File name: OfficeSetup.exe

Full analysis: https://app.any.run/tasks/f32d8bdb-a044-4086-a597-6b912b986865
Verdict: Malicious activity
Analysis date: April 15, 2025, 02:33:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, generic
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: D6F13E7D20C29626DE537F25CAD87D4C
SHA1: 778540030BE3E9837556900A4A97FB2951B2DB39
SHA256: 41EE79EED8B9E52FCC8D061C2594CDBEC19479216354EDCEDD0318E6089327E3
SSDEEP: 98304:FyCkN96WNwWOUSgcRbRlIFATBZjf6vlXBXVXz8mQMHT4Bm5n8QE/IhaFAEffqcEf:Aq4PX99

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 7580)
      • OfficeSetup.exe (PID: 7316)
    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 8048)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 7276)
      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 7276)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
    • Application launched itself

      • OfficeSetup.exe (PID: 7276)
      • OfficeSetup.exe (PID: 7316)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
    • Searches for installed software

      • OfficeSetup.exe (PID: 7580)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 8048)
  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 7276)
      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
      • OfficeClickToRun.exe (PID: 7736)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
      • OfficeClickToRun.exe (PID: 7736)
    • Reads the computer name

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
      • OfficeClickToRun.exe (PID: 7736)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 7316)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
      • OfficeClickToRun.exe (PID: 7736)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7736)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
      • OfficeClickToRun.exe (PID: 7736)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7736)
      • OfficeClickToRun.exe (PID: 7336)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7736)
    • Reads CPU info

      • OfficeSetup.exe (PID: 7316)
      • OfficeSetup.exe (PID: 7580)
    • Reads Environment values

      • OfficeSetup.exe (PID: 7580)
      • OfficeSetup.exe (PID: 7316)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 8048)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 8048)
      • OfficeClickToRun.exe (PID: 7336)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 8048)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 8048)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7336)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:08 04:27:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4641280
InitializedDataSize: 2994176
UninitializedDataSize: -
EntryPoint: 0x3f7da1
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18623.20178
ProductVersionNumber: 16.0.18623.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18623.20178
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18623.20178
Total processes: 144
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start officesetup.exe no specs officesetup.exe sppextcomobj.exe no specs slui.exe officesetup.exe #GENERIC officeclicktorun.exe Delivery Optimization User no specs officeclicktorun.exe officeclicktorun.exe

Process information

PID | CMD | Path | Indicators | Parent process

PID: 7276
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18623.20178

PID: 7316
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18623.20178

PID: 7336
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18623.20178

PID: 7444
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID: 7504
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 7580
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft 365 and Office
Version: 16.0.18623.20178

PID: 7736
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProPlus2024Retail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18623.20178 mediatype.16=CDN sourcetype.16=CDN ProPlus2024Retail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18623.20178

PID: 8048
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProPlus2024Retail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18623.20178 mediatype=CDN sourcetype=CDN ProPlus2024Retail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Exit code: 0
Version: 16.0.16026.20140

PID: 8180
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)

Total events: 24 839
Read events: 24 473
Write events: 163
Delete events: 203

Modification events

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: en-US | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: de-de | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: fr-fr | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: es-es | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: it-it | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: ja-jp | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: ko-kr | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: pt-br | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: ru-ru | Value: 2

(PID) Process: (7316) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write | Name: tr-tr | Value: 2

Executable files: 385
Suspicious files: 54
Text files: 245
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7316 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\22302B14-DAC1-4537-8DD4-92D67EE12A78 | xml
MD5: 0751C74EC224251F957AEA6F7E95E7E9
SHA256: 73AAD9213CA32728EBA10594D9E4380D03F2B5D1CB0FE60D017C62EDF2ECCAD8

7316 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal | binary
MD5: 2F2CE6846C4A1C430E9C941ECBA774A4
SHA256: 1009EB416DE9F7843B0B21DABCD673E10BA990BA2752B2B7B071D95E0306B52B

7316 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | binary
MD5: 6912D1D2833DE896790E45778C0DD647
SHA256: 81FCBC48C18F5C2D1EF3D5A24A43103378FDDA1F3884C5C3294FC635FC8C9FA6

7580 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5: 86BEC7A51419CF6F8277608E79B2B807
SHA256: 1AE99C253A484A9CB6814FB52AFD40E347DFE2CD6273E50B245695B87C1BC6E5

7316 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | binary
MD5: 8F262A930527AE9D8ED59AB687A6A635
SHA256: 7EE7CAED54B6B2C7A7E94A75C33C983AC56462826D27BD5F54DF8421BB500E15

7316 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm | binary
MD5: E48A1031674FD4FBBCBAA62701C67F0D
SHA256: 79E452E88CCE497108919B81EA0372C787E704A36DE809DC38D6369D10476077

7580 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5: E941E5C024816392E9BDD7189860C8CE
SHA256: 3D752EC3FDADEA8F290BB2446230CD1880A3B6BC18666570384C202ED979987A

7580 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE | binary
MD5: 411D4C6D9068F0593E05D0F67B46BF77
SHA256: 743747DD59C21B0ECD5328A93F31A5D89A9765AFC6740C4963EBA797AA383043

7580 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892 | binary
MD5: 88DF11F50757B8DB445ECDFFEC78200C
SHA256: B2BB9C5885233855D90AB237B1EE28C77EC90A09388A10E860702A1A951ECE5C

7580 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | binary
MD5: B6F26018B93377B06179ABB89479DF0F
SHA256: FB5CB2C2963165DD11B1FAC4176DFE4DA53F17C755A35EF3BAF39B3BB969B8E9

HTTP(S) requests: 73
TCP/UDP connections: 63
DNS requests: 43
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7580 | OfficeSetup.exe | HEAD | 200 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown | whitelisted
7580 | OfficeSetup.exe | HEAD | 200 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab | unknown | whitelisted
7580 | OfficeSetup.exe | HEAD | 200 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab | unknown | whitelisted
7756 | svchost.exe | HEAD | 200 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab | unknown | whitelisted
7756 | svchost.exe | GET | 206 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab | unknown | whitelisted
7756 | svchost.exe | HEAD | 200 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab | unknown | whitelisted
7756 | svchost.exe | GET | 200 | 23.48.23.37:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7580 | OfficeSetup.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
2616 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
7316 | OfficeSetup.exe | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
2112 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7316 | OfficeSetup.exe | 52.123.128.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7580 | OfficeSetup.exe | 52.110.17.66:443 | mrodevicemgr.officeapps.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.185.78 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6, 2.16.164.49, 2.16.164.120 | whitelisted
officeclient.microsoft.com | 52.109.32.97 | whitelisted
ecs.office.com | 52.123.128.14, 52.123.129.14 | whitelisted
mrodevicemgr.officeapps.live.com | 52.110.17.66, 52.110.17.63, 52.110.17.11, 52.110.17.21, 52.110.17.70, 52.110.17.45, 52.110.17.15, 52.110.17.74 | whitelisted
f.c2r.ts.cdn.office.net | 23.48.23.37, 23.48.23.62, 2.22.242.89, 2.22.242.130 | whitelisted
login.live.com | 20.190.159.64, 20.190.159.75, 40.126.31.131, 40.126.31.1, 20.190.159.73, 20.190.159.71, 40.126.31.69, 20.190.159.4 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
mobile.events.data.microsoft.com | 20.42.65.90, 20.189.173.5, 20.189.173.4 | whitelisted

Threats

No threats detected
No debug info