File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/7d7d9c37-f1b9-4b76-8c1a-9bff40153e36
Verdict: Malicious activity
Analysis date: February 18, 2025, 10:12:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

3EC4400F966CC0D58AF8665397847407

SHA1:

507DA18F33099DB7A331C3064943905BAE972187

SHA256:

90611B4B8B017867F1AAEEE571B20C68BA3E983AC5E43612E7DC7B767D1789A2

SSDEEP:

98304:BQUNW3yAd6q1oRF8BuSNbnfBvxaYILTPT7U/jrMuKrC6HVlCVpkeTnooPCIvL7hn:0I/U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 6528)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
    • Application launched itself

      • OfficeSetup.exe (PID: 6528)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)
    • Checks Windows Trust Settings

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6464)
  • INFO

    • Reads the computer name

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 6528)
    • Checks supported languages

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
      • OfficeClickToRun.exe (PID: 6884)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
      • OfficeClickToRun.exe (PID: 6884)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
    • Reads CPU info

      • OfficeSetup.exe (PID: 6912)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 6528)
      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 6884)
    • Reads Environment values

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 6912)
      • OfficeClickToRun.exe (PID: 6464)
      • OfficeSetup.exe (PID: 6528)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 6912)
      • OfficeSetup.exe (PID: 6528)
      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 6464)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 6464)
      • OfficeClickToRun.exe (PID: 5544)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 6464)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 5544)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 6464)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 6464)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:08:04 02:46:08+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.32
CodeSize: 4664320
InitializedDataSize: 2920960
UninitializedDataSize: -
EntryPoint: 0x3f8a46
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.16626.20170
ProductVersionNumber: 16.0.16626.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.16626.20170
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.16626.20170
No data.
Total processes
130
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

[Behavior graph: start; officesetup.exe; officesetup.exe; officeclicktorun.exe; Delivery Optimization User (no specs); officeclicktorun.exe; officeclicktorun.exe]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
5544
CMD:
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18429.20158
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID:
6324
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
6464
CMD:
OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365BusinessRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18429.20158 mediatype=CDN sourcetype=CDN O365BusinessRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6528
CMD:
"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
Path:
C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.16626.20170
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
6884
CMD:
OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365BusinessRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18429.20158 mediatype.16=CDN sourcetype.16=CDN O365BusinessRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True
Path:
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18429.20158
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
6912
CMD:
"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001
Path:
C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process:
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.16626.20170
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
23 595
Read events
22 996
Write events
399
Delete events
200

Modification events

(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2
(PID) Process: (6528) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: tr-tr
Value: 2
Executable files
385
Suspicious files
41
Text files
63
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6528
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\54BFE3EF-24C4-4D85-8AE3-8E374D393257
Type: xml
MD5:4F988BC7DBC2FD9F0EAA9D95F0F2062B
SHA256:2D1371AFA7375ED947BB884F962A4F1915DB6638F191A2E9AFD978BFB7BC48DA
PID: 6912
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2R0B2E4B75-5DA9-472F-8CD1-0A11FA8A2831OfficeC2RD6795C8C-72EA-4C14-A7B0-2C3B178DC770\v64.hash
Type: text
MD5:F53ED0603D15D11B005186826E84FB43
SHA256:563F7D4B6FA4526D1158248D7C433651DE568E707E717B871F3EC5E5CB9F9494
PID: 6528
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm
Type: binary
MD5:587190FEB61AA4204140F7E208860834
SHA256:A5710877B2FEDF780FAF1E66208F9A6B4A34A99766CD02FB3263C37DED17ED53
PID: 6912
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2R0B2E4B75-5DA9-472F-8CD1-0A11FA8A2831OfficeC2RD6795C8C-72EA-4C14-A7B0-2C3B178DC770\VersionDescriptor.xml
Type: xml
MD5:F92F0F1F948C2061EA54314295FCC6BC
SHA256:5270D07200608BF294ED8941EF72A362C2D931DE59DD5827B88930987BA5E891
PID: 6528
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal
Type: binary
MD5:BC65CCFDA1AD3CEA01E14B5C9DED66DC
SHA256:DF7351E333E6413B5B9DDF3FF940B42625DED44B10F16AB833A7E1A09C661737
PID: 6912
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2R0B2E4B75-5DA9-472F-8CD1-0A11FA8A2831\VersionDescriptor.xml
Type: xml
MD5:F92F0F1F948C2061EA54314295FCC6BC
SHA256:5270D07200608BF294ED8941EF72A362C2D931DE59DD5827B88930987BA5E891
PID: 6464
Process: OfficeClickToRun.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\F162C108-A12C-43FE-A8B7-FF732A601E17OfficeC2RB15757EA-FF8E-443B-BECA-20003DC66C6B\api-ms-win-core-file-l2-1-0.dll
Type: executable
MD5:ADB3471F89E47CD93B6854D629906809
SHA256:355633A84DB0816AB6A340A086FB41C65854C313BD08D427A17389C42A1E5B69
PID: 6912
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: binary
MD5:CEB61D9D7BEB21CBDDE7796471EBC1DE
SHA256:4236A61617F4961DA988161BE06DA59D13DB9C6949A1436774B3B6621EB84BE0
PID: 6464
Process: OfficeClickToRun.exe
Filename: C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\F162C108-A12C-43FE-A8B7-FF732A601E17OfficeC2RB15757EA-FF8E-443B-BECA-20003DC66C6B\api-ms-win-core-file-l1-2-0.dll
Type: executable
MD5:19DF2B0F78DC3D8C470E836BAE85E1FF
SHA256:BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1
PID: 6912
Process: OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE
Type: binary
MD5:F0FC09EC0F4C99D321504FA8D5B95382
SHA256:B65AAEA5EABA185057DC723D0AA097F5D137C6DB5B69F2A358CEB1062C3FFD7F
HTTP(S) requests
64
TCP/UDP connections
60
DNS requests
41
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6912
OfficeSetup.exe
HEAD
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
6912
OfficeSetup.exe
HEAD
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20158.cab
unknown
whitelisted
6912
OfficeSetup.exe
HEAD
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20158.cab
unknown
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7108
svchost.exe
HEAD
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20158.cab
unknown
whitelisted
7108
svchost.exe
GET
206
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20158.cab
unknown
whitelisted
7108
svchost.exe
HEAD
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20158.cab
unknown
whitelisted
7108
svchost.exe
GET
200
23.48.23.17:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18429.20158.cab
unknown
whitelisted
6912
OfficeSetup.exe
GET
200
23.48.23.141:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
23.212.110.178:443
www.bing.com
Akamai International B.V.
CZ
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3220
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6528
OfficeSetup.exe
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
6528
OfficeSetup.exe
52.123.243.217:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1176
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
www.bing.com
  • 23.212.110.178
  • 23.212.110.202
  • 23.212.110.187
  • 23.212.110.185
  • 23.212.110.177
  • 23.212.110.201
  • 23.212.110.200
  • 23.212.110.184
  • 23.212.110.186
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.243.217
  • 52.123.243.196
  • 52.123.243.84
  • 52.123.243.81
  • 52.123.131.14
  • 52.123.130.14
  • 52.123.129.14
  • 52.123.128.14
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.64
  • 20.190.160.4
  • 40.126.32.76
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.67
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
whitelisted
f.c2r.ts.cdn.office.net
  • 23.48.23.17
  • 23.48.23.22
  • 23.48.23.13
  • 23.48.23.21
  • 23.48.23.31
  • 23.48.23.4
  • 23.48.23.18
  • 23.48.23.20
  • 23.48.23.26
  • 23.48.23.35
  • 23.48.23.37
  • 23.48.23.34
  • 23.48.23.32
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
officecdn.microsoft.com
  • 23.48.23.26
  • 23.48.23.22
  • 23.48.23.31
  • 23.48.23.21
  • 23.48.23.35
  • 23.48.23.37
  • 23.48.23.20
  • 23.48.23.34
  • 23.48.23.32
  • 2.22.242.89
  • 2.22.242.130
  • 2.22.242.136
  • 2.22.242.146
  • 2.22.242.9
  • 2.22.242.227
  • 2.22.242.10
  • 2.22.242.144
  • 2.22.242.145
whitelisted

Threats

No threats detected
No debug info