Field | Value |
---|---|
File name | microsoft-office-2016-preview-32-bit-en-win.exe |
Full analysis | https://app.any.run/tasks/39099de5-9e12-44f5-b1c9-8ff7a1ddd92e |
Verdict | Malicious activity |
Analysis date | March 06, 2021, 17:55:38 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | B2BD5DFA4DF9ED5BAA44948D8F6FA7C8 |
SHA1 | 6E6DC6257D9D9F682A83943FE599FAFD0EE20D05 |
SHA256 | FAA91D9978C6D68C2D793064884DFAA86603D28A9A76E613CA7F832A6B8E7374 |
SSDEEP | 49152:uXZCkNmswJEn5pv961pnqNbs4LBy/85pjIAbzE+LFmt7yjwYWlkssvNEsK7Psx:uXZnNm+jv9ns4LB485RFDwY2sr |
Extension | File type (TrID) | Probability (%) |
---|---|---|
.exe | Win64 Executable (generic) | 76.4 |
.exe | Win32 Executable (generic) | 12.4 |
.exe | Generic Win/DOS Executable | 5.5 |
.exe | DOS Executable Generic | 5.5 |
Version resource / ExifTool field | Value |
---|---|
MOSEVersion | BETA |
ProductVersion | 16.0.3930.1008 |
ProductName | Microsoft Office 16 |
OriginalFileName | c2rui.dll |
LegalTrademarks2 | Windows® is a registered trademark of Microsoft Corporation. |
LegalTrademarks1 | Microsoft® is a registered trademark of Microsoft Corporation. |
InternalName | c2rui.dll |
FileVersion | 16.0.3930.1008 |
FileDescription | Microsoft Office Click-to-Run |
CompanyName | Microsoft Corporation |
CharacterSet | Windows, Latin1 |
LanguageCode | English (U.S.) |
FileSubtype | - |
ObjectFileType | Unknown |
FileOS | Windows NT 32-bit |
FileFlags | Pre-release, Special build |
FileFlagsMask | 0x003f |
ProductVersionNumber | 16.0.3930.0 |
FileVersionNumber | 16.0.3930.1008 |
Subsystem | Windows GUI |
SubsystemVersion | 5.2 |
ImageVersion | - |
OSVersion | 5.2 |
EntryPoint | 0xbb42a |
UninitializedDataSize | - |
InitializedDataSize | 1329664 |
CodeSize | 1308672 |
LinkerVersion | 12 |
PEType | PE32 |
TimeStamp | 2015:04:25 22:00:34+02:00 |
MachineType | Intel 386 or later, and compatibles |
Static analysis field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 25-Apr-2015 20:00:34 |
Detected languages | |
Debug artifacts | |
CompanyName | Microsoft Corporation |
FileDescription | Microsoft Office Click-to-Run |
FileVersion | 16.0.3930.1008 |
InternalName | c2rui.dll |
LegalTrademarks1 | Microsoft® is a registered trademark of Microsoft Corporation. |
LegalTrademarks2 | Windows® is a registered trademark of Microsoft Corporation. |
OriginalFilename | c2rui.dll |
ProductName | Microsoft Office 16 |
ProductVersion | 16.0.3930.1008 |
MOSEVersion | BETA |
DOS (MZ) header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header (paragraphs) | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header (e_lfanew, offset of the PE signature) | 0x00000108 |

PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 5 |
Time date stamp | 25-Apr-2015 20:00:34 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0013F714 | 0x0013F800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60792 |
.rdata | 0x00141000 | 0x00078F64 | 0x00079000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.40111 |
.data | 0x001BA000 | 0x00024B8C | 0x00022E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.08851 |
.rsrc | 0x001DF000 | 0x00093000 | 0x00093000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.33815 |
.reloc | 0x00272000 | 0x00015B7C | 0x00015C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.6008 |
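The DOS header, PE file header and section-table values above can be reproduced from a sample offline. What follows is an added example written for this page, not ANY.RUN or Microsoft code: a minimal PE parser in Python that reads e_lfanew, the COFF file header and the section headers, computes per-section Shannon entropy the way the table above reports it, and prints MD5/SHA-1/SHA-256 in the report's uppercase form. It runs on a constructed two-section PE skeleton built inline (an assumption: only the fields the parser reads are populated, and it is not the analysed installer), or on any real file passed as the first argument.

```python
"""Static triage of a PE file: hashes, MZ/PE headers, section table, entropy.

Added example for this report, not ANY.RUN code. The sample image below is
constructed and only fills the fields the parser reads.
"""
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
SECTION_FLAGS = {  # subset of IMAGE_SCN_* bits that appear in the report's section table
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def file_digests(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 in the uppercase hex form the report uses."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; values near 8 suggest packed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Read e_lfanew, the 20-byte COFF file header and the 40-byte section headers (PE32 or PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)            # the 'Address of NE header' field
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size                        # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = sec_table + i * 40
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        (flags,) = struct.unpack_from("<I", image, off + 36)         # Characteristics is the last DWORD
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": [n for bit, n in sorted(SECTION_FLAGS.items()) if flags & bit],
            "entropy": round(shannon_entropy(image[rawptr:rawptr + rawsize]), 5),
        })
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%d-%b-%Y %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(timestamp: int = 1429992034) -> bytes:
    """Constructed two-section PE32 skeleton (not loadable); default timestamp is the report's 25-Apr-2015 20:00:34 UTC."""
    e_lfanew, opt_size = 0x108, 0xE0
    sec_table = e_lfanew + 4 + 20 + opt_size
    text_raw = sec_table + 2 * 40
    text = bytes(range(256)) * 2        # uniform byte distribution -> entropy 8.0
    data = b"\0" * 512                  # constant bytes -> entropy 0.0
    img = bytearray(text_raw + len(text) + len(data))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, IMAGE_FILE_MACHINE_I386, 2, timestamp, 0, 0, opt_size, 0x0102)
    struct.pack_into("<8sIIII", img, sec_table, b".text", len(text), 0x1000, len(text), text_raw)
    struct.pack_into("<I", img, sec_table + 36, 0x60000020)          # CNT_CODE | MEM_EXECUTE | MEM_READ
    struct.pack_into("<8sIIII", img, sec_table + 40, b".data", len(data), 0x2000, len(data), text_raw + len(text))
    struct.pack_into("<I", img, sec_table + 76, 0xC0000040)          # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
    img[text_raw:text_raw + len(text)] = text
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(file_digests(blob))
    info = parse_pe(blob)
    print({k: v for k, v in info.items() if k != "sections"})
    for s in info["sections"]:
        print(f"{s['name']:8} VA=0x{s['virtual_address']:08X} raw=0x{s['raw_size']:08X} "
              f"entropy={s['entropy']:.5f} {', '.join(s['characteristics'])}")
```

Run against the installer itself, the output should agree with the tables above: e_lfanew 0x108, IMAGE_FILE_MACHINE_I386, five sections, timestamp 25-Apr-2015 20:00:34, and .rsrc as the highest-entropy section (7.34), which is the usual signature of compressed or encrypted data and the first place to look when a 600 KB resource section is only supposed to hold a manifest, icons and a few string tables.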
Resource ID | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.33182 | 1345 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.62479 | 858 | Latin 1 / Western European | English - United States | RT_MANIFEST |
3 | 2.20562 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 2.87138 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
63 | 0.960953 | 42 | Latin 1 / Western European | English - United States | RT_STRING |
101 | 2.65982 | 62 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
188 | 3.43855 | 608 | Latin 1 / Western European | English - United States | RT_STRING |
189 | 3.30662 | 740 | Latin 1 / Western European | English - United States | RT_STRING |
190 | 3.28015 | 706 | Latin 1 / Western European | English - United States | RT_STRING |
191 | 3.31206 | 1218 | Latin 1 / Western European | English - United States | RT_STRING |
Imported DLL |
---|
ADVAPI32.dll |
Cabinet.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
SETUPAPI.dll |
SHELL32.dll (delay-loaded) |
WINTRUST.dll |
WS2_32.dll |
PID | Parent process | User | Integrity level | Image (company, description, version) | Command line |
---|---|---|---|---|---|
2540 | explorer.exe | admin | MEDIUM | C:\Users\admin\AppData\Local\Temp\microsoft-office-2016-preview-32-bit-en-win.exe (Microsoft Corporation, Microsoft Office Click-to-Run, 16.0.3930.1008) | "C:\Users\admin\AppData\Local\Temp\microsoft-office-2016-preview-32-bit-en-win.exe" |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | admin | HIGH | C:\Users\admin\AppData\Local\Temp\microsoft-office-2016-preview-32-bit-en-win.exe (Microsoft Corporation, Microsoft Office Click-to-Run, 16.0.3930.1008) | "C:\Users\admin\AppData\Local\Temp\microsoft-office-2016-preview-32-bit-en-win.exe" |
2852 | microsoft-office-2016-preview-32-bit-en-win.exe | admin | HIGH | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (Microsoft Corporation, Microsoft Office Click-to-Run (SxS), 16.0.12527.21594) | scenario=unknown scenariosubtype=CDN platform="x86" productreleaseid="ProfessionalRetail" cdnbaseurl="http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be" culture="en-us" version="16.0.12527.21594" lcid="1033" prereleasebuild="4419" firstrun="root\office16\firstrun.exe" baseurl="http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be" mediatype="CDN" updatesenabled="True" productstoadd="ProfessionalRetail_en-us_x-none" trackedduration=13156 |
1532 | services.exe | SYSTEM | SYSTEM | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (Microsoft Corporation, Microsoft Office Click-to-Run (SxS), 16.0.12527.21594) | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service |
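The process tree shows the downloaded bootstrapper relaunching itself at HIGH integrity, then handing the Click-to-Run engine (PID 2852) a command line whose cdnbaseurl and baseurl decide where the actual Office payload is fetched from; the HTTP table below shows that fetch happening over plain http:// and being redirected from officecdn.microsoft.com to officecdn.microsoft.com.edgesuite.net. A detection or triage engineer therefore wants to parse that command line and check the CDN source. The following is an added example written for this page, not Microsoft or ANY.RUN code: it splits the key=value / key="value" arguments and flags any CDN URL that is not on a trusted-host list or not HTTPS. The trusted-host list is an assumption built from the two CDN hosts this report shows; the report's own command line (PID 2852) is used as the first input, and the second input is a constructed variant that points the CDN at a hypothetical third-party host (cdn.example.net) to show what a redirected bootstrapper would look like.

```python
"""Triage an OfficeClickToRun.exe bootstrap command line.

Added example for this report, not Microsoft or ANY.RUN code. The trusted-host
set is an assumption drawn from the hosts this report shows; TAMPERED_CMDLINE
is constructed for illustration and does not come from the sandbox run.
"""
import re
from urllib.parse import urlsplit

# key="quoted value" or key=bareword, as seen in the C2R command line
ARG_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TRUSTED_CDN_HOSTS = {"officecdn.microsoft.com", "officecdn.microsoft.com.edgesuite.net"}  # assumption
URL_KEYS = ("cdnbaseurl", "baseurl")

# Copied from the process table above (PID 2852).
REPORT_CMDLINE = r'''scenario=unknown scenariosubtype=CDN platform="x86" productreleaseid="ProfessionalRetail" cdnbaseurl="http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be" culture="en-us" version="16.0.12527.21594" lcid="1033" prereleasebuild="4419" firstrun="root\office16\firstrun.exe" baseurl="http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be" mediatype="CDN" updatesenabled="True" productstoadd="ProfessionalRetail_en-us_x-none" trackedduration=13156'''

# Constructed: same shape, but the CDN base redirected to a hypothetical third-party host.
TAMPERED_CMDLINE = REPORT_CMDLINE.replace("http://officecdn.microsoft.com/", "http://cdn.example.net/")


def parse_c2r_args(cmdline: str) -> dict:
    """Return the key=value pairs as a dict; keys lower-cased, surrounding quotes removed."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ARG_RE.finditer(cmdline)}


def assess_c2r_cmdline(cmdline: str) -> dict:
    """Flag CDN URLs that are missing, not on the trusted-host list, or not served over HTTPS."""
    args = parse_c2r_args(cmdline)
    findings = []
    for key in URL_KEYS:
        url = args.get(key)
        if url is None:
            findings.append(f"{key} missing")
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host not in TRUSTED_CDN_HOSTS:
            findings.append(f"{key} points at untrusted host {host}")
        if parts.scheme.lower() != "https":
            findings.append(f"{key} uses cleartext {parts.scheme.lower()}")
    return {
        "args": args,
        "findings": findings,
        "untrusted_cdn": any("untrusted host" in f for f in findings),
        "product": f"{args.get('productreleaseid')} {args.get('version')} ({args.get('culture')})",
    }


if __name__ == "__main__":
    for label, cmd in (("report", REPORT_CMDLINE), ("tampered", TAMPERED_CMDLINE)):
        result = assess_c2r_cmdline(cmd)
        print(label, result["product"], "untrusted_cdn=%s" % result["untrusted_cdn"])
        for finding in result["findings"]:
            print("  -", finding)
```

On the report's command line the only findings are the two cleartext-scheme notes, which is exactly what the HTTP table records; on the constructed variant the untrusted-host findings fire for both URL keys. In a SIEM the same two conditions (process name OfficeClickToRun.exe, parent not a known Office or ODT binary, cdnbaseurl host outside the trusted set) make a reasonable rule, since a legitimate Click-to-Run install never needs a CDN outside Microsoft's.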
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA4EB9592-A21E-46EC-AD11-04AC49C387F8\v32.cab | — | — | — |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA4EB9592-A21E-46EC-AD11-04AC49C387F8\v32.hash | — | — | — |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA4EB9592-A21E-46EC-AD11-04AC49C387F8\VersionDescriptor.xml | — | — | — |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA4A3E1F6-B804-4D5C-843C-3AB298A9A636\i320.cab | — | — | — |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RAD40C9E3-1485-41CC-9968-DEE9B9170AC1\i321033.cab | compressed | 85E49757C9949361D1577DB4252B8489 | 480EAFE94A61E16F3D6308C56B4A5CAA557B659072DC80841A925E9DC3E5243C |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll | executable | C2EAD5FCCE95A04D31810768A3D44D57 | 42A9A3D8A4A7C82CB6EC42C62D3A522DAA95BEB01ECB776AAC2BFD4AA1E58D62 |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll | executable | 45C54A21261180410091CEFB23F6A5AE | 2B0FEA07DB507B7266346EAB3CA7EDE3821876AADC519DAF059B130B85640918 |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll | executable | AB8734C2328A46E7E9583BEFEB7085A2 | 921B7CF74744C4336F976DB6750921B2A0960E8AA11268457F5ED27C0E13B2C8 |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll | executable | 3B038338C1EB179D8EEE3883CF42BC3E | C17786E9031062F56E4B205F394A795E11EF9367B922763DDF391F2ACAB2E979 |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll | executable | 809BC1010EAF714CD095189AF236CE2F | B52F2B9DE19D12B0E727E13E3DDE93009E487BFB2DD97FD23952C7080949D97E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | HEAD | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/i321033.cab | US | — | — | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | HEAD | 200 | 23.32.238.194:80 | http://officecdn.microsoft.com.edgesuite.net/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32.cab | US | — | — | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | GET | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/i321033.cab | US | — | — | whitelisted |
1532 | OfficeClickToRun.exe | HEAD | 200 | 23.32.238.194:80 | http://officecdn.microsoft.com.edgesuite.net/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/s321033.cab | US | — | — | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | HEAD | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/i320.cab | US | — | — | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | GET | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32.cab | US | — | — | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | GET | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/i320.cab | US | — | — | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | HEAD | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32.cab | US | — | — | whitelisted |
1532 | OfficeClickToRun.exe | HEAD | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/s321033.cab | US | — | — | whitelisted |
1532 | OfficeClickToRun.exe | HEAD | 301 | 104.108.144.60:80 | http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.12527.21594/s321033.cab | US | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2852 | OfficeClickToRun.exe | 52.113.194.132:443 | ecs.office.com | Microsoft Corporation | US | suspicious |
1532 | OfficeClickToRun.exe | 52.114.128.75:443 | self.events.data.microsoft.com | Microsoft Corporation | US | unknown |
1532 | OfficeClickToRun.exe | 184.30.21.171:80 | www.microsoft.com | GTT Communications Inc. | US | suspicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 23.32.238.232:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | unknown |
1532 | OfficeClickToRun.exe | 2.21.242.213:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | 104.108.144.60:80 | officecdn.microsoft.com | TOT Public Company Limited | US | unknown |
1532 | OfficeClickToRun.exe | 23.32.238.194:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | suspicious |
1532 | OfficeClickToRun.exe | 52.113.194.132:443 | ecs.office.com | Microsoft Corporation | US | suspicious |
2884 | microsoft-office-2016-preview-32-bit-en-win.exe | 23.32.238.194:80 | officecdn.microsoft.com.edgesuite.net | XO Communications | US | suspicious |
Domain | IP | Reputation |
---|---|---|
officecdn.microsoft.com | | whitelisted |
officecdn.microsoft.com.edgesuite.net | | whitelisted |
ecs.office.com | | whitelisted |
crl.microsoft.com | | whitelisted |
www.microsoft.com | | whitelisted |
self.events.data.microsoft.com | | whitelisted |
ocsp.digicert.com | | whitelisted |