File name:

OfficeSetup (2).exe

Full analysis: https://app.any.run/tasks/0d535c3f-eb02-451f-8dd3-b137610be83e
Verdict: Malicious activity
Analysis date: May 18, 2025, 12:14:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, generic
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: A572E50EE1D2489638A422F20D6E4380
SHA1: ABCCE43D09AC99934CE444492BBA696E190547C1
SHA256: 57FD2367F20B4A7F46873B16A29402EBED66F98025775D3B59F3F53A34130EF7
SSDEEP: 98304:FeYDn+P++j8xOxtxUBacyWOOXCigTc0Rd847TucE2725rKbkK9hFPU5EKe5EF1M/:n/m/3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup (2).exe (PID: 7564)
      • OfficeSetup (2).exe (PID: 7416)
    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 7244)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • OfficeSetup (2).exe (PID: 7396)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
    • Starts a Microsoft application from unusual location

      • OfficeSetup (2).exe (PID: 7396)
      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
    • Application launched itself

      • OfficeSetup (2).exe (PID: 7396)
      • OfficeSetup (2).exe (PID: 7416)
    • Reads security settings of Internet Explorer

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
    • Searches for installed software

      • OfficeSetup (2).exe (PID: 7564)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 7244)
  • INFO

    • Checks supported languages

      • OfficeSetup (2).exe (PID: 7396)
      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
      • OfficeClickToRun.exe (PID: 4920)
    • Reads the machine GUID from the registry

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
      • OfficeClickToRun.exe (PID: 4920)
    • Reads the computer name

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
      • OfficeClickToRun.exe (PID: 4920)
    • Reads Microsoft Office registry keys

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
      • OfficeClickToRun.exe (PID: 4920)
    • Process checks computer location settings

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
    • Process checks whether UAC notifications are on

      • OfficeSetup (2).exe (PID: 7416)
    • Checks proxy server information

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
      • OfficeClickToRun.exe (PID: 4920)
    • Reads the software policy settings

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 4920)
      • OfficeClickToRun.exe (PID: 7712)
      • slui.exe (PID: 7888)
    • Creates files or folders in the user directory

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 4920)
    • Create files in a temporary directory

      • OfficeSetup (2).exe (PID: 7416)
      • OfficeSetup (2).exe (PID: 7564)
      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 4920)
    • Reads Environment values

      • OfficeSetup (2).exe (PID: 7564)
      • OfficeSetup (2).exe (PID: 7416)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 7244)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 7244)
      • OfficeClickToRun.exe (PID: 7712)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 7244)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7712)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 7244)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 7244)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:08 07:07:01+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4682240
InitializedDataSize: 2941440
UninitializedDataSize: -
EntryPoint: 0x3fbdc5
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18730.20168
ProductVersionNumber: 16.0.18730.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18730.20168
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18730.20168
No data.
Total processes: 141
Monitored processes: 10
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start officesetup (2).exe no specs officesetup (2).exe officesetup (2).exe sppextcomobj.exe no specs slui.exe #GENERIC officeclicktorun.exe Delivery Optimization User no specs officeclicktorun.exe officeclicktorun.exe slui.exe no specs

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 4920
CMD: OfficeClickToRun.exe platform=x64 culture=ru-ru productstoadd=ProPlus2024Retail.16_ru-ru_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18730.20168 mediatype.16=CDN sourcetype.16=CDN ProPlus2024Retail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup (2).exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18730.20168
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
c:\program files\common files\microsoft shared\clicktorun\apiclient.dll
c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll

PID: 5056
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

PID: 5384
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7244
CMD: OfficeClickToRun.exe platform=x64 culture=ru-ru productstoadd=ProPlus2024Retail.16_ru-ru_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18730.20168 mediatype=CDN sourcetype=CDN ProPlus2024Retail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup (2).exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Exit code: 0
Version: 16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 7396
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup (2).exe"
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup (2).exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18730.20168
Modules
Images
c:\users\admin\appdata\local\temp\officesetup (2).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7416
CMD: OfficeSetup (2).exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup (2).exe
Parent process: OfficeSetup (2).exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18730.20168
Modules
Images
c:\users\admin\appdata\local\temp\officesetup (2).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7564
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup (2).exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 (2).exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup (2).exe
Parent process: OfficeSetup (2).exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft 365 and Office
Version: 16.0.18730.20168
Modules
Images
c:\users\admin\appdata\local\temp\officesetup (2).exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 7712
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18730.20168
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll
c:\program files\common files\microsoft shared\clicktorun\apiclient.dll
c:\windows\system32\advapi32.dll

PID: 7856
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

PID: 7888
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Total events: 26 603
Read events: 26 250
Write events: 158
Delete events: 195

Modification events

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2

(PID) Process: (7416) OfficeSetup (2).exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: tr-tr
Value: 2

Executable files: 403
Suspicious files: 72
Text files: 70
Unknown types: 0

Dropped files

HTTP(S) requests: 76
TCP/UDP connections: 61
DNS requests: 47
Threats: 0

HTTP requests


Connections


DNS requests


Threats

No threats detected
No debug info