File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/93f2c338-d044-43ce-a9ce-f284afcda362
Verdict: Malicious activity
Analysis date: July 02, 2025, 13:25:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

70F26F5DEBAD8970935D4CAA2FE0230D

SHA1:

A6694017D8D0A7B1641DE7A1A8DEA2AA727639A5

SHA256:

7FF97240A37495A3C1FBBE81FB4806C26429DF44E35CFB402D8E20930D1D0E3C

SSDEEP:

98304:czr3ZaejraO5eWEJpzW9cNOv0PhfnpP+/4aEWs/E8NXZqW5AHEqBtg11Vso3Bl/r:Y7+9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeC2RClient.exe (PID: 316)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 2708)
      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 2708)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
    • Application launched itself

      • OfficeSetup.exe (PID: 2708)
      • OfficeSetup.exe (PID: 2356)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeC2RClient.exe (PID: 316)
    • Searches for installed software

      • OfficeSetup.exe (PID: 864)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 2128)
  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 2708)
      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Reads the computer name

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeC2RClient.exe (PID: 316)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 2356)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • slui.exe (PID: 1236)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
      • slui.exe (PID: 1236)
    • Reads Environment values

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeC2RClient.exe (PID: 316)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Reads CPU info

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 2128)
    • Reads the machine GUID from the registry

      • OfficeClickToRun.exe (PID: 2128)
      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 2128)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 2388)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 2128)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:29 04:43:18+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.42
CodeSize: 4631552
InitializedDataSize: 2706432
UninitializedDataSize: -
EntryPoint: 0x3f54d6
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18925.20138
ProductVersionNumber: 16.0.18925.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18925.20138
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18925.20138
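Every value in the EXE block above is read straight from the COFF file header and the PE32 optional header, so the same fields can be re-derived from the file on disk to confirm that what you hold is the sample that was analysed (the version-resource strings, CompanyName, InternalName and OriginalFileName, are free text that any build can claim and prove nothing by themselves). The Python below is an example added to this page, not ANY.RUN's or ExifTool's code: it parses just those header fields and diffs them against the values this report lists. The byte string it builds is a constructed fixture that carries the reported values; it is not the analysed OfficeSetup.exe.

```python
"""Re-derive the EXE header fields listed above from a file's PE headers.

Example added to this report page; not ANY.RUN's or ExifTool's code. Only the
DOS e_lfanew pointer, the COFF file header and the front of the PE32 optional
header are read, which is where MachineType, TimeStamp, ImageFileCharacteristics,
LinkerVersion, CodeSize, InitializedDataSize, EntryPoint, OSVersion,
SubsystemVersion and Subsystem come from. build_sample_pe() is a constructed
fixture carrying this report's values; it is not the analysed OfficeSetup.exe.
"""
import struct
import sys
from datetime import datetime, timezone

# IMAGE_FILE_* flags (winnt.h) with the names ExifTool prints for them
CHARACTERISTICS = {
    0x0002: "Executable",
    0x0100: "32-bit",
    0x0400: "Removable run from swap",
    0x0800: "Net run from swap",
}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows command line"}

# Values copied from the EXIF/EXE section of this report, for the cross-check
REPORTED = {
    "machine": "Intel 386 or later, and compatibles",
    "sections": 6,
    "timestamp": "2025:06:29 04:43:18+00:00",
    "characteristics": "Executable, 32-bit, Removable run from swap, Net run from swap",
    "linker": "14.42",
    "code_size": 4631552,
    "init_data_size": 2706432,
    "entry_point": "0x3f54d6",
    "os_version": "5.2",
    "subsystem_version": "5.2",
    "subsystem": "Windows GUI",
}


def parse_pe(data: bytes) -> dict:
    """Return the header fields in the same shape as REPORTED; raise on non-PE32 input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsect, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                          # optional header follows the COFF header
    magic, lnk_major, lnk_minor, code, idata, _udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError(f"only PE32 (magic 0x10b) handled here, got {magic:#x}")
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)   # MajorOperatingSystemVersion, Minor
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)   # MajorSubsystemVersion, Minor
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "sections": nsect,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": ", ".join(n for bit, n in CHARACTERISTICS.items() if chars & bit),
        "linker": f"{lnk_major}.{lnk_minor}",
        "code_size": code,
        "init_data_size": idata,
        "entry_point": f"{entry:#x}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def mismatches(parsed: dict, reported: dict = REPORTED) -> list:
    """Keys whose on-disk value differs from what the report lists (empty list: they agree)."""
    return [k for k, v in reported.items() if parsed.get(k) != v]


def build_sample_pe() -> bytes:
    """Constructed fixture: headers carrying this report's values over an empty body."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stamp = int(datetime(2025, 6, 29, 4, 43, 18, tzinfo=timezone.utc).timestamp())
    chars = 0x0002 | 0x0100 | 0x0400 | 0x0800    # Executable, 32-bit, both run-from-swap bits
    opt = bytearray(224)                         # PE32 optional header incl. 16 data directories
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 42, 4631552, 2706432, 0, 0x3F54D6)
    struct.pack_into("<HH", opt, 40, 5, 2)       # OS version 5.2
    struct.pack_into("<HH", opt, 48, 5, 2)       # subsystem version 5.2
    struct.pack_into("<H", opt, 68, 2)           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    coff = struct.pack("<HHIIIHH", 0x14C, 6, stamp, 0, 0, len(opt), chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python pe_check.py OfficeSetup.exe   (without an argument the fixture is used)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("mismatches against report:", mismatches(parse_pe(blob)) or "none")
```

Header agreement only shows you are looking at the same build; it is not an authenticity check, which would need the Authenticode signature verified on a Windows host.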
No data.
All screenshots are available in the full report
Total processes
149
Monitored processes
9
Malicious processes
3
Suspicious processes
2

Behavior graph

Process nodes (in graph order): officesetup.exe (no specs), officesetup.exe, officesetup.exe, officeclicktorun.exe, Delivery Optimization User (no specs), officeclicktorun.exe, officeclicktorun.exe, slui.exe, officec2rclient.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
316
CMD:
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Click-to-Run Client
Version:
16.0.18925.20138
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
864
CMD:
"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path:
C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.18925.20138
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
1236
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2128
CMD:
OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18925.20138 mediatype=CDN sourcetype=CDN O365HomePremRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2228
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
2356
CMD:
OfficeSetup.exe RELAUNCHED
Path:
C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18925.20138
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
2388
CMD:
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18925.20138
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
PID:
2708
CMD:
"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
Path:
C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18925.20138
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID:
4824
CMD:
OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18925.20138 mediatype.16=CDN sourcetype.16=CDN O365HomePremRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18925.20138
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
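The process list above is the chain the sandbox's "Starts a Microsoft application from unusual location" and "Application launched itself" indicators fire on: OfficeSetup.exe started from the user's Temp directory at MEDIUM integrity, relaunches itself, is relaunched again with ELEVATED and a SID at HIGH integrity, and that instance starts OfficeClickToRun.exe with CDN parameters while a separate /service instance runs as SYSTEM under services.exe. It is also what an ordinary Click-to-Run install looks like, so the rules worth automating are the ones that would separate the two: where the image runs from, whether integrity rises across a self-relaunch, and which CDN the child is told to fetch from. The Python below is an example added to this page, not ANY.RUN's or Microsoft's code. It re-derives those findings from records transcribed from the table; the parent PIDs (2708 to 2356 to 864, and 864 as parent of both OfficeClickToRun.exe children) and the expected CDN host list are assumptions, since the report names parents only by image.

```python
"""Re-derive the process-chain indicators from this report's process list.

Example added to the page; not ANY.RUN's or Microsoft's code. PROCS is
transcribed from the "Process information" section (command lines trimmed to
the tokens the rules inspect). Parent PIDs are an assumption: the report names
parents only by image, and 2708 -> 2356 -> 864 -> {2128, 4824} is inferred from
the RELAUNCHED/ELEVATED markers and the "Application launched itself" indicator.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

INTEGRITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
# CDN hosts a Click-to-Run install is expected to be pointed at; an assumption
# based on the cdnbaseurl/baseurl values in this report.
EXPECTED_CDN_HOSTS = {"officecdn.microsoft.com", "f.c2r.ts.cdn.office.net"}
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')   # key=value, value may be "quoted"
KEY_SUFFIX = re.compile(r"\.\d+$")          # OfficeClickToRun's per-version keys: cdnbaseurl.16
CDN = "http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60"
TEMP_EXE = r"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
C2R_DIR = r"C:\Program Files\Common Files\microsoft shared\ClickToRun"


@dataclass
class Proc:
    pid: int
    path: str
    integrity: str
    parent_image: str
    parent_pid: Optional[int]   # assumed, see module docstring
    cmd: str


PROCS = [
    Proc(2708, TEMP_EXE, "MEDIUM", "explorer.exe", None, f'"{TEMP_EXE}"'),
    Proc(2356, TEMP_EXE, "MEDIUM", "OfficeSetup.exe", 2708, "OfficeSetup.exe RELAUNCHED"),
    Proc(864, TEMP_EXE, "HIGH", "OfficeSetup.exe", 2356,
         f'"{TEMP_EXE}" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED'),
    Proc(2128, C2R_DIR + r"\OfficeClickToRun.exe", "HIGH", "OfficeSetup.exe", 864,
         f"OfficeClickToRun.exe platform=x64 culture=en-us cdnbaseurl={CDN} baseurl={CDN} "
         "version=16.0.18925.20138 mediatype=CDN sourcetype=CDN scenario=CLIENTUPDATE"),
    Proc(4824, C2R_DIR + r"\OfficeClickToRun.exe", "HIGH", "OfficeSetup.exe", 864,
         f"OfficeClickToRun.exe platform=x64 cdnbaseurl.16={CDN} baseurl.16={CDN} "
         "version.16=16.0.18925.20138 mediatype.16=CDN uninstallcentennial=True"),
    Proc(2388, C2R_DIR + r"\OfficeClickToRun.exe", "SYSTEM", "services.exe", None,
         f'"{C2R_DIR}\\OfficeClickToRun.exe" /service'),
    Proc(316, C2R_DIR + r"\OfficeC2RClient.exe", "MEDIUM", "explorer.exe", None,
         f'"{C2R_DIR}\\OfficeC2RClient.exe" /progressandlaunch ManualUpgrade=False '
         'ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"'),
]


def parse_cmd(cmd: str):
    """Split a command line into upper-cased bare tokens and lower-cased key=value pairs.

    A numeric key suffix (cdnbaseurl.16=...) is folded onto the bare key so both
    spellings used by OfficeClickToRun.exe hit the same rule; quotes are stripped.
    """
    pairs = {KEY_SUFFIX.sub("", m.group(1)).lower(): m.group(2).strip('"')
             for m in KV.finditer(cmd)}
    flags = {t.strip('"').upper() for t in cmd.split() if "=" not in t}
    return flags, pairs


def ancestry(pid: int, procs) -> list:
    """PIDs from the given process up to the first parent the report does not list."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].parent_pid
    return chain


def triage(procs) -> list:
    """Return (pid, rule, detail) findings in input order."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        flags, kv = parse_cmd(p.cmd)
        image = p.path.rsplit("\\", 1)[-1].lower()
        if USER_TEMP.search(p.path):                       # vendor binary in a user-writable dir
            findings.append((p.pid, "runs_from_user_temp", p.path))
        if p.parent_image.lower() == image:                # "Application launched itself"
            findings.append((p.pid, "self_relaunch",
                             " ".join(sorted(flags & {"ELEVATED", "RELAUNCHED"}))))
        parent = by_pid.get(p.parent_pid)
        if parent and INTEGRITY[p.integrity] > INTEGRITY[parent.integrity]:
            findings.append((p.pid, "integrity_escalation",
                             f"{parent.integrity} (pid {parent.pid}) -> {p.integrity}"))
        for key in ("cdnbaseurl", "baseurl"):              # where the child will fetch Office from
            host = urlparse(kv.get(key, "")).hostname
            if host and host not in EXPECTED_CDN_HOSTS:
                findings.append((p.pid, "unexpected_cdn", f"{key}={kv[key]}"))
        if "/SERVICE" in flags and p.integrity == "SYSTEM":
            findings.append((p.pid, "service_host", p.path))
    return findings
```

On these records the CDN rule stays quiet and the only escalation is the MEDIUM to HIGH step at PID 864; a swapped cdnbaseurl or an escalation without the ELEVATED marker is what would make the same chain worth escalating.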
Total events
62 866
Read events
62 374
Write events
275
Delete events
217

Modification events

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officesetup.exe\ULSMonitor
Operation: write
Name: ULSCategoriesSeverities
Value:
942 6,1329 50,944 15,1329 10,940 10,941 10,942 10,943 10,1329 15,944 10,940 15,944 50,940 6,941 15,940 100,942 15,943 15,940 50,944 6,1329 6,1329 100,943 6,941 6,944 100

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value:
2

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value:
2
Executable files
409
Suspicious files
229
Text files
534
Unknown types
59

Dropped files

PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5: B61095C6F8F3A2D026E0494DA7E2D06F
SHA256: B998A0F00649FD25C0B16EBF8B3457E906315A74B64824CF2947ABC89ED782CC

PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: binary
MD5: B607506EE4DFAFAB5C42478B8853FEE1
SHA256: 35BAC6C1262CACB444FACD2D62BEEE1ACF5DD75839CF9F2B3414FFEA69DC806A

PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: der
MD5: B7E14297FBD14ED11C872A21A80310C6
SHA256: FABAE8D68F40A541A4C003BD476D496D5590D3ED37E124E7C340BFC364F5F994

PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal
Type: binary
MD5: 70B98CE0A50D696F8C6079824E354024
SHA256: 0ACA8DBD226B87AE254CF067E0C12E8E518513E577C38D70D607C7B2A4EBE2B7

PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm
Type: binary
MD5: B7C0675837710C61022D9802115F998C
SHA256: BA5D18A0DA8A0C3812652B31F5D62D79CECE9FC0FC7AA73AE9FC129BE26597AF

PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C18612B7-32C2-4674-83F2-4D7478857C2D
Type: xml
MD5: FF34CE9D45E0190590E8C63F00812440
SHA256: CA90E72CD687EF7A0708A85E9A98BEF93324408B129A09C522324B80D302D4F4

PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892
Type: binary
MD5: 19060BE61EB12E429D034A4A56717B66
SHA256: B77C3671202B4C2CA52A2E33A2D80A590140A338EBBF5CBE26ED2D321046BAFB

PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59C76228DF8A2918214D353D01EDF08
Type: binary
MD5: D710AA6FED4719D8B1037399F6A95965
SHA256: 9A06D65A175560E6618E7C44C4565ABD96DF632539191CB67E43154A7E79A140

PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59C76228DF8A2918214D353D01EDF08
Type: der
MD5: E468B4C4A219F9B49766E6090E9D667F
SHA256: 79328A32320DB64F79448E33EC16692E080C18ACD4765D638837A5E676E50478

PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892
Type: der
MD5: A511DAB56DC44A64A1114B7814E4F8C6
SHA256: 08FA57906B20E454242889F05F1609C276B91A06561121E9012A88A50FF23F9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
202
TCP/UDP connections
192
DNS requests
122
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
864
OfficeSetup.exe
HEAD
200
2.16.168.107:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
864
OfficeSetup.exe
HEAD
200
2.16.168.107:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
864
OfficeSetup.exe
HEAD
200
2.16.168.107:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
1268
svchost.exe
GET
200
2.18.121.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2356
OfficeSetup.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1268
svchost.exe
GET
200
173.223.117.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4760
svchost.exe
HEAD
200
199.232.210.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
2524
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4760
svchost.exe
GET
206
199.232.210.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
4760
svchost.exe
HEAD
200
199.232.210.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6936
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2356
OfficeSetup.exe
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2356
OfficeSetup.exe
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
864
OfficeSetup.exe
52.110.17.38:443
mrodevicemgr.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
864
OfficeSetup.exe
2.16.168.107:80
f.c2r.ts.cdn.office.net
Akamai International B.V.
RU
whitelisted
4
System
192.168.100.255:138
whitelisted
4140
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.38
  • 52.110.17.62
  • 52.110.17.43
  • 52.110.17.26
  • 52.110.17.53
  • 52.110.17.45
  • 52.110.17.48
  • 52.110.17.18
whitelisted
f.c2r.ts.cdn.office.net
  • 2.16.168.107
  • 2.16.168.120
  • 199.232.210.172
  • 199.232.214.172
whitelisted
mobile.events.data.microsoft.com
  • 13.69.239.74
  • 20.189.173.26
  • 20.42.72.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 2.18.121.139
  • 2.18.121.147
  • 2.16.241.14
  • 2.16.241.12
  • 2.16.168.124
  • 2.16.168.114
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 173.223.117.131
  • 95.101.149.131
whitelisted

Threats

No threats detected
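The network tables above carry no detections, and every name in the DNS table except google.com is either under a Microsoft-operated domain or a CRL/OCSP responder. Two details are still worth pulling out mechanically. The Office payload (v64_16.0.18925.20138.cab) is only probed with HEAD by OfficeSetup.exe (PID 864); the bytes are fetched over plain HTTP, with a ranged 206 response, by svchost.exe (PID 4760), so per-process network attribution will not tie the download to the installer and transport offers no integrity, which the cab's own signature has to provide. And two resolved names, google.com and mobile.events.data.microsoft.com, have no HTTP request or connection attributed to any monitored process. The Python below is an example added to this page, not ANY.RUN's tooling: it replays those checks over records transcribed from the HTTP, Connections and DNS tables. The OWNED_SUFFIXES list is an assumption made for this example and has to be adjusted per environment.

```python
"""Triage of the HTTP, connection and DNS tables in this report.

Example added to the page; not ANY.RUN's code. HTTP, TLS_HOSTS and DNS are
transcribed from the tables above. OWNED_SUFFIXES is an assumption: the domains
this example treats as Microsoft-operated for an Office install.
"""
from urllib.parse import urlparse

OWNED_SUFFIXES = ("microsoft.com", "office.com", "office.net", "officeapps.live.com")
PAYLOAD_EXT = (".cab", ".exe", ".dll", ".msi")
CAB_BASE = "http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/"
CAB_NEW = CAB_BASE + "v64_16.0.18925.20138.cab"
CAB_OLD = CAB_BASE + "v64_16.0.16026.20146.cab"

HTTP = [  # (pid, process, method, status, url), in the order the report lists them
    (864, "OfficeSetup.exe", "HEAD", 200, CAB_OLD),
    (864, "OfficeSetup.exe", "HEAD", 200, CAB_NEW),
    (864, "OfficeSetup.exe", "HEAD", 200, CAB_NEW),
    (1268, "svchost.exe", "GET", 200,
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (2356, "OfficeSetup.exe", "GET", 200,
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D"),
    (1268, "svchost.exe", "GET", 200,
     "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (4760, "svchost.exe", "HEAD", 200, CAB_NEW),
    (2524, "svchost.exe", "GET", 200,
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
    (4760, "svchost.exe", "GET", 206, CAB_NEW),
    (4760, "svchost.exe", "HEAD", 200, CAB_NEW),
]
TLS_HOSTS = {  # port-443 connections by monitored processes (Connections table)
    "settings-win.data.microsoft.com", "officeclient.microsoft.com", "ecs.office.com",
    "mrodevicemgr.officeapps.live.com",
}
DNS = [
    "settings-win.data.microsoft.com", "google.com", "officeclient.microsoft.com",
    "ecs.office.com", "mrodevicemgr.officeapps.live.com", "f.c2r.ts.cdn.office.net",
    "mobile.events.data.microsoft.com", "ocsp.digicert.com", "crl.microsoft.com",
    "www.microsoft.com",
]


def owned(host: str) -> bool:
    """Exact or dot-boundary suffix match, so evil-office.com does not pass as office.com."""
    return any(host == s or host.endswith("." + s) for s in OWNED_SUFFIXES)


def classify(url: str) -> str:
    """revocation_check (CRL/OCSP), payload_fetch (installable content) or other."""
    u = urlparse(url)
    host, path = (u.hostname or "").lower(), u.path.lower()
    if path.endswith(".crl") or host.startswith("ocsp."):
        return "revocation_check"
    if path.endswith(PAYLOAD_EXT):
        return "payload_fetch"
    return "other"


def triage_http(records) -> list:
    """Findings as (rule, pid, process, method, status, host)."""
    out = []
    for pid, proc, method, status, url in records:
        u = urlparse(url)
        host, kind = (u.hostname or "").lower(), classify(url)
        if kind == "payload_fetch" and u.scheme == "http":
            # transport gives no integrity here; the cab must be checked by its signature
            out.append(("plaintext_payload", pid, proc, method, status, host))
        if kind != "revocation_check" and not owned(host):
            out.append(("unowned_host", pid, proc, method, status, host))
    return out


def payload_downloaders(records) -> set:
    """(pid, process) pairs that moved payload bytes (GET with 200/206), not just HEAD probes."""
    return {(pid, proc) for pid, proc, method, status, url in records
            if classify(url) == "payload_fetch" and method == "GET" and status in (200, 206)}


def unattributed_domains(dns, records, tls_hosts) -> list:
    """Resolved names with no HTTP request or connection from a monitored process, with ownership."""
    seen = {(urlparse(u).hostname or "").lower() for *_, u in records} | set(tls_hosts)
    return sorted((d, owned(d)) for d in dns if d not in seen)
```

A sandbox run of any Windows image produces some unattributed resolutions of its own (telemetry and, here, google.com with no request behind it); the point of listing them with their ownership is to make the unowned ones stand out rather than to treat each as a finding.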
No debug info