File name: | OfficeSetup.exe |
Full analysis: | https://app.any.run/tasks/db54e48e-eaa1-44a5-a09b-412eb6bf4b73 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 18:47:17 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
MD5: | 62D672AAA0CF5559F583927185410B21 |
SHA1: | 06CDE9C0E19013F796FD4A8A1BDB1422E317D2C7 |
SHA256: | BB49A25BD7228559E7A54F0E68A97F6A3472B93A11E6A313AEC021E4319506F6 |
SSDEEP: | 98304:sFWtzZcuxiNrBW0+5HT+lx1+tFyG+nDTpEV5Sq65EFqqh6Hf8yljgEkuBVLmlCT6:7Xd7d |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2025:01:03 18:18:54+00:00 |
ImageFileCharacteristics: | Executable, 32-bit, Removable run from swap, Net run from swap |
PEType: | PE32 |
LinkerVersion: | 14.4 |
CodeSize: | 4581376 |
InitializedDataSize: | 2924032 |
UninitializedDataSize: | - |
EntryPoint: | 0x3e2b04 |
OSVersion: | 5.2 |
ImageVersion: | - |
SubsystemVersion: | 5.2 |
Subsystem: | Windows GUI |
FileVersionNumber: | 16.0.18324.20168 |
ProductVersionNumber: | 16.0.18324.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Windows NT 32-bit |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Windows, Latin1 |
CompanyName: | Microsoft Corporation |
FileDescription: | Microsoft 365 and Office |
FileVersion: | 16.0.18324.20168 |
InternalName: | Bootstrapper.exe |
LegalTrademarks1: | Microsoft® is a registered trademark of Microsoft Corporation. |
LegalTrademarks2: | Windows® is a registered trademark of Microsoft Corporation. |
OriginalFileName: | Bootstrapper.exe |
ProductName: | Microsoft Office |
ProductVersion: | 16.0.18324.20168 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4708 | "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" | C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft 365 and Office Version: 16.0.18324.20168 Modules
| |||||||||||||||
3620 | OfficeSetup.exe RELAUNCHED | C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe | OfficeSetup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft 365 and Office Version: 16.0.18324.20168 Modules
| |||||||||||||||
6332 | "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED | C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe | OfficeSetup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft 365 and Office Version: 16.0.18324.20168 Modules
| |||||||||||||||
6876 | OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18324.20168 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | OfficeSetup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Click-to-Run (SxS) Exit code: 0 Version: 16.0.16026.20140 Modules
| |||||||||||||||
7112 | C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
7136 | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Office Click-to-Run (SxS) Version: 16.0.18324.20168 Modules
| |||||||||||||||
4968 | OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18324.20168 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | OfficeSetup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Click-to-Run (SxS) Version: 16.0.18324.20168 Modules
| |||||||||||||||
6928 | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL" | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Click-to-Run Client Version: 16.0.18324.20168 Modules
|
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | en-US |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | de-de |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | fr-fr |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | es-es |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | it-it |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | ja-jp |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | ko-kr |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | pt-br |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | ru-ru |
Value: 2 | |||
(PID) Process: | (3620) OfficeSetup.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
Operation: | write | Name: | tr-tr |
Value: 2 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3620 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm | binary | |
MD5:AA5011D4A5AA8EBD10A2B36C88439590 | SHA256:A079DF6A67F8018227FC4F2F9C97273107AB54E549EB9C7C4F7B1E2E932E3289 | |||
6332 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850 | der | |
MD5:BB148187A85E826D9F04F30A242F8647 | SHA256:569FD129CDDBCD13CA12E73C48D326043C5E4649C4B6DB82757E10EEE6E27595 | |||
6332 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892 | binary | |
MD5:0181019618070C02397230BD3B08FDF7 | SHA256:993660F2BC556AD2329A398A4564D64A9D442053B9801A79DAED354C9FA735E0 | |||
6332 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375\VersionDescriptor.xml | xml | |
MD5:086CB2044AC6D13D0A44A0DA8DB758FB | SHA256:D01C2F29C53604E3E4B1C9AB7278D65110741A6A4B8639C6E7AD4B4C656AB94C | |||
3620 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\357ECFFC-2515-41F5-AE6F-27CEFE904741 | xml | |
MD5:D4CC4FEC9DEFE044D9BAAB3B83C7A100 | SHA256:4AAE5C3A9D0792931BC77EA16047C535648BEFB3480BD1A8500E0DB5B216F535 | |||
3620 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | binary | |
MD5:50DAD0F9DBEF844397191CE03129B849 | SHA256:6FBE7DF412D10F0E71189C54C1DE9043EFC0B542476C84DD018A4EC445E6E71E | |||
6332 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE | der | |
MD5:67A52A39F91421613A4D854BF8E8D791 | SHA256:D8B8FE5F54E4AFC75FBEC4BC8453D2FE7CF4E1A5959CD442CB0EE05223CF607E | |||
6332 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375OfficeC2RD0A69F2B-631E-4EF0-B71F-45621FCCE7AC\VersionDescriptor.xml | xml | |
MD5:086CB2044AC6D13D0A44A0DA8DB758FB | SHA256:D01C2F29C53604E3E4B1C9AB7278D65110741A6A4B8639C6E7AD4B4C656AB94C | |||
6876 | OfficeClickToRun.exe | C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847.log | binary | |
MD5:C1C9267D4ABDA863EDAFF57083D5CB9B | SHA256:F159CCFCA45AB239CDEA06A909D98094BE6D0DD4F936D27175F8660879ED51B1 | |||
6876 | OfficeClickToRun.exe | C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847a.log | binary | |
MD5:57C8628CA7DBCE2C6A4EB56485437000 | SHA256:623523F04E1108DF11A437FB3AF56CE355F7E93B8CC5C27BCECB379A5AFDCC9F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | — | — | whitelisted |
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6476 | svchost.exe | GET | 206 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | — | — | whitelisted |
6476 | svchost.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | — | — | whitelisted |
6332 | OfficeSetup.exe | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl | unknown | — | — | whitelisted |
6332 | OfficeSetup.exe | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
6476 | svchost.exe | GET | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6476 | svchost.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3928 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5064 | SearchApp.exe | 104.126.37.170:443 | www.bing.com | Akamai International B.V. | DE | unknown |
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
— | — | 23.48.23.169:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
3620 | OfficeSetup.exe | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown |
3620 | OfficeSetup.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| unknown |
www.bing.com |
| unknown |
ocsp.digicert.com |
| unknown |
google.com |
| unknown |
crl.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |
officeclient.microsoft.com |
| unknown |
ecs.office.com |
| unknown |
mrodevicemgr.officeapps.live.com |
| unknown |
login.live.com |
| unknown |