Malware analysis ProjectOnlineDesktopClient.exe Malicious activity

Add for printing

File name:	ProjectOnlineDesktopClient.exe
Full analysis:	https://app.any.run/tasks/e302b548-6cb3-4b9b-9f96-702758d015c5
Verdict:	Malicious activity
Analysis date:	January 15, 2025, 13:45:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:	2BEEC840DC451666A6465043C7908720
SHA1:	4906A5E21B74409B47BCCC310845EE07F1185570
SHA256:	8F17FDECF0C98FBDD657FBEE8340FB04875F4FFAC3CE9763B7E60A5DDB936F63
SSDEEP:	98304:8yogGvOtNnWHEoRn/1t1ZFwakhQkxPuIMa2gPys/jjBB42iuWZRCyVWtDq5UdrQK:WRx/RG3NF3FyKjr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - ProjectOnlineDesktopClient.exe (PID: 6480)
  - OfficeClickToRun.exe (PID: 6860)
  - OfficeClickToRun.exe (PID: 6184)
- Executing commands from a ".bat" file
  - ProjectOnlineDesktopClient.exe (PID: 6480)
- Executable content was dropped or overwritten
  - ProjectOnlineDesktopClient.exe (PID: 6480)
  - OfficeClickToRun.exe (PID: 6860)
  - OfficeClickToRun.exe (PID: 6184)
- Starts CMD.EXE for commands execution
  - ProjectOnlineDesktopClient.exe (PID: 6480)
- Starts a Microsoft application from unusual location
  - setup.exe (PID: 6564)
- The executable file from the user directory is run by the CMD process
  - setup.exe (PID: 6564)
- Reads security settings of Internet Explorer
  - setup.exe (PID: 6564)
- Checks Windows Trust Settings
  - setup.exe (PID: 6564)
- The process drops C-runtime libraries
  - OfficeClickToRun.exe (PID: 6860)
INFO
- Checks supported languages
  - ProjectOnlineDesktopClient.exe (PID: 6480)
  - setup.exe (PID: 6564)
  - OfficeClickToRun.exe (PID: 6860)
- Reads Microsoft Office registry keys
  - setup.exe (PID: 6564)
  - OfficeClickToRun.exe (PID: 6860)
- Process checks computer location settings
  - setup.exe (PID: 6564)
- Checks proxy server information
  - setup.exe (PID: 6564)
- Reads the machine GUID from the registry
  - setup.exe (PID: 6564)
- Create files in a temporary directory
  - ProjectOnlineDesktopClient.exe (PID: 6480)
- Creates files in the program directory
  - OfficeClickToRun.exe (PID: 6860)
- Reads the software policy settings
  - OfficeClickToRun.exe (PID: 6860)
  - setup.exe (PID: 6564)
- The sample compiled with Indonesian language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with english language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with bulgarian language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with german language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with spanish language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with french language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with polish language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with Italian language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with japanese language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with russian language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with portuguese language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with slovak language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with swedish language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with korean language support
  - OfficeClickToRun.exe (PID: 6860)
- Executes as Windows Service
  - OfficeClickToRun.exe (PID: 6184)
- The sample compiled with turkish language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with chinese language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with arabic language support
  - OfficeClickToRun.exe (PID: 6860)
- The sample compiled with czech language support
  - OfficeClickToRun.exe (PID: 6860)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2011:12:22 20:35:23+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	9
CodeSize:	84992
InitializedDataSize:	7653888
UninitializedDataSize:	-
EntryPoint:	0x10940
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.1
ProductVersionNumber:	1.0.0.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Windows, Latin1
Comments:	-
CompanyName:	UNISYS CORPORATION
FileDescription:	Project Online
FileVersion:	1. 0. 0. 1
LegalCopyright:	UNISYS CORPORATION
ProductName:	Project Online
ProductVersion:	1. 0. 0. 1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

5880

OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProjectProRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6 baseurl.16=http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6 version.16=16.0.18227.20222 mediatype.16=CDN sourcetype.16=CDN updatesenabled.16=True acceptalleulas.16=True displaylevel=True bitnessmigration=False deliverymechanism=55336b82-a18d-4dd6-b5f6-9e5095c314a6 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True besteffortcultureinstall=True

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.18227.20222

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6184

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.18227.20222

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

6312

"C:\Users\admin\AppData\Local\Temp\ProjectOnlineDesktopClient.exe"

C:\Users\admin\AppData\Local\Temp\ProjectOnlineDesktopClient.exe

—

explorer.exe

User:

admin

Company:

UNISYS CORPORATION

Integrity Level:

MEDIUM

Description:

Project Online

Exit code:

3221226540

Version:

1. 0. 0. 1

Modules

Images
c:\users\admin\appdata\local\temp\projectonlinedesktopclient.exe
c:\windows\system32\ntdll.dll

6480

"C:\Users\admin\AppData\Local\Temp\ProjectOnlineDesktopClient.exe"

C:\Users\admin\AppData\Local\Temp\ProjectOnlineDesktopClient.exe

explorer.exe

User:

admin

Company:

UNISYS CORPORATION

Integrity Level:

HIGH

Description:

Project Online

Version:

1. 0. 0. 1

Modules

Images
c:\users\admin\appdata\local\temp\projectonlinedesktopclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6504

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\ProjectOnline.bat" > NUL"

C:\Windows\System32\cmd.exe

—

ProjectOnlineDesktopClient.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll

6512

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6564

"C:\Users\admin\AppData\Local\Temp\setup.exe" /configure "C:\Users\admin\AppData\Local\Temp\ProjectOnline.xml"

C:\Users\admin\AppData\Local\Temp\setup.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft 365 and Office

Version:

16.0.17830.20162

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6860

OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProjectProRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6 baseurl=http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6 version=16.0.18227.20222 mediatype=CDN sourcetype=CDN updatesenabled=True acceptalleulas=True displaylevel=True bitnessmigration=False deliverymechanism=55336b82-a18d-4dd6-b5f6-9e5095c314a6 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True besteffortcultureinstall=True scenario=CLIENTUPDATE

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run (SxS)

Exit code:

Version:

16.0.16026.20140

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6992

C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

Add for printing

Total events

23 842

Read events

23 489

Write events

159

Delete events

194

Modification events


(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Registration
Operation:	write	Name:	AcceptAllEulas
Value: 1
(PID) Process:	(6564) setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Registration
Operation:	write	Name:	AcceptAllEulas
Value: 1
(PID) Process:	(6564) setup.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\General
Operation:	write	Name:	ShownFirstRunOptin
Value: 1
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	es-es
Value: 2
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	it-it
Value: 2
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ja-jp
Value: 2
(PID) Process:	(6564) setup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	ko-kr
Value: 2

Add for printing

Executable files

386

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6480	ProjectOnlineDesktopClient.exe	C:\Users\admin\AppData\Local\Temp\setup.exe		executable
		MD5:2BA6246A85064DB4978F19EC71C347F7	SHA256:335932E68D7A8BFA4FA00BBCDEA09256ED6ECAB2BEDD640E2580B0B43E3B7744
6564	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE		binary
		MD5:308CB430482682D6435224F3172D5C85	SHA256:F85E47E980B7526B2B818B1E6C83DA26364D007FA3754AFD4B637B2C6F586A68
6564	setup.exe	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E7D501D2-F8C1-488A-B618-39189D33D287		xml
		MD5:5AAB540A18C055EDCE2A26D6D9CD5727	SHA256:ED89369A8DD38F0B62624DEC3D7BC2518D2E884AEFC6CC88782FE1B0374D0CE0
6564	setup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2RA5DF0A4A-239C-4CB4-982D-418AAE0B193DOfficeC2R6049C45E-319E-4554-85BB-C5AF8A8FC28A\v64.hash		binary
		MD5:4D27B8814AB19369B472B9BDD1B96146	SHA256:C0FB41BF277C0BCE5AB24B7464921FFF63B73C5DBCAF6537AD90DFCBC64EA049
6480	ProjectOnlineDesktopClient.exe	C:\Users\admin\AppData\Local\Temp\ProjectOnline.xml		text
		MD5:9E758837C0B477ADE857C90748CD340A	SHA256:EE222E979D269A0D52366C5CAFC7F6FB58A9A6B1CC9168E450B18C79BE57AF39
6564	setup.exe	C:\Users\admin\AppData\Local\Microsoft\Office\OTele\setup.exe.db-journal		binary
		MD5:DB48C0CF10AD8736B1FD04D7E28886F4	SHA256:33C0765711727EF3689202FE1464380914782A9DFD43E57389E2E91C0F7DF295
6564	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892		binary
		MD5:930C50C27FFA88FAD93A989B842DC12B	SHA256:68B98DDEA270D34B572424618D037E780A7715D2F81A8EF67D3CB76EE6E0EF41
6564	setup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892		binary
		MD5:4BB71C446533E3B735C069A975FDEC3A	SHA256:D854D6E3CFD975FB2B6E7BEF5B32815F18F2128C1892584383500C14D3B0BAAC
6564	setup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2RA5DF0A4A-239C-4CB4-982D-418AAE0B193D\v64.hash		binary
		MD5:4D27B8814AB19369B472B9BDD1B96146	SHA256:C0FB41BF277C0BCE5AB24B7464921FFF63B73C5DBCAF6537AD90DFCBC64EA049
6564	setup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2RA5DF0A4A-239C-4CB4-982D-418AAE0B193D\VersionDescriptor.xml		xml
		MD5:7828BDC7F34247AF0DD37F29B868D5BD	SHA256:842792033677BDEEC816C9E765C89FBC00549B69859803C6F7CA0BB23AE57D0F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6564	setup.exe	HEAD	200	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.18227.20222.cab	unknown	—	—	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6564	setup.exe	HEAD	400	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.16026.20146.cab	unknown	—	—	whitelisted
6564	setup.exe	HEAD	200	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.18227.20222.cab	unknown	—	—	whitelisted
6680	svchost.exe	HEAD	200	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.18227.20222.cab	unknown	—	—	whitelisted
6680	svchost.exe	HEAD	200	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.18227.20222.cab	unknown	—	—	whitelisted
6564	setup.exe	GET	200	23.48.23.166:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6680	svchost.exe	GET	206	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.18227.20222.cab	unknown	—	—	whitelisted
6680	svchost.exe	GET	200	23.48.23.48:80	http://f.c2r.ts.cdn.office.net/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6/Office/Data/v64_16.0.18227.20222.cab	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5064	SearchApp.exe	104.126.37.128:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	40.126.32.72:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6564	setup.exe	52.109.89.18:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1076	svchost.exe	69.192.162.125:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
6564	setup.exe	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6564	setup.exe	52.109.89.117:443	mrodevicemgr.officeapps.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	104.126.37.128 104.126.37.186 104.126.37.130 104.126.37.178 104.126.37.179 104.126.37.144 104.126.37.177 104.126.37.137 104.126.37.185	whitelisted
ocsp.digicert.com	2.17.190.73 184.30.131.245	whitelisted
login.live.com	40.126.32.72 40.126.32.140 20.190.160.17 20.190.160.14 40.126.32.134 40.126.32.76 40.126.32.133 20.190.160.22	whitelisted
officeclient.microsoft.com	52.109.89.18	whitelisted
go.microsoft.com	69.192.162.125	whitelisted
ecs.office.com	52.113.194.132	whitelisted
mrodevicemgr.officeapps.live.com	52.109.89.117	whitelisted
f.c2r.ts.cdn.office.net	23.48.23.48 23.48.23.41 23.48.23.50 23.48.23.40 23.48.23.32 23.48.23.37 23.48.23.42 23.48.23.43 23.48.23.35 23.48.23.54 23.48.23.44 23.48.23.46 23.48.23.61 23.48.23.59 23.48.23.58 23.48.23.51	whitelisted
geo.prod.do.dsp.mp.microsoft.com	52.158.246.138	whitelisted
kv501.prod.do.dsp.mp.microsoft.com	23.32.101.112	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

ProjectOnlineDesktopClient.exe

2BEEC840DC451666A6465043C7908720

4906A5E21B74409B47BCCC310845EE07F1185570

8F17FDECF0C98FBDD657FBEE8340FB04875F4FFAC3CE9763B7E60A5DDB936F63

98304:8yogGvOtNnWHEoRn/1t1ZFwakhQkxPuIMa2gPys/jjBB42iuWZRCyVWtDq5UdrQK:WRx/RG3NF3FyKjr

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Executing commands from a ".bat" file

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Starts a Microsoft application from unusual location

The executable file from the user directory is run by the CMD process

Reads security settings of Internet Explorer

Checks Windows Trust Settings

The process drops C-runtime libraries

INFO

Checks supported languages

Reads Microsoft Office registry keys

Process checks computer location settings

Checks proxy server information

Reads the machine GUID from the registry

Create files in a temporary directory

Creates files in the program directory

Reads the software policy settings

The sample compiled with Indonesian language support

The sample compiled with english language support

The sample compiled with bulgarian language support

The sample compiled with german language support

The sample compiled with spanish language support

The sample compiled with french language support

The sample compiled with polish language support

The sample compiled with Italian language support

The sample compiled with japanese language support

The sample compiled with russian language support

The sample compiled with portuguese language support

The sample compiled with slovak language support

The sample compiled with swedish language support

The sample compiled with korean language support

Executes as Windows Service

The sample compiled with turkish language support

The sample compiled with chinese language support

The sample compiled with arabic language support

The sample compiled with czech language support

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events