File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/93f2c338-d044-43ce-a9ce-f284afcda362
Verdict: Malicious activity
Analysis date: July 02, 2025, 13:25:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

70F26F5DEBAD8970935D4CAA2FE0230D

SHA1:

A6694017D8D0A7B1641DE7A1A8DEA2AA727639A5

SHA256:

7FF97240A37495A3C1FBBE81FB4806C26429DF44E35CFB402D8E20930D1D0E3C

SSDEEP:

98304:czr3ZaejraO5eWEJpzW9cNOv0PhfnpP+/4aEWs/E8NXZqW5AHEqBtg11Vso3Bl/r:Y7+9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeC2RClient.exe (PID: 316)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 2708)
      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 2708)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
    • Application launched itself

      • OfficeSetup.exe (PID: 2708)
      • OfficeSetup.exe (PID: 2356)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeC2RClient.exe (PID: 316)
    • Searches for installed software

      • OfficeSetup.exe (PID: 864)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 2128)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 2128)
  • INFO

    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 2356)
    • Reads the computer name

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • slui.exe (PID: 1236)
    • Checks supported languages

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2708)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeC2RClient.exe (PID: 316)
      • OfficeClickToRun.exe (PID: 4824)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeC2RClient.exe (PID: 316)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
      • slui.exe (PID: 1236)
    • Reads CPU info

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
    • Reads Environment values

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeC2RClient.exe (PID: 316)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 864)
      • OfficeSetup.exe (PID: 2356)
      • OfficeC2RClient.exe (PID: 316)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 4824)
      • OfficeC2RClient.exe (PID: 316)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 2356)
      • OfficeSetup.exe (PID: 864)
      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 4824)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 2128)
      • OfficeClickToRun.exe (PID: 2388)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 2128)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 2128)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 2388)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 2128)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 316)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:29 04:43:18+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.42
CodeSize: 4631552
InitializedDataSize: 2706432
UninitializedDataSize: -
EntryPoint: 0x3f54d6
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18925.20138
ProductVersionNumber: 16.0.18925.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18925.20138
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18925.20138
No data.
Total processes
149
Monitored processes
9
Malicious processes
3
Suspicious processes
2

Behavior graph

[Behavior graph, nodes in order: start, officesetup.exe no specs, officesetup.exe, officesetup.exe, officeclicktorun.exe, Delivery Optimization User no specs, officeclicktorun.exe, officeclicktorun.exe, slui.exe, officec2rclient.exe]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 316
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Click-to-Run Client
Version:
16.0.18925.20138
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.18925.20138
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1236
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2128
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18925.20138 mediatype=CDN sourcetype=CDN O365HomePremRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2228
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2356
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18925.20138
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2388
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18925.20138
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
PID: 2708
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18925.20138
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 4824
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365HomePremRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18925.20138 mediatype.16=CDN sourcetype.16=CDN O365HomePremRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18925.20138
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
62 866
Read events
62 374
Write events
275
Delete events
217

Modification events

(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officesetup.exe\ULSMonitor
Operation: write
Name: ULSCategoriesSeverities
Value: 942 6,1329 50,944 15,1329 10,940 10,941 10,942 10,943 10,1329 15,944 10,940 15,944 50,940 6,941 15,940 100,942 15,943 15,940 50,944 6,1329 6,1329 100,943 6,941 6,944 100
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2
(PID) Process: (2356) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2
Executable files
409
Suspicious files
229
Text files
534
Unknown types
59

Dropped files

PID
Process
Filename
Type
PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2RC292A353-7269-4CA0-A75B-042572B950AF\VersionDescriptor.xml
Type: xml
MD5:3851C0A4660AADBDE33AAE1409BC0FF8
SHA256:9F28F50398E106E80830302D959F54DA37A1E9EAC09A1F12D3DD9DFEAF466895
PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm
Type: binary
MD5:B7C0675837710C61022D9802115F998C
SHA256:BA5D18A0DA8A0C3812652B31F5D62D79CECE9FC0FC7AA73AE9FC129BE26597AF
PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2RC292A353-7269-4CA0-A75B-042572B950AF\v64.hash
Type: text
MD5:BF842F74AB050FEE830C1FC019BFB886
SHA256:40BBB0C4BD3EDF1B5FE902BA07AC5DE4C988DB3F9A84DEF443A0A7E3F84C6A47
PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\C18612B7-32C2-4674-83F2-4D7478857C2D
Type: xml
MD5:FF34CE9D45E0190590E8C63F00812440
SHA256:CA90E72CD687EF7A0708A85E9A98BEF93324408B129A09C522324B80D302D4F4
PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59C76228DF8A2918214D353D01EDF08
Type: binary
MD5:D710AA6FED4719D8B1037399F6A95965
SHA256:9A06D65A175560E6618E7C44C4565ABD96DF632539191CB67E43154A7E79A140
PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2RC292A353-7269-4CA0-A75B-042572B950AFOfficeC2R3A86B924-E0E8-4DF8-B308-DD608303A7AD\v64.hash
Type: text
MD5:BF842F74AB050FEE830C1FC019BFB886
SHA256:40BBB0C4BD3EDF1B5FE902BA07AC5DE4C988DB3F9A84DEF443A0A7E3F84C6A47
PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5:B61095C6F8F3A2D026E0494DA7E2D06F
SHA256:B998A0F00649FD25C0B16EBF8B3457E906315A74B64824CF2947ABC89ED782CC
PID: 2356
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: der
MD5:B7E14297FBD14ED11C872A21A80310C6
SHA256:FABAE8D68F40A541A4C003BD476D496D5590D3ED37E124E7C340BFC364F5F994
PID: 2128
Process: OfficeClickToRun.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\F9CC56FB-0A33-4C7A-B74E-4FC717975D94OfficeC2R990E2DC7-63BA-458C-A901-FE2E32233D90\api-ms-win-core-file-l2-1-0.dll
Type: executable
MD5:ADB3471F89E47CD93B6854D629906809
SHA256:355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69
PID: 864
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2RC292A353-7269-4CA0-A75B-042572B950AFOfficeC2R3A86B924-E0E8-4DF8-B308-DD608303A7AD\VersionDescriptor.xml
Type: xml
MD5:3851C0A4660AADBDE33AAE1409BC0FF8
SHA256:9F28F50398E106E80830302D959F54DA37A1E9EAC09A1F12D3DD9DFEAF466895
HTTP(S) requests
202
TCP/UDP connections
192
DNS requests
122
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
864
OfficeSetup.exe
HEAD
200
2.16.168.107:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
1268
svchost.exe
GET
200
173.223.117.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
864
OfficeSetup.exe
HEAD
200
2.16.168.107:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
864
OfficeSetup.exe
HEAD
200
2.16.168.107:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
2524
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2356
OfficeSetup.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
864
OfficeSetup.exe
GET
200
2.18.121.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
4760
svchost.exe
HEAD
200
199.232.210.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18925.20138.cab
unknown
whitelisted
1268
svchost.exe
GET
200
2.18.121.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1044
svchost.exe
GET
206
199.232.210.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18925.20138/i640.cab
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6936
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2356
OfficeSetup.exe
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2356
OfficeSetup.exe
52.123.129.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
864
OfficeSetup.exe
52.110.17.38:443
mrodevicemgr.officeapps.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
864
OfficeSetup.exe
2.16.168.107:80
f.c2r.ts.cdn.office.net
Akamai International B.V.
RU
whitelisted
4
System
192.168.100.255:138
whitelisted
4140
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
  • 52.109.76.240
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.38
  • 52.110.17.62
  • 52.110.17.43
  • 52.110.17.26
  • 52.110.17.53
  • 52.110.17.45
  • 52.110.17.48
  • 52.110.17.18
whitelisted
f.c2r.ts.cdn.office.net
  • 2.16.168.107
  • 2.16.168.120
  • 199.232.210.172
  • 199.232.214.172
whitelisted
mobile.events.data.microsoft.com
  • 13.69.239.74
  • 20.189.173.26
  • 20.42.72.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
crl.microsoft.com
  • 2.18.121.139
  • 2.18.121.147
  • 2.16.241.14
  • 2.16.241.12
  • 2.16.168.124
  • 2.16.168.114
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 173.223.117.131
  • 95.101.149.131
whitelisted

Threats

No threats detected
No debug info