File name: OfficeSetup.exe
Full analysis: https://app.any.run/tasks/db54e48e-eaa1-44a5-a09b-412eb6bf4b73
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:47:17
OS: Windows 10 Professional (build: 19045, 64 bit)
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 62D672AAA0CF5559F583927185410B21
SHA1: 06CDE9C0E19013F796FD4A8A1BDB1422E317D2C7
SHA256: BB49A25BD7228559E7A54F0E68A97F6A3472B93A11E6A313AEC021E4319506F6
SSDEEP: 98304:sFWtzZcuxiNrBW0+5HT+lx1+tFyG+nDTpEV5Sq65EFqqh6Hf8yljgEkuBVLmlCT6:7Xd7d
ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore be distorted by user actions and is provided as is, for the reader's information only. ANY.RUN does not guarantee either the maliciousness or the safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeC2RClient.exe (PID: 6928)
    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 4708)
    • Application launched itself

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 4708)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 4708)
      • OfficeClickToRun.exe (PID: 6876)
    • Searches for installed software

      • OfficeSetup.exe (PID: 6332)
    • Checks Windows Trust Settings

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6876)
  • INFO

    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 3620)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Checks supported languages

      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Reads CPU info

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeC2RClient.exe (PID: 6928)
    • The process uses the downloaded file

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
    • Reads the computer name

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
    • Reads Environment values

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 6876)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7136)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 6876)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 6928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:01:03 18:18:54+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4581376
InitializedDataSize: 2924032
UninitializedDataSize: -
EntryPoint: 0x3e2b04
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18324.20168
ProductVersionNumber: 16.0.18324.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18324.20168
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18324.20168
All screenshots are available in the full report
Total processes: 138
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Nodes, in the order the graph lists them ("no specs" is ANY.RUN's label for a node with no indicators of its own):
  • start
  • officesetup.exe (no specs)
  • officesetup.exe
  • officesetup.exe
  • officeclicktorun.exe
  • Delivery Optimization User (no specs)
  • officeclicktorun.exe
  • officeclicktorun.exe
  • officec2rclient.exe (no specs)

Process information

PID: 4708
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18324.20168
Modules (images):
  • c:\users\admin\appdata\local\temp\officesetup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 3620
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18324.20168
Modules (images):
  • c:\users\admin\appdata\local\temp\officesetup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 6332
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft 365 and Office
Version: 16.0.18324.20168
Modules (images):
  • c:\users\admin\appdata\local\temp\officesetup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 6876
CMD: OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18324.20168 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Exit code: 0
Version: 16.0.16026.20140
Modules (images):
  • c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll

PID: 7112
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\dllhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\kernel.appcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\bcryptprimitives.dll

PID: 7136
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18324.20168
Modules (images):
  • c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\gdi32.dll

PID: 4968
CMD: OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18324.20168 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18324.20168
Modules (images):
  • c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll

PID: 6928
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office Click-to-Run Client
Version: 16.0.18324.20168
Modules (images):
  • c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
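The process table above shows the chain that produced three of the report's signatures: explorer.exe starts OfficeSetup.exe from %LOCALAPPDATA%\Temp at MEDIUM integrity (PID 4708), which relaunches itself (PID 3620), which relaunches itself again with the ELEVATED marker at HIGH integrity (PID 6332) and only then spawns OfficeClickToRun.exe from Program Files. Two things a practitioner should keep apart when reading that table: the Company, Description and Version columns come from the PE version resource, which is unsigned metadata that any binary can carry, so they do not by themselves establish that the file is Microsoft's; and the report never shows the Authenticode state of OfficeSetup.exe itself (PID 6332's fetches of MicCodSigPCA and MicRooCerAut CRLs in the HTTP table are consistent with some signature verification, but not of what). The script below is an added example, not ANY.RUN's signature logic or any Microsoft code: it reproduces the "unusual location", "launched itself" and elevation observations as three rules over records transcribed from the table. The user-writable path list, the integrity ranking and the use of table order as launch order are this example's assumptions.

```python
"""Added example (not part of the ANY.RUN report): three process-tree rules
that reproduce the report's "unusual location", "launched itself" and
elevation observations over records transcribed from the process table.
The rule logic and the integrity ranking are this example's assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    path: str       # Path column
    cmdline: str    # CMD column (long Click-to-Run lines shortened here)
    parent: str     # parent image name; the report gives names, not PIDs
    integrity: str  # Integrity Level column
    company: str    # version-resource CompanyName: unsigned, spoofable metadata


TEMP = r"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
C2R = r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
C2R_CLIENT = r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe"
MS = "Microsoft Corporation"

# Transcribed from the Process information table, in table order (taken
# here as launch order, which the table does not state explicitly).
PROCS = [
    Proc(4708, TEMP, f'"{TEMP}"', "explorer.exe", "MEDIUM", MS),
    Proc(3620, TEMP, "OfficeSetup.exe RELAUNCHED", "OfficeSetup.exe", "MEDIUM", MS),
    Proc(6332, TEMP, f'"{TEMP}" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED',
         "OfficeSetup.exe", "HIGH", MS),
    Proc(6876, C2R, "OfficeClickToRun.exe platform=x64 culture=es-es scenario=CLIENTUPDATE",
         "OfficeSetup.exe", "HIGH", MS),
    Proc(7136, C2R, f'"{C2R}" /service', "services.exe", "SYSTEM", MS),
    Proc(4968, C2R, "OfficeClickToRun.exe platform=x64 culture=es-es", "OfficeSetup.exe", "HIGH", MS),
    Proc(6928, C2R_CLIENT, "OfficeC2RClient.exe /progressandlaunch", "explorer.exe", "MEDIUM", MS),
]

# Directories an unprivileged user can write to (assumption; extend per estate).
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Public)\\", re.IGNORECASE)
INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unusual_location(procs):
    """Images whose version resource claims Microsoft but that run from a
    user-writable directory. CompanyName alone proves nothing; confirm with
    the Authenticode signature and a known-good hash before trusting it."""
    return [p.pid for p in procs
            if p.company.startswith("Microsoft") and USER_WRITABLE.search(p.path)]


def self_relaunch(procs):
    """Child whose parent image name equals its own image name."""
    return [p.pid for p in procs if image_name(p.path) == p.parent.lower()]


def elevation(procs):
    """A self-relaunched instance running at higher integrity than an earlier
    instance of the same image: the footprint of a UAC consent prompt. The
    bootstrapper's own ELEVATED marker is deliberately not relied on."""
    lowest = {}   # image name -> lowest integrity rank seen so far
    hits = []
    for p in procs:
        name = image_name(p.path)
        rank = INTEGRITY_RANK[p.integrity]
        if name in lowest and p.parent.lower() == name and rank > lowest[name]:
            hits.append((p.pid, p.integrity))
        lowest[name] = min(lowest.get(name, rank), rank)
    return hits


def triage(procs):
    return {
        "unusual_location": unusual_location(procs),
        "self_relaunch": self_relaunch(procs),
        "elevation": elevation(procs),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCS).items():
        print(f"{rule}: {hits}")
```

On the transcribed records the first rule flags PIDs 4708, 3620 and 6332, the second flags the two relaunched children 3620 and 6332, and the third flags only 6332 (MEDIUM to HIGH under the same image and parent name). The rules fire identically for a genuine Microsoft bootstrapper and for a lookalike that copies its version resource; that is the point of the caveat, and why the signature check has to be done separately.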
Total events: 39 341
Read events: 38 854
Write events: 275
Delete events: 212

Modification events

(PID 3620) OfficeSetup.exe, operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
  • en-US = 2
  • de-de = 2
  • fr-fr = 2
  • es-es = 2
  • it-it = 2
  • ja-jp = 2
  • ko-kr = 2
  • pt-br = 2
  • ru-ru = 2
  • tr-tr = 2
Executable files: 385
Suspicious files: 145
Text files: 475
Unknown types: 4

Dropped files

PID 3620, OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm
Type: binary
MD5: AA5011D4A5AA8EBD10A2B36C88439590
SHA256: A079DF6A67F8018227FC4F2F9C97273107AB54E549EB9C7C4F7B1E2E932E3289

PID 6332, OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850
Type: der
MD5: BB148187A85E826D9F04F30A242F8647
SHA256: 569FD129CDDBCD13CA12E73C48D326043C5E4649C4B6DB82757E10EEE6E27595

PID 6332, OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892
Type: binary
MD5: 0181019618070C02397230BD3B08FDF7
SHA256: 993660F2BC556AD2329A398A4564D64A9D442053B9801A79DAED354C9FA735E0

PID 6332, OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375\VersionDescriptor.xml
Type: xml
MD5: 086CB2044AC6D13D0A44A0DA8DB758FB
SHA256: D01C2F29C53604E3E4B1C9AB7278D65110741A6A4B8639C6E7AD4B4C656AB94C

PID 3620, OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\357ECFFC-2515-41F5-AE6F-27CEFE904741
Type: xml
MD5: D4CC4FEC9DEFE044D9BAAB3B83C7A100
SHA256: 4AAE5C3A9D0792931BC77EA16047C535648BEFB3480BD1A8500E0DB5B216F535

PID 3620, OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Type: binary
MD5: 50DAD0F9DBEF844397191CE03129B849
SHA256: 6FBE7DF412D10F0E71189C54C1DE9043EFC0B542476C84DD018A4EC445E6E71E

PID 6332, OfficeSetup.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE
Type: der
MD5: 67A52A39F91421613A4D854BF8E8D791
SHA256: D8B8FE5F54E4AFC75FBEC4BC8453D2FE7CF4E1A5959CD442CB0EE05223CF607E

PID 6332, OfficeSetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375OfficeC2RD0A69F2B-631E-4EF0-B71F-45621FCCE7AC\VersionDescriptor.xml
Type: xml
MD5: 086CB2044AC6D13D0A44A0DA8DB758FB
SHA256: D01C2F29C53604E3E4B1C9AB7278D65110741A6A4B8639C6E7AD4B4C656AB94C

PID 6876, OfficeClickToRun.exe
Filename: C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847.log
Type: binary
MD5: C1C9267D4ABDA863EDAFF57083D5CB9B
SHA256: F159CCFCA45AB239CDEA06A909D98094BE6D0DD4F936D27175F8660879ED51B1

PID 6876, OfficeClickToRun.exe
Filename: C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847a.log
Type: binary
MD5: 57C8628CA7DBCE2C6A4EB56485437000
SHA256: 623523F04E1108DF11A437FB3AF56CE355F7E93B8CC5C27BCECB379A5AFDCC9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 103
TCP/UDP connections: 111
DNS requests: 83
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(the Type and Size columns are empty for every row and are omitted)
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6476 | svchost.exe | GET | 206 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6476 | svchost.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6332 | OfficeSetup.exe | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | whitelisted
6332 | OfficeSetup.exe | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
6476 | svchost.exe | GET | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6476 | svchost.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
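Read together with the process table, the HTTP rows tell the practitioner where the installer was told to fetch Office from and where it actually fetched it. The OfficeClickToRun.exe command line configures cdnbaseurl and baseurl as http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60, while the observed .cab downloads go to f.c2r.ts.cdn.office.net under the same /pr/<channel GUID> path, over plain HTTP, partly as range requests (status 206) from an svchost.exe instance, which is consistent with the Delivery Optimization node in the behavior graph. Plain HTTP means any integrity guarantee has to come from signature verification of the downloaded content, and this report does not show that step. The script below is an added example, not part of the report and not Microsoft's Click-to-Run code: it parses the key=value command line into settings, checks the configured source host, and classifies the request rows into payload downloads, CRL fetches and OCSP checks, annotating payload rows that use plain HTTP or that leave the configured host or channel path. The allowed-host suffixes, the request classes and the reading of a trailing ".16" on a key as an Office major-version qualifier are this example's assumptions; the strings are transcribed from the report.

```python
"""Added example (not part of the ANY.RUN report): parse the Click-to-Run
command line from the process table into its key=value settings, check the
configured download source, then classify the HTTP requests from the table.
The allowed-host suffixes and the request classes are this example's
assumptions; the sample strings are transcribed from the report."""
import re
from urllib.parse import urlsplit

# CMD column of PID 6876 (values unchanged; the two flt.* tokens are dropped).
C2R_CMDLINE = (
    "OfficeClickToRun.exe platform=x64 culture=es-es "
    "productstoadd=O365ProPlusRetail.16_es-es_x-none "
    "cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 "
    "baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 "
    "version=16.0.18324.20168 mediatype=CDN sourcetype=CDN "
    "O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False "
    "bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 "
    "uninstallcentennial=True scenario=CLIENTUPDATE"
)

# (pid, process, method, status, url) for six rows of the HTTP requests table.
CDN = "http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/"
HTTP_ROWS = [
    (6332, "OfficeSetup.exe", "HEAD", 200, CDN + "v64_16.0.18324.20168.cab"),
    (6332, "OfficeSetup.exe", "HEAD", 200, CDN + "v64_16.0.16026.20146.cab"),
    (1176, "svchost.exe", "GET", 200,
     "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
    (6476, "svchost.exe", "GET", 206, CDN + "v64_16.0.18324.20168.cab"),
    (6332, "OfficeSetup.exe", "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl"),
    (6332, "OfficeSetup.exe", "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl"),
]

# Assumption: hosts under these suffixes are acceptable Office download sources.
ALLOWED_SUFFIXES = (".microsoft.com", ".office.net")


def parse_c2r_args(cmdline: str) -> dict:
    """key=value tokens after the image name. A trailing '.16' on a key (as on
    PID 4968's command line) is folded into the bare key; assumption: it is
    the Office major-version qualifier."""
    args = {}
    for tok in cmdline.split()[1:]:
        if "=" not in tok:
            continue
        key, value = tok.split("=", 1)
        args[re.sub(r"\.16$", "", key.lower())] = value
    return args


def host_allowed(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in ALLOWED_SUFFIXES)


def check_source(args: dict):
    """(setting, url, allowed) for every download-source setting present."""
    return [(k, v, host_allowed(v)) for k, v in args.items() if k in ("cdnbaseurl", "baseurl")]


def classify(url: str) -> str:
    u = urlsplit(url)
    path = u.path.lower()
    if path.endswith(".crl"):
        return "crl"
    if (u.hostname or "").startswith("ocsp."):
        return "ocsp"
    if path.endswith(".cab"):
        return "payload"
    return "other"


def triage_http(rows, baseurl: str):
    """Tag each request; payload downloads are compared with the configured
    baseurl. Plain HTTP means integrity must come from signature checks on
    the downloaded content, which the report does not show."""
    base = urlsplit(baseurl)
    out = []
    for pid, proc, method, status, url in rows:
        kind = classify(url)
        u = urlsplit(url)
        notes = []
        if kind == "payload":
            if u.scheme != "https":
                notes.append("plain-http payload")
            if not u.path.startswith(base.path):
                notes.append("path outside configured channel")
            if u.hostname != base.hostname:
                notes.append(f"host differs from baseurl ({u.hostname})")
        out.append((pid, proc, method, status, kind, notes))
    return out


def summarize(findings) -> dict:
    counts = {}
    for _, _, _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    args = parse_c2r_args(C2R_CMDLINE)
    print(check_source(args))
    findings = triage_http(HTTP_ROWS, args["baseurl"])
    print(summarize(findings))
    for f in findings:
        print(f)
```

On the transcribed rows the summary is three payload requests, two CRL fetches and one OCSP check; every payload row carries the "plain-http payload" note and the host-differs note for f.c2r.ts.cdn.office.net, while the channel path matches the configured baseurl. Whether the host change is acceptable is a policy question for the allowlist; the path check is what distinguishes a CDN front for the same channel from a redirect to a different source.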

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3928 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 104.126.37.170:443 | www.bing.com | Akamai International B.V. | DE | unknown
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 23.48.23.169:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
3620 | OfficeSetup.exe | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
3620 | OfficeSetup.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 52.167.17.97
  • 51.124.78.146
unknown
www.bing.com
  • 104.126.37.170
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.171
  • 104.126.37.144
  • 104.126.37.128
  • 104.126.37.130
  • 104.126.37.185
  • 104.126.37.123
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
google.com
  • 142.250.185.110
unknown
crl.microsoft.com
  • 23.48.23.169
  • 23.48.23.162
  • 23.48.23.176
  • 23.48.23.190
  • 23.48.23.164
  • 23.48.23.180
  • 23.48.23.173
  • 23.48.23.177
  • 23.48.23.183
  • 2.16.164.49
  • 2.16.164.72
  • 2.16.241.12
  • 2.16.241.19
unknown
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
  • 95.101.149.131
unknown
officeclient.microsoft.com
  • 52.109.28.46
unknown
ecs.office.com
  • 52.113.194.132
unknown
mrodevicemgr.officeapps.live.com
  • 52.109.89.117
unknown
login.live.com
  • 20.190.159.23
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.64
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.2
unknown

Threats

No threats detected
No debug info