File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/7d7d9c37-f1b9-4b76-8c1a-9bff40153e36
Verdict: Malicious activity
Analysis date: February 18, 2025, 10:12:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

3EC4400F966CC0D58AF8665397847407

SHA1:

507DA18F33099DB7A331C3064943905BAE972187

SHA256:

90611B4B8B017867F1AAEEE571B20C68BA3E983AC5E43612E7DC7B767D1789A2

SSDEEP:

98304:BQUNW3yAd6q1oRF8BuSNbnfBvxaYILTPT7U/jrMuKrC6HVlCVpkeTnooPCIvL7hn:0I/U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)

    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 6528)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)

    • Application launched itself

      • OfficeSetup.exe (PID: 6528)

    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)

    • Checks Windows Trust Settings

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)

    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)

    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6464)

  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
      • OfficeClickToRun.exe (PID: 6884)

    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)

    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 6528)

    • Process checks computer location settings

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)

    • Reads the computer name

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)

    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
      • OfficeClickToRun.exe (PID: 6884)

    • Checks proxy server information

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)

    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 6884)

    • Reads CPU info

      • OfficeSetup.exe (PID: 6912)

    • Reads Environment values

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)

    • Reads the software policy settings

      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeSetup.exe (PID: 6528)

    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)
      • OfficeClickToRun.exe (PID: 6464)

    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)

    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 6464)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 5544)

    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 6464)

    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 6464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:04 02:46:08+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.32
CodeSize: 4664320
InitializedDataSize: 2920960
UninitializedDataSize: -
EntryPoint: 0x3f8a46
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.16626.20170
ProductVersionNumber: 16.0.16626.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.16626.20170
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.16626.20170
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start officesetup.exe officesetup.exe officeclicktorun.exe Delivery Optimization User no specs officeclicktorun.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
5544"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18429.20158
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
6324C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
6464OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365BusinessRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18429.20158 mediatype=CDN sourcetype=CDN O365BusinessRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True scenario=CLIENTUPDATEC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6528"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.16626.20170
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6884OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365BusinessRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18429.20158 mediatype.16=CDN sourcetype.16=CDN O365BusinessRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=TrueC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18429.20158
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6912"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.16626.20170
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
23 595
Read events
22 996
Write events
399
Delete events
200

Modification events

(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
(PID) Process:(6528) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:tr-tr
Value:
2
Executable files
385
Suspicious files
41
Text files
63
Unknown types
0

Dropped files

PID
Process
Filename
Type
6912OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892binary
MD5:4BB71C446533E3B735C069A975FDEC3A
SHA256:D854D6E3CFD975FB2B6E7BEF5B32815F18F2128C1892584383500C14D3B0BAAC
6528OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\54BFE3EF-24C4-4D85-8AE3-8E374D393257xml
MD5:4F988BC7DBC2FD9F0EAA9D95F0F2062B
SHA256:2D1371AFA7375ED947BB884F962A4F1915DB6638F191A2E9AFD978BFB7BC48DA
6912OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:BB148187A85E826D9F04F30A242F8647
SHA256:569FD129CDDBCD13CA12E73C48D326043C5E4649C4B6DB82757E10EEE6E27595
6912OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:F9F84955685EC9E1C57E8DD55DBE5BEA
SHA256:2064152A172AD3EFA0D3AF7038F95DBC795613E90DFAF818E1F8DCD88202C224
6912OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FEbinary
MD5:36B0182C996DC13725E0A8DE669E848C
SHA256:84BF6684AB6246B9180C30727191203619FF653F885C7D0C57B1FC638178FD1E
6912OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R0B2E4B75-5DA9-472F-8CD1-0A11FA8A2831\VersionDescriptor.xmlxml
MD5:F92F0F1F948C2061EA54314295FCC6BC
SHA256:5270D07200608BF294ED8941EF72A362C2D931DE59DD5827B88930987BA5E891
6912OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2R0B2E4B75-5DA9-472F-8CD1-0A11FA8A2831OfficeC2RD6795C8C-72EA-4C14-A7B0-2C3B178DC770\VersionDescriptor.xmlxml
MD5:F92F0F1F948C2061EA54314295FCC6BC
SHA256:5270D07200608BF294ED8941EF72A362C2D931DE59DD5827B88930987BA5E891
6464OfficeClickToRun.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\F162C108-A12C-43FE-A8B7-FF732A601E17OfficeC2RB15757EA-FF8E-443B-BECA-20003DC66C6B\api-ms-win-core-file-l1-2-0.dllexecutable
MD5:19DF2B0F78DC3D8C470E836BAE85E1FF
SHA256:BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1
6912OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:CEB61D9D7BEB21CBDDE7796471EBC1DE
SHA256:4236A61617F4961DA988161BE06DA59D13DB9C6949A1436774B3B6621EB84BE0
6528OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-walbinary
MD5:BC65CCFDA1AD3CEA01E14B5C9DED66DC
SHA256:DF7351E333E6413B5B9DDF3FF940B42625DED44B10F16AB833A7E1A09C661737
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
64
TCP/UDP connections
60
DNS requests
41
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
4024
svchost.exe
GET
206
95.168.195.201:80
http://95.168.195.201/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.18429.20158/i640.cab?cacheHostOrigin=f.c2r.ts.cdn.office.net
unknown
unknown
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6912
OfficeSetup.exe
HEAD
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
23.212.110.178:443
www.bing.com
Akamai International B.V.
CZ
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3220
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6528
OfficeSetup.exe
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
6528
OfficeSetup.exe
52.123.243.217:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1176
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
www.bing.com
  • 23.212.110.178
  • 23.212.110.202
  • 23.212.110.187
  • 23.212.110.185
  • 23.212.110.177
  • 23.212.110.201
  • 23.212.110.200
  • 23.212.110.184
  • 23.212.110.186
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.243.217
  • 52.123.243.196
  • 52.123.243.84
  • 52.123.243.81
  • 52.123.131.14
  • 52.123.130.14
  • 52.123.129.14
  • 52.123.128.14
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.64
  • 20.190.160.4
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.67
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
f.c2r.ts.cdn.office.net
  • 23.48.23.17
  • 23.48.23.22
  • 23.48.23.13
  • 23.48.23.21
  • 23.48.23.31
  • 23.48.23.4
  • 23.48.23.18
  • 23.48.23.20
  • 23.48.23.26
  • 23.48.23.35
  • 23.48.23.37
  • 23.48.23.34
  • 23.48.23.32
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
officecdn.microsoft.com
  • 23.48.23.26
  • 23.48.23.22
  • 23.48.23.31
  • 23.48.23.21
  • 23.48.23.35
  • 23.48.23.37
  • 23.48.23.20
  • 23.48.23.34
  • 23.48.23.32
  • 2.22.242.89
  • 2.22.242.130
  • 2.22.242.136
  • 2.22.242.146
  • 2.22.242.9
  • 2.22.242.227
  • 2.22.242.10
  • 2.22.242.144
  • 2.22.242.145
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OfficeSetup.exe