Malware analysis SetupProd_OffScrub.exe Malicious activity

Add for printing

File name:	SetupProd_OffScrub.exe
Full analysis:	https://app.any.run/tasks/749d03be-c774-417d-ad9d-ffc7b02cbae1
Verdict:	Malicious activity
Analysis date:	February 23, 2024, 19:41:19
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A9A189E7C270B711628D3E8C546700BC
SHA1:	A236FFD2C90D5F4E9CEBBC53FA60B17949950CC8
SHA256:	6895CE7DFAFE88CB01C8017E1BAFE31D6B311E72C151D20EDF27BF779C3868BB
SSDEEP:	3072:VA/cdv7411xlZ9bxAZLi7+T6e0Q2vKH2wlh:V44T4VPAci2wlh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
  - Setup.exe (PID: 1044)
- Changes powershell execution policy (Unrestricted)
  - powershell.exe (PID: 2120)
  - Microsoft.Sara.exe (PID: 3352)
- Gets %windir% folder path (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses environment variables (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets TEMP folder path (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets %appdata% folder path (SCRIPT)
  - cscript.exe (PID: 3788)
- Creates a new folder (SCRIPT)
  - cscript.exe (PID: 3788)
- Checks whether a specified folder exists (SCRIPT)
  - cscript.exe (PID: 3788)
- Copies file to a new location (SCRIPT)
  - cscript.exe (PID: 3788)
- Opens a text file (SCRIPT)
  - cscript.exe (PID: 3788)
- Actions looks like stealing of personal data
  - cscript.exe (PID: 3788)
- Uses sleep, probably for evasion detection (SCRIPT)
  - cscript.exe (PID: 3788)
SUSPICIOUS
- Uses RUNDLL32.EXE to load library
  - SetupProd_OffScrub.exe (PID: 3892)
  - SetupProd_OffScrub.exe (PID: 1972)
  - Microsoft.Sara.exe (PID: 2248)
- Starts a Microsoft application from unusual location
  - SetupProd_OffScrub.exe (PID: 3668)
  - SetupProd_OffScrub.exe (PID: 3892)
  - SetupProd_OffScrub.exe (PID: 1972)
  - SetupProd_OffScrub.exe (PID: 3996)
- Process drops legitimate windows executable
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
  - Setup.exe (PID: 1044)
- Reads the Internet Settings
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
  - powershell.exe (PID: 3564)
  - powershell.exe (PID: 1492)
- Reads security settings of Internet Explorer
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads settings of System Certificates
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Executable content was dropped or overwritten
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
  - cscript.exe (PID: 3788)
  - Setup.exe (PID: 1044)
- Reads Internet Explorer settings
  - dfsvc.exe (PID: 2844)
- The process creates files with name similar to system file names
  - dfsvc.exe (PID: 2844)
- The process drops C-runtime libraries
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 3352)
- Searches for installed software
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Creates a software uninstall entry
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
- Reads the Windows owner or organization settings
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Reads Microsoft Outlook installation path
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Starts POWERSHELL.EXE for commands execution
  - Microsoft.Sara.exe (PID: 3352)
  - powershell.exe (PID: 2120)
- Using PowerShell to operate with local accounts
  - powershell.exe (PID: 3564)
  - powershell.exe (PID: 1492)
- Application launched itself
  - powershell.exe (PID: 2120)
- The process executes Powershell scripts
  - powershell.exe (PID: 2120)
  - Microsoft.Sara.exe (PID: 3352)
- Executing commands from a ".bat" file
  - Microsoft.Sara.exe (PID: 3352)
- Starts CMD.EXE for commands execution
  - Microsoft.Sara.exe (PID: 3352)
- Accesses language version of the operating system installed via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - cscript.exe (PID: 3788)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - cscript.exe (PID: 3788)
- The process executes VB scripts
  - Microsoft.Sara.exe (PID: 3352)
- Accesses operating system name via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Executes WMI query (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses WMI object caption (SCRIPT)
  - cscript.exe (PID: 3788)
- Writes binary data to a Stream object (SCRIPT)
  - cscript.exe (PID: 3788)
- Creates a Folder object (SCRIPT)
  - cscript.exe (PID: 3788)
- Gets computer name (SCRIPT)
  - cscript.exe (PID: 3788)
- Checks whether a specific file exists (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses computer name via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Accesses current user name via WMI (SCRIPT)
  - cscript.exe (PID: 3788)
- Executes as Windows Service
  - VSSVC.exe (PID: 2780)
INFO
- Checks supported languages
  - dfsvc.exe (PID: 2844)
  - SetupProd_OffScrub.exe (PID: 3892)
  - SetupProd_OffScrub.exe (PID: 1972)
  - Microsoft.Sara.exe (PID: 2248)
  - wmpnscfg.exe (PID: 2644)
  - Microsoft.Sara.exe (PID: 3352)
  - dfsvc.exe (PID: 3504)
- Reads the machine GUID from the registry
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads the computer name
  - dfsvc.exe (PID: 2844)
  - wmpnscfg.exe (PID: 2644)
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
  - dfsvc.exe (PID: 3504)
- Create files in a temporary directory
  - SetupProd_OffScrub.exe (PID: 3892)
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
  - cscript.exe (PID: 3788)
- Reads Environment values
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
  - dfsvc.exe (PID: 3504)
- Checks proxy server information
  - dfsvc.exe (PID: 2844)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Reads the software policy settings
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Process checks whether UAC notifications are on
  - dfsvc.exe (PID: 2844)
- Manual execution by a user
  - SetupProd_OffScrub.exe (PID: 3996)
  - SetupProd_OffScrub.exe (PID: 1972)
  - wmpnscfg.exe (PID: 2644)
- Creates files or folders in the user directory
  - dfsvc.exe (PID: 2844)
  - Microsoft.Sara.exe (PID: 2248)
  - dfsvc.exe (PID: 3504)
  - Microsoft.Sara.exe (PID: 3352)
- Dropped object may contain TOR URL's
  - dfsvc.exe (PID: 2844)
- Creates files in the program directory
  - Microsoft.Sara.exe (PID: 2248)
- Reads CPU info
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Reads Microsoft Office registry keys
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Reads product name
  - Microsoft.Sara.exe (PID: 2248)
  - Microsoft.Sara.exe (PID: 3352)
- Gets the execution policy for the powershell session
  - Microsoft.Sara.exe (PID: 3352)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 3788)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:05:30 03:39:47+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.12
CodeSize:	74752
InitializedDataSize:	114688
UninitializedDataSize:	-
EntryPoint:	0x2b03
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft Support and Recovery Assistant for Office 365
FileVersion:	1.0.0.0
LegalCopyright:	© Microsoft Corporation. All rights reserved.
ProductName:	Microsoft Support and Recovery Assistant for Office 365
ProductVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

668

"powershell.exe" (systeminfo /fo csv | ConvertFrom-Csv | Select-Object OS*)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

956

"cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\tmpDF60.tmp.bat"

C:\Windows\System32\cmd.exe

—

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

984

C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

COM Surrogate

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

1044

"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\setup.exe" /uninstall OMUI.DE-DE /config "C:\Users\admin\AppData\Local\Temp\OffScrub10\config.xml" /dll OSETUP.DLL

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Setup Bootstrapper

Exit code:

Version:

14.0.6010.1000

1492

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -File C:\Users\admin\AppData\Local\Temp\c124cb395d33416bb67f39ce272453d0.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

1636

"C:\Windows\System32\rundll32.exe" dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&runasadmin=true

C:\Windows\System32\rundll32.exe

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

1972

"C:\Users\admin\Desktop\SetupProd_OffScrub.exe"

C:\Users\admin\Desktop\SetupProd_OffScrub.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Support and Recovery Assistant for Office 365

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\desktop\setupprod_offscrub.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2120

"powershell.exe" PowerShell.exe -ExecutionPolicy UnRestricted -File "C:\Users\admin\AppData\Local\Temp\c124cb395d33416bb67f39ce272453d0.ps1"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

Microsoft.Sara.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

2184

NET FILE

C:\Windows\System32\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Net Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll

2248

"C:\Users\admin\AppData\Local\Apps\2.0\OQVLXTZK.4P5\AK6KX289.K1P\micr..tion_ac9f5adfc2cecd90_0011.0001_0965ff758e4fcdba\Microsoft.Sara.exe"

C:\Users\admin\AppData\Local\Apps\2.0\OQVLXTZK.4P5\AK6KX289.K1P\micr..tion_ac9f5adfc2cecd90_0011.0001_0965ff758e4fcdba\Microsoft.Sara.exe

dfsvc.exe

User:

admin

Company:

Microsoft Corporation.

Integrity Level:

MEDIUM

Description:

Microsoft Support and Recovery Assistant

Exit code:

Version:

17.01.1440.000

Modules

Images
c:\users\admin\appdata\local\apps\2.0\oqvlxtzk.4p5\ak6kx289.k1p\micr..tion_ac9f5adfc2cecd90_0011.0001_0965ff758e4fcdba\microsoft.sara.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

Add for printing

Total events

75 635

Read events

69 126

Write events

5 533

Delete events

976

Modification events


(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
Operation:	write	Name:	StateStore_RandomString
Value: AW0N8K6CRDZWK0BPZHEXW968
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(2844) dfsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dfsvc_RASMANCS
Operation:	write	Name:	FileTracingMask
Value:

Add for printing

Executable files

559

Suspicious files

100

Text files

521

Unknown types

107

Dropped files

PID	Process	Filename		Type
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\excel.crashes.config.xml		xml
		MD5:18DE8EB6DDFDCADF929D0CEDD963BA6D	SHA256:D8117328E9020E3623AE144BAB81412B189C72D0A8C28BAFDFE8D49933B2FE65
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\Microsoft.Sara.exe.manifest		xml
		MD5:E25AFCCC4E391C271DBD9BB2A27DC119	SHA256:CD0208DF034A90A186659721811B715D27356D18A072CBDAAD2E381225DACCA0
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\3PR7LTP0.EVQ\KB01VMMW.AC7.application		xml
		MD5:9B213711124DBFFDFF31CEACB5655A8A	SHA256:CDD0A53ADCDA4BC804273C4E75BE4E3A7AAA13346E348308C6698705B541F23C
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\3NQLP1OM.log		text
		MD5:A6CACCCAB1232E7A984DD0F353DEB4D2	SHA256:47E95355E984CA886E3729F9908745196767F87C3B864E31E5A1C4726CE64CD5
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll		executable
		MD5:DAD75B06FCDBA45BC622BAF0582E806A	SHA256:C24A11C0E4AE4BD202DBC2002CBA4E29B18A5008063DCE2ABC922B7078E7519B
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\SaraEULA.txt		text
		MD5:A811F7A46C12ED29C5713A64F528569A	SHA256:30AFE28070DD647EFB545549CBDDCBBF9D40C7424BC93FECC8E7AE51A668D7EB
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\access.config.xml		xml
		MD5:39E98A49311231F92ADF4FAF229B8E0B	SHA256:BF42C275185C0F4C15705F30A2429461EEC6B0005688C5D33C44DF4FAA628443
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\lync.config.xml		xml
		MD5:C9AED8918515A0B7D64080E75E55705D	SHA256:2CA2FD970AABE2682C3D851C41F0A4058246BC39CCAA98BA6B6136CB9979D072
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\publisher.crashes.config.xml		xml
		MD5:6A46AEA92080C7190A38D54FC59C5469	SHA256:10182233F5D8F3E808F3C9170B093BEDD718D6BEDA28F8EA242A84F20706B599
2844	dfsvc.exe	C:\Users\admin\AppData\Local\Temp\Deployment\VTEN99RQ.2B2\TQ2CDN41.L0M\en\roiscan.config.xml		xml
		MD5:7936522251318CDCFFDB9A75C879FF34	SHA256:D152B95508CF08BEB65A6C85E5B779CAFCFB59C778411B0DBD431828C09428A9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2844	dfsvc.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2248	Microsoft.Sara.exe	20.84.169.20:443	sara.api.support.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3504	dfsvc.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
3352	Microsoft.Sara.exe	20.84.169.20:443	sara.api.support.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3352	Microsoft.Sara.exe	152.199.19.160:443	outlookdiagnostics.azureedge.net	EDGECAST	US	whitelisted
3352	Microsoft.Sara.exe	20.120.45.53:443	sara.api.support.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

DNS requests

Domain	IP	Reputation
outlookdiagnostics.azureedge.net	152.199.19.160	whitelisted
sara.api.support.microsoft.com	20.84.169.20 20.120.45.53	whitelisted

Threats

No threats detected

Add for printing

Process	Message
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Number of uninstallRootKey is 0
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	C:\Windows\system32\rundll32.exe dfshim.dll, ShOpenVerbApplication https://outlookdiagnostics.azureedge.net/sarafiles/Microsoft.Sara.Prod.application?usergroup=Prod&Ring=Prod&symptomid=3a1b3aa0-0969-4860-a9b8-ad13e3c81cf8
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Start to install Office 365 Support and Recovery Assistant
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Version verficiation success
SetupProd_OffScrub.exe
SetupProd_OffScrub.exe	Current .net version is 528049

General Info

SetupProd_OffScrub.exe

A9A189E7C270B711628D3E8C546700BC

A236FFD2C90D5F4E9CEBBC53FA60B17949950CC8

6895CE7DFAFE88CB01C8017E1BAFE31D6B311E72C151D20EDF27BF779C3868BB

3072:VA/cdv7411xlZ9bxAZLi7+T6e0Q2vKH2wlh:V44T4VPAci2wlh

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes powershell execution policy (Unrestricted)

Gets %windir% folder path (SCRIPT)

Accesses environment variables (SCRIPT)

Gets TEMP folder path (SCRIPT)

Gets %appdata% folder path (SCRIPT)

Creates a new folder (SCRIPT)

Checks whether a specified folder exists (SCRIPT)

Copies file to a new location (SCRIPT)

Opens a text file (SCRIPT)

Actions looks like stealing of personal data

Uses sleep, probably for evasion detection (SCRIPT)

SUSPICIOUS

Uses RUNDLL32.EXE to load library

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Reads the Internet Settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Executable content was dropped or overwritten

Reads Internet Explorer settings

The process creates files with name similar to system file names

The process drops C-runtime libraries

Searches for installed software

Creates a software uninstall entry

Reads the Windows owner or organization settings

Reads Microsoft Outlook installation path

Starts POWERSHELL.EXE for commands execution

Using PowerShell to operate with local accounts

Application launched itself

The process executes Powershell scripts

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Accesses language version of the operating system installed via WMI (SCRIPT)

Accesses ComputerSystem(Win32_ComputerSystem) via WMI (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Uses WMI to retrieve WMI-managed resources (SCRIPT)

The process executes VB scripts

Accesses operating system name via WMI (SCRIPT)

Executes WMI query (SCRIPT)

Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

Accesses WMI object caption (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Creates a Folder object (SCRIPT)

Gets computer name (SCRIPT)

Checks whether a specific file exists (SCRIPT)

Accesses computer name via WMI (SCRIPT)

Accesses current user name via WMI (SCRIPT)

Executes as Windows Service

INFO

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Reads Environment values

Checks proxy server information

Reads the software policy settings

Process checks whether UAC notifications are on

Manual execution by a user

Creates files or folders in the user directory

Dropped object may contain TOR URL's

Creates files in the program directory

Reads CPU info

Reads Microsoft Office registry keys

Reads product name

Gets the execution policy for the powershell session

Reads security settings of Internet Explorer

Malware configuration

Static information