rule Suspicious_OffScrub_Impersonation meta: description = "Detects unsigned or misnamed SetupProd_OffScrub.exe" strings: $sig = "Microsoft Corporation" wide ascii $name = "SetupProd_OffScrub.exe" nocase condition: filename == $name and not $sig
: Follow the remaining prompts to confirm the scrubbing process. setupprodoffscrubexe top
If you sorted by CPU usage ( top processes), you saw this executable using high CPU. : setupprodoffscrubexe top
Method 1: The Microsoft Support and Recovery Assistant (Recommended) setupprodoffscrubexe top
: Essential when switching between Office versions (e.g., upgrading to Office 2019/2021) or changing from 64-bit to 32-bit architectures.