File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/db54e48e-eaa1-44a5-a09b-412eb6bf4b73
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:47:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

62D672AAA0CF5559F583927185410B21

SHA1:

06CDE9C0E19013F796FD4A8A1BDB1422E317D2C7

SHA256:

BB49A25BD7228559E7A54F0E68A97F6A3472B93A11E6A313AEC021E4319506F6

SSDEEP:

98304:sFWtzZcuxiNrBW0+5HT+lx1+tFyG+nDTpEV5Sq65EFqqh6Hf8yljgEkuBVLmlCT6:7Xd7d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 4708)
      • OfficeClickToRun.exe (PID: 6876)

    • Application launched itself

      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 3620)

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 6332)

    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeC2RClient.exe (PID: 6928)

    • Checks Windows Trust Settings

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)

    • Searches for installed software

      • OfficeSetup.exe (PID: 6332)

    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)

    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6876)

  • INFO

    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)

    • Reads the computer name

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeC2RClient.exe (PID: 6928)

    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)

    • Checks supported languages

      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)

    • Checks proxy server information

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)

    • Reads CPU info

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)

    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 3620)

    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)

    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)

    • Reads the software policy settings

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeClickToRun.exe (PID: 7136)

    • Process checks computer location settings

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)

    • The process uses the downloaded file

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)

    • Reads Environment values

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)

    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)

    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 6876)

    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 6876)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7136)

    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 6928)

    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 6876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:03 18:18:54+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4581376
InitializedDataSize: 2924032
UninitializedDataSize: -
EntryPoint: 0x3e2b04
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18324.20168
ProductVersionNumber: 16.0.18324.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18324.20168
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18324.20168
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
8
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start officesetup.exe no specs officesetup.exe officesetup.exe officeclicktorun.exe Delivery Optimization User no specs officeclicktorun.exe officeclicktorun.exe officec2rclient.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3620OfficeSetup.exe RELAUNCHED C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18324.20168
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4708"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" C:\Users\admin\AppData\Local\Temp\OfficeSetup.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18324.20168
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4968OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18324.20168 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=TrueC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18324.20168
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6332"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.18324.20168
Modules
Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6876OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18324.20168 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATEC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6928"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Office Click-to-Run Client
Version:
16.0.18324.20168
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7112C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
7136"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18324.20168
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
Total events
39 341
Read events
38 854
Write events
275
Delete events
212

Modification events

(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:writeName:SessionId
Value:
3DE9B9FAD75CAC41A591BC7E1E65BAF0
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3
Operation:writeName:Last
Value:
0
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:writeName:FilePath
Value:
officeclient.microsoft.com\357ECFFC-2515-41F5-AE6F-27CEFE904741
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:writeName:StartDate
Value:
3005A5189063DB01
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:writeName:EndDate
Value:
30C50E435964DB01
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:writeName:Properties
Value:
1
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:writeName:Url
Value:
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18324&crev=3
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(3620) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
Executable files
385
Suspicious files
145
Text files
475
Unknown types
4

Dropped files

PID
Process
Filename
Type
6332OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FEder
MD5:67A52A39F91421613A4D854BF8E8D791
SHA256:D8B8FE5F54E4AFC75FBEC4BC8453D2FE7CF4E1A5959CD442CB0EE05223CF607E
6332OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375OfficeC2RD0A69F2B-631E-4EF0-B71F-45621FCCE7AC\v64.hashbinary
MD5:6E248C212F22FF0D37DC7A6ACA85D479
SHA256:0059972434351895FB04E488D4FC9A4308C317380A7971DA67495CCA5ADF13F6
6332OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:7237FD935A7AAD400A3BFDBEBC288148
SHA256:A6BD0BC6268CDAB01A38E67C1A74179BF3EC6868C4F972580C623FDCB146448A
6332OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FEbinary
MD5:3A3F1E12450AF7713768EBDF78E791C6
SHA256:35C1906B6AC07316766E8BD81250B34CED02758B090058B1D476E49846CC3263
3620OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shmbinary
MD5:AA5011D4A5AA8EBD10A2B36C88439590
SHA256:A079DF6A67F8018227FC4F2F9C97273107AB54E549EB9C7C4F7B1E2E932E3289
6332OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892der
MD5:4BB71C446533E3B735C069A975FDEC3A
SHA256:D854D6E3CFD975FB2B6E7BEF5B32815F18F2128C1892584383500C14D3B0BAAC
6876OfficeClickToRun.exeC:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847a.logbinary
MD5:57C8628CA7DBCE2C6A4EB56485437000
SHA256:623523F04E1108DF11A437FB3AF56CE355F7E93B8CC5C27BCECB379A5AFDCC9F
6332OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892binary
MD5:0181019618070C02397230BD3B08FDF7
SHA256:993660F2BC556AD2329A398A4564D64A9D442053B9801A79DAED354C9FA735E0
3620OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187binary
MD5:50DAD0F9DBEF844397191CE03129B849
SHA256:6FBE7DF412D10F0E71189C54C1DE9043EFC0B542476C84DD018A4EC445E6E71E
3620OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-walbinary
MD5:FF152FF29569C6C5D9904890F85D8ECE
SHA256:609A8B502CC8744E8EC581AFB8E4B61544B6312002766F47B399A59F262D1223
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
103
TCP/UDP connections
111
DNS requests
83
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
GET
200
23.48.23.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6332
OfficeSetup.exe
HEAD
200
23.50.131.21:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab
unknown
whitelisted
6332
OfficeSetup.exe
HEAD
200
23.50.131.21:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
6476
svchost.exe
HEAD
200
23.50.131.21:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab
unknown
whitelisted
6476
svchost.exe
GET
200
23.50.131.21:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab
unknown
whitelisted
6332
OfficeSetup.exe
GET
200
23.48.23.169:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6332
OfficeSetup.exe
HEAD
200
23.50.131.21:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3928
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.170:443
www.bing.com
Akamai International B.V.
DE
unknown
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
unknown
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
23.48.23.169:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
4
System
192.168.100.255:137
unknown
3620
OfficeSetup.exe
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
3620
OfficeSetup.exe
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 52.167.17.97
  • 51.124.78.146
unknown
www.bing.com
  • 104.126.37.170
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.144
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.185
  • 104.126.37.123
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
google.com
  • 142.250.185.110
unknown
crl.microsoft.com
  • 23.48.23.169
  • 23.48.23.162
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.164
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.183
  • 2.16.164.49
  • 2.16.164.72
  • 2.16.241.12
  • 2.16.241.19
unknown
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
  • 95.101.149.131
unknown
officeclient.microsoft.com
  • 52.109.28.46
unknown
ecs.office.com
  • 52.113.194.132
unknown
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
unknown
login.live.com
  • 20.190.159.23
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.2
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OfficeSetup.exe