copies file to a new location (SCRIPT)
  - cscript.exe (PID: 3788)
- Opens a text file (SCRIPT)
  - cscript.exe (PID: 3788)
- Actions looks like stealing of personal data
  - cscript.exe (PID: 3788)
SUSPICIOUS
- Starts a Microsoft application from unusual location
  - SetupProd_OffScrub.exe (PID: 3668)
  - SetupProd_OffScrub.exe (PID: 3892)
  - SetupProd_OffScrub.exe (PID: 1972)
  - SetupProd_OffScrub.exe (PID: 3996)
- Process drops legitimate windows executable
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
  - Setup.exe (PID: 1044)
- Uses RUNDLL32.EXE to load library
  - SetupProd_OffScrub.exe (PID: 3892)
  - SetupProd_OffScrub.exe (PID: 1972)
  - Microsoft.Sara.exe (PID: 2248)
- Reads the Internet Settings
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - powershell.exe (PID: 3564)
  - Microsoft.Sara.exe (PID: 3352)
  - powershell.exe (PID: 1492)
- Reads security settings of Internet Explorer
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads settings of System Certificates
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Executable content was dropped or overwritten
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
  - cscript.exe (PID: 3788)
  - Setup.exe (PID: 1044)
- Reads Internet Explorer settings
  - dfsvc.exe (PID: 2844)
- The process creates files with name similar to system file names
  - dfsvc.exe (PID: 2844)
- Creates a software uninstall entry
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
- Searches for installed software
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- The process drops C-runtime libraries
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
- Reads the Windows owner or organization settings
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 3564)
  - powershell.exe (PID: 1492)
- Starts POWERSHELL.EXE for commands execution
  - Microsoft.Sara.exe (PID: 3352)
  - powershell.exe (PID: 2120)
- Reads Microsoft Outlook installation path
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- The process executes Powershell scripts
  - Microsoft.Sara.exe (PID: 3352)
  - powershell.exe (PID: 2120)
- Application launched itself
  - powershell.exe (PID: 2120)
- Executing commands from a ".bat" file
  - Microsoft.Sara.exe (PID: 3352)
- Starts CMD.EXE for commands execution
  - Microsoft.Sara.exe (PID: 3352)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - cscript.exe (PID: 3788)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - cscript.exe (PID: 3788)
- The process executes VB scripts
  - Microsoft.Sara.exe (PID: 3352)
- Executes WMI query (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses WMI object caption (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses operating system name via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Writes binary data to a Stream object (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets computer name (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses computer name via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Checks whether a specific file exists (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses language version of the operating system installed via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Creates a Folder object (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses current user name via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Executes as Windows Service
  - VSSVC.exe (PID: 2780)
INFO
- Checks supported languages
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - SetupProd_OffScrub.exe (PID: 1972)
  - wmpnscfg.exe (PID: 2644)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads the machine GUID from the registry
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads the computer name
  - dfsvc.exe (PID: 2844)
  - wmpnscfg.exe (PID: 2644)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads Environment values
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
  - dfsvc.exe (PID: 3504)
- Creates files or folders in the user directory
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Create files in a temporary directory
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
  - cscript.exe (PID: 3788)
- Checks proxy server information
  - dfsvc.exe (PID: 2844)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads the software policy settings
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Process checks whether UAC notifications are on
  - dfsvc.exe (PID: 2844)
- Manual execution by a user
  - SetupProd_OffScrub.exe (PID: 3996)
  - SetupProd_OffScrub.exe (PID: 1972)
  - wmpnscfg.exe (PID: 2644)
- Dropped object may contain TOR URL's
  - dfsvc.exe (PID: 2844)
- Creates files in the program directory
  - Microsoft.Sara.exe (PID: 2248)
- Reads Microsoft Office registry keys
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Reads CPU info
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Reads product name
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Gets the execution policy for the powershell session
  - Microsoft.Sara.exe (PID: 3352)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 3788)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:05:30 03:39:47+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.12
CodeSize:	74752
InitializedDataSize:	114688
UninitializedDataSize:	-
EntryPoint:	0x2b03
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Support and Recovery Assistant for Office 365
FileVersion:	1.0.0.0
LegalCopyright:	© Microsoft Corporation. All rights reserved.
ProductName:	Microsoft Support and Recovery Assistant for Office 365
ProductVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

668

"powershell.exe" (systeminfo /fo csv | ConvertFrom-Csv | Select-Object OS*)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

956

"cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmpDF60.tmp.bat"

C:\Windows\System32\cmd.exe

—

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

984

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

1044

"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall OMUI.DE-DE /config "C:\Users\admin\AppData\Local\Temp\OffScrub10\config.xml" /dll OSETUP.DLL

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Setup Bootstrapper

Exit code:

Version:

14.0.6010.1000

1492

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\admin\AppData\Local\Temp\c124cb395d33416bb67f39ce272453d0.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1636

"C:\Windows\System32\rundll32.exe" dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&runasadmin=true

C:\Windows\System32\rundll32.exe

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

1972

"C:\Users\admin\Desktop\SetupProd_OffScrub.exe"

C:\Users\admin\Desktop\SetupProd_OffScrub.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Support and Recovery Assistant for Office 365

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\setupprod_offscrub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2120

"powershell.exe" PowerShell.exe -ExecutionPolicy UnRestricted -File "C:\Users\admin\AppData\Local\Temp\c124cb395d33416bb67f39ce272453d0.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2184

NET FILE

C:\Windows\System32\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

2248

"C:\Users\admin\AppData\Local\Apps\2.0\OQVLXTZK.4P5\AK6KX289.K1P\micr..tion_ac9f5adfc2cecd90_0011.0001_0965ff758e4fcdba\Microsoft.Sara.exe"

C:\Users\admin\AppData\Local\Apps\2.0\OQVLXTZK.4P5\AK6KX289.K1P\micr..tion_ac9f5adfc2cecd90_0011.0001_0965ff758e4fcdba\Microsoft.Sara.exe

dfsvc.exe

User:

admin

Company:

Microsoft Corporation.

Integrity Level:

MEDIUM

Description:

Microsoft Support and Recovery Assistant

Exit code:

Version:

17.01.1440.000

Modules

Images
c:\users\admin\appdata\local\apps\2.0\oqvlxtzk.4p5\ak6kx289.k1p\micr..tion_ac9f5adfc2cecd90_0011.0001_0965ff758e4fcdba\microsoft.sara.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Add for printing

Total events

75 635

Read events

69 126

Write events

5 533

Delete events

976

Modification events


(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:	write	Name:	StateStore_RandomString
Value: AW0N8K6CRDZWK0BPZHEXW968
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:

Add for printing

Executable files

559

Suspicious files

100

Text files

521

Unknown types

107

Dropped files

PID	Process	Filename		Type
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\Microsoft.Sara.exe.manifest		xml
		MD5:E25AFCCC4E391C271DBD9BB2A27DC119	SHA256:CD0208DF034A90A186659721811B715D27356D18A072CBDAAD2E381225DACCA0
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\3NQLP1OM.log		text
		MD5:A6CACCCAB1232E7A984DD0F353DEB4D2	SHA256:47E95355E984CA886E3729F9908745196767F87C3B864E31E5A1C4726CE64CD5
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\SaraEULA.txt		text
		MD5:A811F7A46C12ED29C5713A64F528569A	SHA256:30AFE28070DD647EFB545549CBDDCBBF9D40C7424BC93FECC8E7AE51A668D7EB
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\3PR7LTP0.EVQ\KB01VMMW.AC7.application		xml
		MD5:9B213711124DBFFDFF31CEACB5655A8A	SHA256:CDD0A53ADCDA4BC804273C4E75BE4E3A7AAA13346E348308C6698705B541F23C
3892	SetupProd_OffScrub.exe	C:\Users\admin\AppData\Local\Temp\SaraSetup.log		binary
		MD5:C5E4E94A8ED0F7B85E7C808BAB2571E0	SHA256:57B9D705B001B8094AF56E8BC2DAFDDC2AB1359EAC5C3BE7A85C22C70DAC3D73
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\excel.crashes.config.xml		xml
		MD5:18DE8EB6DDFDCADF929D0CEDD963BA6D	SHA256:D8117328E9020E3623AE144BAB81412B189C72D0A8C28BAFDFE8D49933B2FE65
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\sara2.ico		image
		MD5:64ABE480FD183A30B203DAAC7A523821	SHA256:38FE914C14F96C6BECB22203D722E15036A49F78E085F339236BC7E18D6D3A06
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\tools\x64\mrmapi.exe		executable
		MD5:2B09ABEFDC84D46D10C2A83B0870F3D4	SHA256:973DEE4EE73FDF7BC5815D7EDF3DDEE8E0C40B259BC1DCDE603B0BB3AE732CAA
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll		executable
		MD5:DAD75B06FCDBA45BC622BAF0582E806A	SHA256:C24A11C0E4AE4BD202DBC2002CBA4E29B18A5008063DCE2ABC922B7078E7519B
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\common.config.xml		xml
		MD5:8F5661F6AF76254D95625FE840AD69D5	SHA256:0C55E10A40C8B51CA19C6596A279D3BC44910887A839425BBEC6A0403774D02D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2844	dfsvc.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2248	Microsoft.Sara.exe	20.84.169.20:443	sara.api.support.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3504	dfsvc.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
3352	Microsoft.Sara.exe	20.84.169.20:443	sara.api.support.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3352	Microsoft.Sara.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
3352	Microsoft.Sara.exe	20.120.45.53:443	sara.api.support.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
outlookdiagnostics.azureedge.net	152.199.19.160	whitelisted
sara.api.support.microsoft.com	20.84.169.20 20.120.45.53	whitelisted

Threats

No threats detected

Add for printing

Process	Message
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Number of uninstallRootKey is 0
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	C:\Windows\system32\rundll32.exe dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&symptomid=3a1b3aa0-0969-4860-a9b8-ad13e3c81cf8
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Start to install Office 365 Support and Recovery Assistant
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Version verficiation success
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Current .net version is 528049

General Info

SetupProd_OffScrub.exe

A9A189E7C270B711628D3E8C546700BC

A236FFD2C90D5F4E9CEBBC53FA60B17949950CC8

6895CE7DFAFE88CB01C8017E1BAFE31D6B311E72C151D20EDF27BF779C3868BB

3072:VA/cdv7411xlZ9bxAZLi7+T6e0Q2vKH2wlh:V44T4VPAci2wlh

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes powershell execution policy (Unrestricted)

Checks whether a specified folder exists (SCRIPT)

Gets TEMP folder path (SCRIPT)

Gets %appdata% folder path (SCRIPT)

Accesses environment variables (SCRIPT)

Gets %windir% folder path (SCRIPT)

Creates a new folder (SCRIPT)

Uses sleep, probably for evasion detection (SCRIPT)

Copies file to a new location (SCRIPT)

Opens a text file (SCRIPT)

Actions looks like stealing of personal data

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Uses RUNDLL32.EXE to load library

Reads the Internet Settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Executable content was dropped or overwritten

Reads Internet Explorer settings

The process creates files with name similar to system file names

Creates a software uninstall entry

Searches for installed software

The process drops C-runtime libraries

Reads the Windows owner or organization settings

Using PowerShell to operate with local accounts

Starts POWERSHELL.EXE for commands execution

Reads Microsoft Outlook installation path

The process executes Powershell scripts

Application launched itself

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

The process executes VB scripts

Executes WMI query (SCRIPT)

Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

Accesses WMI object caption (SCRIPT)

Accesses operating system name via WMI (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Gets computer name (SCRIPT)

Accesses computer name via WMI (SCRIPT)

Checks whether a specific file exists (SCRIPT)

Accesses language version of the operating system installed via WMI (SCRIPT)

Creates a Folder object (SCRIPT)

Accesses current user name via WMI (SCRIPT)

Executes as Windows Service

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Reads Environment values

Creates files or folders in the user directory

Create files in a temporary directory

Checks proxy server information

Reads the software policy settings

Process checks whether UAC notifications are on

Manual execution by a user

Dropped object may contain TOR URL's

Creates files in the program directory

Reads Microsoft Office registry keys

Reads CPU info

Reads product name

Gets the execution policy for the powershell session

Reads security settings of Internet Explorer

Malware configuration

Static information