File name: OfficeSetup.exe

Full analysis: https://app.any.run/tasks/4b600e3d-1d81-4a1b-b584-11ee38ace56c
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:40:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: B531800DF983D7AAD5B4A425F44CFF1B
SHA1: 00E066345DE9468B034B98392B3DB13060D8DB84
SHA256: 8463CD603B1E9B1E283AA765BF73D87FCB6F3DCF2674E5EFD470EE6DDC56C539
SSDEEP: 98304:l5EFmJUdAOIUO28aWJKEWcNCyymbXEMdc9+e5RkA0ltSGegY/qG7Xrb+iEFPhUes:SWjHo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 2388)
      • OfficeSetup.exe (PID: 5436)
      • OfficeC2RClient.exe (PID: 5724)
  • SUSPICIOUS

    • Application launched itself

      • OfficeSetup.exe (PID: 2320)
      • OfficeSetup.exe (PID: 5436)
    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 2320)
      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 2320)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 5684)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeC2RClient.exe (PID: 5724)
    • Searches for installed software

      • OfficeSetup.exe (PID: 2388)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 5684)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 1100)
  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 2320)
      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 5684)
      • OfficeClickToRun.exe (PID: 1816)
      • OfficeC2RClient.exe (PID: 5724)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 5436)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1816)
      • OfficeClickToRun.exe (PID: 5684)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 5436)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeC2RClient.exe (PID: 5724)
    • Reads the computer name

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 5684)
      • OfficeClickToRun.exe (PID: 1816)
      • OfficeC2RClient.exe (PID: 5724)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 1816)
      • slui.exe (PID: 5248)
      • OfficeC2RClient.exe (PID: 5724)
      • OfficeClickToRun.exe (PID: 5684)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 5684)
      • OfficeClickToRun.exe (PID: 1816)
      • slui.exe (PID: 5248)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeSetup.exe (PID: 5436)
      • OfficeClickToRun.exe (PID: 5684)
      • OfficeClickToRun.exe (PID: 1816)
      • OfficeC2RClient.exe (PID: 5724)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 1816)
      • OfficeC2RClient.exe (PID: 5724)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 5436)
      • OfficeSetup.exe (PID: 2388)
      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 1816)
      • OfficeC2RClient.exe (PID: 5724)
    • Reads Environment values

      • OfficeSetup.exe (PID: 2388)
      • OfficeSetup.exe (PID: 5436)
      • OfficeC2RClient.exe (PID: 5724)
    • Reads CPU info

      • OfficeSetup.exe (PID: 2388)
      • OfficeSetup.exe (PID: 5436)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 1100)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 1100)
      • OfficeClickToRun.exe (PID: 5684)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 1100)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 1100)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 5684)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 5724)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:27 19:01:19+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.42
CodeSize: 4769280
InitializedDataSize: 2667008
UninitializedDataSize: -
EntryPoint: 0x410d18
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.19029.20136
ProductVersionNumber: 16.0.19029.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.19029.20136
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.19029.20136
No data.
Total processes: 145
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start officesetup.exe no specs officesetup.exe officesetup.exe officeclicktorun.exe Delivery Optimization User no specs officeclicktorun.exe officeclicktorun.exe slui.exe officec2rclient.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1100
CMD: OfficeClickToRun.exe platform=x64 culture=fr-fr productstoadd=OutlookRetail.16_fr-fr_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.19029.20136 mediatype=CDN sourcetype=CDN OutlookRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Exit code: 0
Version: 16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1816
CMD: OfficeClickToRun.exe platform=x64 culture=fr-fr productstoadd=OutlookRetail.16_fr-fr_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.19029.20136 mediatype.16=CDN sourcetype.16=CDN OutlookRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.19029.20136
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2320
CMD: "C:\Users\admin\Desktop\OfficeSetup.exe"
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.19029.20136
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2388
CMD: "C:\Users\admin\Desktop\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft 365 and Office
Version: 16.0.19029.20136
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2604
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5248
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5436
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.19029.20136
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 5684
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.19029.20136
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
PID: 5724
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\outlook.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office Click-to-Run Client
Version: 16.0.19029.20136
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 52 649
Read events: 52 099
Write events: 340
Delete events: 210

Modification events

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2

(PID) Process: (5436) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: tr-tr
Value: 2
Executable files: 409
Suspicious files: 127
Text files: 470
Unknown types: 32

Dropped files

PID | Process | Filename | Type
PID: 2388
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\A9404A04-AAFB-45C7-BAE6-AA431045765F
Type: xml
MD5:D1585CEE4E9FE45F39B482AC217AE04B
SHA256:AED078DA921952966152E07BF3E3038DB5D568EF13E33061C975F41B61A0481E
PID: 5436
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm
Type: binary
MD5:C48029191B94FFBBE4B52068D5FCD26C
SHA256:ECCE915E5CF3412FA9EC19FCF1E70D1E6BB4672CA991FE9FE186E91491C020B8
PID: 2388
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59C76228DF8A2918214D353D01EDF08
Type: binary
MD5:99B1A59BB77B4C6C576D05AF2D075036
SHA256:5ACAA8F89506E02D421327BB177B8154405517BF73D8832049DAE69EC1384B50
PID: 5436
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\53E2E09F-A573-4C21-87A7-4B964FBCAC7D
Type: xml
MD5:6A8AEA55418550E95A59F555D7B4E745
SHA256:21F6A6F85226F02E465817B2D4833A1A1998D198A8F9C7A559CA8ECDDB2507D7
PID: 2388
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2R50B7560D-EC0C-4852-9BB4-74134C132562\v64.hash
Type: text
MD5:3ABE3AB08001A827DB9FE42121FC12A8
SHA256:3344FDEF59A9B625FC9FB7ED814A8A871CA7865DAE071D09F0B8F2D09232346F
PID: 1100
Process: OfficeClickToRun.exe
Filename: C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250801-0141.log
Type: text
MD5:B5E3F2CEEAF549166409F27346493E27
SHA256:4E532ADCAEC00823BB317C735DBB59A556005D360F93FD3CF136902B55138B68
PID: 5436
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal
Type: binary
MD5:AFE7D2AACE8BA7E135138062FA12262E
SHA256:3641841F2983E8664C51B57B19B0296D2871A1C9485B3C3870B3A5DB052888CF
PID: 2388
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2R50B7560D-EC0C-4852-9BB4-74134C132562\VersionDescriptor.xml
Type: xml
MD5:6533AA947F36175764DF3D68A30E3816
SHA256:F7B68FFF3D4BD19AAD0AC4CA8F412A406F2A0CD3B2FC6EFD95C844D8D0A06FD8
PID: 2388
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850
Type: der
MD5:144D698C7F3CCD662F9460D8F443A2BB
SHA256:C5714AC85358D727F4EA913F814CCADCD7F6E063D95B54B886CCF6BFC31612C1
PID: 1100
Process: OfficeClickToRun.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\B5966898-BAE6-4866-B86F-85ED7BD1BA45OfficeC2R3BC05C12-D088-4F48-8BC9-8B83248E6596\api-ms-win-core-file-l1-2-0.dll
Type: executable
MD5:19DF2B0F78DC3D8C470E836BAE85E1FF
SHA256:BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1
HTTP(S) requests: 661
TCP/UDP connections: 134
DNS requests: 73
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 |  | GET | 200 | 52.109.89.18:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.19029&crev=3 | unknown | xml | 182 Kb | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown |  |  | whitelisted
3964 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.19029.20136.cab | unknown |  |  | whitelisted
2388 | OfficeSetup.exe | HEAD | 200 | 199.232.210.172:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown |  |  | whitelisted
2388 | OfficeSetup.exe | HEAD | 200 | 199.232.210.172:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.19029.20136.cab | unknown |  |  | whitelisted
2388 | OfficeSetup.exe | HEAD | 200 | 199.232.210.172:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.19029.20136.cab | unknown |  |  | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown |  |  | whitelisted
4024 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown |  |  | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4024 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5436 | OfficeSetup.exe | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4024 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
  • 52.109.32.97
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.3.109.244
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.64
  • 52.110.17.61
  • 52.110.17.18
  • 52.110.17.68
  • 52.110.17.38
  • 52.110.17.32
  • 52.110.17.73
  • 52.110.17.49
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.65
  • 40.126.32.134
  • 20.190.160.2
  • 40.126.32.68
  • 40.126.32.72
whitelisted
f.c2r.ts.cdn.office.net
  • 199.232.210.172
  • 199.232.214.172
whitelisted
mobile.events.data.microsoft.com
  • 20.42.73.26
  • 104.208.16.88
whitelisted

Threats

No threats detected
No debug info