File name: Office por script.rar

Full analysis: https://app.any.run/tasks/1b4462f2-7be8-4543-810a-5a212420778a
Verdict: Malicious activity
Analysis date: April 19, 2024, 06:33:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 5E2D1BD62DF0BD5D7F86AEEB13C25FB0
SHA1: F715368B1722CB6EE5811C52F08944347BE74C98
SHA256: E0924BF8DAC1A147718E6AFA95BAB4E2CA2D91984CFA70DC0C703339597A2188
SSDEEP: 98304:OX9TcbvJKCP5xJzUxf2A83TY2CIegUVpRKnOzsv8gZV0SD9+9ANcZ+pq9RawWRqe:OTyUelQdNvkh44h4I9uO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Accesses Processor(Win32_Processor, may evade sandboxes) via WMI (SCRIPT)

      • cscript.exe (PID: 1368)
      • cscript.exe (PID: 2052)
    • The DLL Hijacking

      • DismHost.exe (PID: 3748)
      • DismHost.exe (PID: 3732)
      • DismHost.exe (PID: 3644)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 3072)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3020)
      • powershell.exe (PID: 2124)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3072)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 3844)
      • cmd.exe (PID: 3072)
    • Starts Visual C# compiler

      • powershell.exe (PID: 3020)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3972)
  • SUSPICIOUS

    • Drops 7-zip archiver for unpacking

      • WinRAR.exe (PID: 3768)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3768)
      • Dism.exe (PID: 3104)
      • Dism.exe (PID: 1924)
      • Dism.exe (PID: 3696)
      • cmd.exe (PID: 3072)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 3072)
    • Application launched itself

      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 3072)
      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 924)
      • cmd.exe (PID: 2920)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 572)
      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 1336)
      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 3072)
      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 956)
    • Hides command output

      • cmd.exe (PID: 572)
      • cmd.exe (PID: 2156)
      • cmd.exe (PID: 1336)
      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 3288)
      • cmd.exe (PID: 3900)
      • cmd.exe (PID: 3992)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 3632)
      • cmd.exe (PID: 2956)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 2956)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3592)
      • powershell.exe (PID: 3612)
      • cmd.exe (PID: 3072)
      • cmd.exe (PID: 3688)
      • cmd.exe (PID: 924)
      • cmd.exe (PID: 2920)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 3072)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 3632)
      • cmd.exe (PID: 2956)
      • setup.exe (PID: 376)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3592)
      • cmd.exe (PID: 3072)
      • cmd.exe (PID: 3372)
      • cmd.exe (PID: 3620)
      • cmd.exe (PID: 3632)
      • cmd.exe (PID: 2956)
      • setup.exe (PID: 376)
    • Reads the Internet Settings

      • powershell.exe (PID: 3612)
      • powershell.exe (PID: 3140)
      • WMIC.exe (PID: 4076)
      • WMIC.exe (PID: 2148)
      • WMIC.exe (PID: 3636)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 2124)
      • cscript.exe (PID: 1876)
      • powershell.exe (PID: 3972)
      • setup.exe (PID: 376)
      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 2880)
    • Executing commands from ".cmd" file

      • powershell.exe (PID: 3612)
      • cmd.exe (PID: 3072)
    • The process creates files with name similar to system file names

      • Dism.exe (PID: 3104)
      • Dism.exe (PID: 1924)
      • Dism.exe (PID: 3696)
    • Starts a Microsoft application from unusual location

      • DismHost.exe (PID: 3732)
      • DismHost.exe (PID: 3748)
      • DismHost.exe (PID: 3644)
      • setup.exe (PID: 376)
    • Executable content was dropped or overwritten

      • Dism.exe (PID: 3104)
      • Dism.exe (PID: 1924)
      • csc.exe (PID: 3844)
      • Dism.exe (PID: 3696)
      • cmd.exe (PID: 3072)
    • The process executes VB scripts

      • cmd.exe (PID: 3072)
    • Executes WMI query (SCRIPT)

      • cscript.exe (PID: 1368)
      • cscript.exe (PID: 2052)
      • cscript.exe (PID: 1056)
      • cscript.exe (PID: 3392)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • cscript.exe (PID: 1368)
      • cscript.exe (PID: 2052)
      • cscript.exe (PID: 1056)
      • cscript.exe (PID: 3392)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3072)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 2124)
      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 2880)
    • Uses WMIC.EXE

      • cmd.exe (PID: 3072)
    • Get information on the list of running processes

      • cmd.exe (PID: 3072)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 3020)
    • The process executes Powershell scripts

      • cmd.exe (PID: 3072)
    • Reads settings of System Certificates

      • wget.exe (PID: 3404)
      • setup.exe (PID: 376)
    • Decoding a file from Base64 using CertUtil

      • cmd.exe (PID: 3072)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 3072)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3072)
    • Reads security settings of Internet Explorer

      • setup.exe (PID: 376)
  • INFO

    • Checks supported languages

      • chcp.com (PID: 3456)
      • mode.com (PID: 3844)
      • mode.com (PID: 1308)
      • more.com (PID: 1544)
      • chcp.com (PID: 2240)
      • DismHost.exe (PID: 3748)
      • DismHost.exe (PID: 3732)
      • more.com (PID: 864)
      • csc.exe (PID: 3844)
      • cvtres.exe (PID: 3484)
      • more.com (PID: 2360)
      • mode.com (PID: 3576)
      • chcp.com (PID: 2576)
      • chcp.com (PID: 2724)
      • wget.exe (PID: 3404)
      • DismHost.exe (PID: 3644)
      • mode.com (PID: 3900)
      • wget.exe (PID: 2044)
      • mode.com (PID: 3252)
      • setup.exe (PID: 376)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3768)
    • Manual execution by a user

      • cmd.exe (PID: 3592)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3768)
      • Dism.exe (PID: 3104)
      • Dism.exe (PID: 1924)
      • Dism.exe (PID: 3696)
    • Create files in a temporary directory

      • Dism.exe (PID: 3104)
      • Dism.exe (PID: 1924)
      • csc.exe (PID: 3844)
      • cvtres.exe (PID: 3484)
      • Dism.exe (PID: 3696)
      • expand.exe (PID: 2940)
      • wget.exe (PID: 2044)
      • setup.exe (PID: 376)
    • Reads the machine GUID from the registry

      • DismHost.exe (PID: 3748)
      • DismHost.exe (PID: 3732)
      • csc.exe (PID: 3844)
      • cvtres.exe (PID: 3484)
      • wget.exe (PID: 3404)
      • DismHost.exe (PID: 3644)
      • setup.exe (PID: 376)
    • Reads the computer name

      • DismHost.exe (PID: 3748)
      • DismHost.exe (PID: 3732)
      • wget.exe (PID: 3404)
      • wget.exe (PID: 2044)
      • setup.exe (PID: 376)
      • DismHost.exe (PID: 3644)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 1368)
      • cscript.exe (PID: 2052)
      • cscript.exe (PID: 1056)
      • cscript.exe (PID: 3392)
      • cscript.exe (PID: 1876)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3140)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 3820)
      • powershell.exe (PID: 2880)
    • Checks operating system version

      • cmd.exe (PID: 3072)
    • Reads the time zone

      • DismHost.exe (PID: 3644)
    • Checks Windows language

      • DismHost.exe (PID: 3644)
    • Reads Microsoft Office registry keys

      • setup.exe (PID: 376)
    • Process checks computer location settings

      • setup.exe (PID: 376)
    • Creates files or folders in the user directory

      • setup.exe (PID: 376)
    • Reads the software policy settings

      • setup.exe (PID: 376)
    • Reads CPU info

      • setup.exe (PID: 376)
    • Reads Environment values

      • setup.exe (PID: 376)
    • Checks proxy server information

      • setup.exe (PID: 376)
    • Reads product name

      • setup.exe (PID: 376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 351
Monitored processes: 298
Malicious processes: 15
Suspicious processes: 8

Behavior graph

(Interactive process graph; the flattened node list is not reproduced. Processes appearing in the graph, starting from winrar.exe: cmd.exe, chcp.com, mode.com, reg.exe, findstr.exe, fltmc.exe, powershell.exe, more.com, find.exe, dism.exe, dismhost.exe, cscript.exe, wmic.exe, csc.exe, cvtres.exe, wget.exe, where.exe, certutil.exe, schtasks.exe, timeout.exe, choice.exe, expand.exe and setup.exe. Per-process details are in the full report.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 116
CMD: C:\Windows\system32\cmd.exe /S /D /c" type Settings.ini "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 120
CMD: find /i "Force_Terminal="
Path: C:\Windows\System32\find.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (grep) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 240
CMD: C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" /f /v DisableKeyManagementServiceHostCaching
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 268
CMD: findstr /c:\ /a:0E "[A] SHOW ACTIVATION INFO"\..\c nul
Path: C:\Windows\System32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Find String (QGREP) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 332
CMD: C:\Windows\System32\reg.exe delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /f /v KeyManagementServiceName
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 376
CMD: "C:\Windows\Temp\setup.exe" /configure C:\Windows\Temp\configure32.xml
Path: C:\Windows\Temp\setup.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office
Exit code: 4294967295
Version: 16.0.14131.20278
Modules (images):
c:\windows\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 492
CMD: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command "$Host.UI.RawUI.WindowTitle = 'Administrator: OfficeRTool - 2023/MAR/06 -'"; Write-Host "Mondo 2016 Grande Suite" -foreground "Green"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 548
CMD: C:\Windows\system32\cmd.exe /c "type C:\Windows\temp\output"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 572
CMD: C:\Windows\system32\cmd.exe /c "2>nul findstr "=" "C:\Users\admin\Desktop\Office por script\2021\Data\template.ini""
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 572
CMD: C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Console Tool
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 44 673
Read events: 43 972
Write events: 644
Delete events: 57

Modification events

(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Office por script.rar
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (3768) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 112
Suspicious files: 6
Text files: 235
Unknown types: 1

Dropped files

PID
Process
Filename
Type
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Build_Info.ini (text)
MD5: B607DE0EDD8CC441710AF0ACB02B9D46
SHA256: 1F98458AC8AD7873954DE17DB664913ED154A146A9387E398425E8002CD756B0
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\OfficeRTool.cmd (text)
MD5: F9462E768973215651813E4CCCFA9038
SHA256: 539C11257ADCB8B269A3E2DE226F821EE9747F659CE6614A3503418ECD8FF874
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\My Digital Life Forums.lnk (lnk)
MD5: A57B4BF486822F28940DFE2546D50433
SHA256: 90840A2FC69AC5ADDD68BF3850C804105F8CF5224A64612D9F871FB5F6A49DE0
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Debug Mode.cmd (text)
MD5: 2C4A1AE0FFE1298630974AF234A7ECC0
SHA256: 71B072BCF927ED85E377E420DDC37C26C4C7ED266FE9A27A1568C0A66E030311
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Settings.ini (text)
MD5: 64C2791461F9BBE090313729A494858A
SHA256: FE88D845750C459205494B1823F8B472DEA724A8B927B3A5C5250FB63C62534D
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\readme.pdf (pdf)
MD5: FFC8DED7D71A200A1AE667C977AFB1E8
SHA256: 690E584517DC008A7FC80665CA89CABE2CC97C5072FC2F50C3544D56EEBFFD70
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Data\start_setup.cmd (text)
MD5: FB5ABD106E9A939C47A0F372B462F781
SHA256: F269AE680B699B52154B28DBA94131E086EA39FB48EE9A6558A4353325C4ACA3
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Data\bin\cleanospp.exe (executable)
MD5: CB600D36DE6A9D7A5D6E8DC06F665057
SHA256: 0CD5483DBD9292E08E1D28B3E8E1148DD9D411BCF3D222BCC6C8B2FD4F1A540C
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Data\bin\oscdimg.exe (executable)
MD5: B9A52EA0BEEDC9C8D7A559B296557DDA
SHA256: 205FA367026879A4233FAEAE14953551F4BD7339A96135AD78515A9836CF540A
PID 3768, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa3768.22140\Office por script\2021\Data\bin\hex2dec.exe (executable)
MD5: 27F5AF8C8254FD65D10E583B2F863C26
SHA256: 3A1E2A2C3280625E850D85C6ED913A54E5B793FE84C2975EB30070CE3103180C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 17
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2044 | wget.exe | GET | 200 | 95.101.54.121:80 | http://officecdn.microsoft.com.edgesuite.net/pr/f2e724c1-748f-4b47-8fb8-8e0d210e9208/Office/Data/v32.cab | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3404 | wget.exe | 199.188.201.131:443 | officertool.org | NAMECHEAP-NET | US | unknown
2044 | wget.exe | 95.101.54.121:80 | officecdn.microsoft.com.edgesuite.net | Akamai International B.V. | DE | unknown
376 | setup.exe | 52.111.229.19:443 | nexusrules.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
376 | setup.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1360 | svchost.exe | 20.42.65.89:443 | vortex-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
1360 | svchost.exe | 52.182.143.213:443 | vortex-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain
IP
Reputation
officertool.org
  • 199.188.201.131
unknown
officecdn.microsoft.com.edgesuite.net
  • 95.101.54.121
  • 95.101.54.217
unknown
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
vortex-win.data.microsoft.com
  • 20.42.65.89
  • 52.182.143.213
whitelisted
nexus.officeapps.live.com
  • 52.111.236.25
whitelisted

Threats

No threats detected
Process | Message
Dism.exe | PID=3104 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005)
Dism.exe | PID=3104 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005)
Dism.exe | PID=3104 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=3104 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=3104 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe | PID=3104 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe | PID=3104 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe | PID=3104 Getting Provider OSServices - CDISMProviderStore::GetProvider
Dism.exe | PID=3104 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe | PID=3732 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider