File name:

Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.zip

Full analysis: https://app.any.run/tasks/a4320509-bd7b-44e2-a737-f9402a9a75a9
Verdict: Malicious activity
Analysis date: February 19, 2019, 09:03:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5:

36C04D7E790D36CF8D6701D763E35804

SHA1:

1303185FF2C328E27C5EE9785052CEC2B7E3AAFD

SHA256:

34E24362B92F3B70F656ACFFE13F5EB4329273573E69BD9478DAABD3C41395BC

SSDEEP:

49152:rSAb7AmRnjnLY3/Zvf5x/G932Lh64DwaE7T5eHR0SlMD4:rSAb77nLE3hI2OLeH+Sh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2332)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)
      • OfficeClickToRun.exe (PID: 3752)
      • OfficeClickToRun.exe (PID: 2960)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 4072)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2976)
      • OfficeC2RClient.exe (PID: 2824)

    • Loads dropped or rewritten executable

      • OfficeClickToRun.exe (PID: 3752)
      • OfficeClickToRun.exe (PID: 2960)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 4072)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2976)
      • OfficeC2RClient.exe (PID: 2824)

    • Changes settings of System certificates

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)
      • OfficeClickToRun.exe (PID: 2960)

  • SUSPICIOUS

    • Reads Internet Cache Settings

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2332)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)
      • OfficeClickToRun.exe (PID: 3752)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 4072)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2976)
      • OfficeC2RClient.exe (PID: 2824)

    • Application launched itself

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2332)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 4072)

    • Adds / modifies Windows certificates

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)
      • OfficeClickToRun.exe (PID: 2960)

    • Searches for installed software

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)

    • Creates files in the user directory

      • powershell.exe (PID: 2836)

    • Creates files in the Windows directory

      • OfficeClickToRun.exe (PID: 2960)

    • Executes PowerShell scripts

      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)

    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 2960)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)

    • Removes files from Windows directory

      • OfficeClickToRun.exe (PID: 2960)

    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 2960)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)

  • INFO

    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3752)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 3164)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 4072)
      • OfficeClickToRun.exe (PID: 2960)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 2976)
      • OfficeC2RClient.exe (PID: 2824)

    • Reads settings of System Certificates

      • OfficeClickToRun.exe (PID: 3752)
      • OfficeClickToRun.exe (PID: 2960)
      • Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe (PID: 4072)
      • OfficeC2RClient.exe (PID: 2824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0001
ZipCompression: Unknown (99)
ZipModifyDate: 2019:02:18 17:33:03
ZipCRC: 0x00000000
ZipCompressedSize: 2369311
ZipUncompressedSize: 5225368
ZipFileName: Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe powershell.exe no specs officeclicktorun.exe officeclicktorun.exe setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe officec2rclient.exe

Process information

PID
CMD
Path
Indicators
Parent process
2332"C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe" C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office
Exit code:
0
Version:
16.0.11231.20164
Modules
Images
c:\users\admin\desktop\setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2824"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{FB9843BB-0D8A-4347-A227-C759C3FC9103}@INSTALL"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Click-to-Run Client
Exit code:
0
Version:
16.0.11328.20068
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2836"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -WindowStyle Hidden -Command "& { $isOfficeInstalled = Get-AppxPackage Microsoft.Office.Desktop -allusers; if ($isOfficeInstalled -eq $null) { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '0' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch' -InputObject '1' -Encoding ascii } }"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSetup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2960"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.11328.20068
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2976"C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe" ELEVATED C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office
Exit code:
2147549183
Version:
16.0.11231.20164
Modules
Images
c:\users\admin\desktop\setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
3164"C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe" ELEVATED C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office
Exit code:
0
Version:
16.0.11231.20164
Modules
Images
c:\users\admin\desktop\setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
3556"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3752 deliverymechanism=64256afe-f5d9-4f86-8936-8840a6a4f5be productreleaseid=O365BusinessRetail platform=x86 o365businessretail=099fad3a-fc81-4eb4-af48-f29f647fe997 tx=PR culture=en-us lcid=1033 b=16 prereleasebuild=4419 defaultplatform=True forcecentcheck= storeid= totalclientcabsize=19526529 productstoadd=O365BusinessRetail.16_en-us_x-none scenario=unknown O365BusinessRetail.excludedapps.16=groove updatesenabled.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be version.16=16.0.11328.20070 mediatype.16=CDN baseurl.16=http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be sourcetype.16=CDN flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.useteamsaddon=enabledC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.11328.20068
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
4072"C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe" C:\Users\admin\Desktop\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office
Exit code:
2147549183
Version:
16.0.11231.20164
Modules
Images
c:\users\admin\desktop\setup.def.en-us_o365businessretail_099fad3a-fc81-4eb4-af48-f29f647fe997_tx_pr_platform_def_b_16_.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
1 755
Read events
1 303
Write events
437
Delete events
15

Modification events

(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3556) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.zip
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
0
(PID) Process:(3556) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files
181
Suspicious files
29
Text files
26
Unknown types
10

Dropped files

PID
Process
Filename
Type
3556WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRb3556.7517\Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\CabF67C.tmp
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\TarF67D.tmp
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R1855EA7C-7D03-4051-83D0-20CEFE88A9D6OfficeC2R6C356B89-9D37-4838-811D-03D7DFB12F67\v32.hash
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R1855EA7C-7D03-4051-83D0-20CEFE88A9D6OfficeC2R6C356B89-9D37-4838-811D-03D7DFB12F67\VersionDescriptor.xml
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R1855EA7C-7D03-4051-83D0-20CEFE88A9D6\v32.hash
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R1855EA7C-7D03-4051-83D0-20CEFE88A9D6\VersionDescriptor.xml
MD5:
SHA256:
2836powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TUK7YAGLEDF2F70H4ZFF.temp
MD5:
SHA256:
2836powershell.exeC:\Users\admin\AppData\Local\Temp\Centennial.Detection.IsCentennialOfficeInstalled.scratch
MD5:
SHA256:
3164Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exeC:\Users\admin\AppData\Local\Temp\OfficeC2RA2ADB74C-2A70-4BD0-B907-FEF8A7FF81A5\i321033.cab
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
48
TCP/UDP connections
29
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32_16.0.11328.20070.cab
unknown
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
HEAD
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32_16.0.11328.20070.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
GET
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32_16.0.11328.20070.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
GET
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.11328.20070/i321033.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
HEAD
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.11328.20070/i321033.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
GET
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.11328.20070/i320.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
HEAD
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.11328.20070/i320.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
HEAD
301
23.5.102.128:80
http://officecdn.microsoft.com/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32_16.0.11328.20070.cab
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
HEAD
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/v32_16.0.11328.20070.cab
unknown
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
GET
200
2.16.186.83:80
http://officecdn.microsoft.com.edgesuite.net/PR/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.11328.20070/i321033.cab
unknown
compressed
15.6 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2332
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
2332
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
52.232.69.150:443
client-office365-tas.msedge.net
Microsoft Corporation
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
52.109.88.44:443
mrodevicemgr.officeapps.live.com
Microsoft Corporation
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
23.5.102.128:80
officecdn.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
2.16.186.83:80
officecdn.microsoft.com.edgesuite.net
Akamai International B.V.
whitelisted
3164
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.exe
2.16.186.120:80
crl.microsoft.com
Akamai International B.V.
whitelisted
3752
OfficeClickToRun.exe
52.232.69.150:443
client-office365-tas.msedge.net
Microsoft Corporation
NL
whitelisted
3752
OfficeClickToRun.exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
2960
OfficeClickToRun.exe
52.232.69.150:443
client-office365-tas.msedge.net
Microsoft Corporation
NL
whitelisted
2960
OfficeClickToRun.exe
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.3.128
malicious
client-office365-tas.msedge.net
  • 52.232.69.150
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.88.44
whitelisted
officecdn.microsoft.com
  • 23.5.102.128
  • 23.210.248.85
whitelisted
officecdn.microsoft.com.edgesuite.net
  • 2.16.186.83
  • 2.16.186.90
  • 2.16.186.59
whitelisted
crl.microsoft.com
  • 2.16.186.120
  • 2.16.186.74
whitelisted
self.events.data.microsoft.com
  • 52.114.74.45
  • 52.114.32.6
whitelisted
www.microsoft.com
  • 92.122.253.175
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
Process
Message
OfficeClickToRun.exe
2019-02-19 09:05:15.743 T#2772 <E> [AriaSDK] HTTP request WI-1 failed after 365 ms, events were rejected by the server (403) and will be all dropped
OfficeClickToRun.exe
2019-02-19 09:05:23.211 T#3312 <E> [AriaSDK] HTTP request WI-1 failed after 5767 ms, events were rejected by the server (403) and will be all dropped
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Setup.Def.en-us_O365BusinessRetail_099fad3a-fc81-4eb4-af48-f29f647fe997_TX_PR_Platform_def_b_16_.zip