Malware analysis OfficeSetup.exe Malicious activity | ANY.RUN

Add for printing

File name:	OfficeSetup.exe
Full analysis:	https://app.any.run/tasks/db54e48e-eaa1-44a5-a09b-412eb6bf4b73
Verdict:	Malicious activity
Analysis date:	January 10, 2025, 18:47:17
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	62D672AAA0CF5559F583927185410B21
SHA1:	06CDE9C0E19013F796FD4A8A1BDB1422E317D2C7
SHA256:	BB49A25BD7228559E7A54F0E68A97F6A3472B93A11E6A313AEC021E4319506F6
SSDEEP:	98304:sFWtzZcuxiNrBW0+5HT+lx1+tFyG+nDTpEV5Sq65EFqqh6Hf8yljgEkuBVLmlCT6:7Xd7d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Scans artifacts that could help determine the target
  - OfficeSetup.exe (PID: 6332)
  - OfficeSetup.exe (PID: 3620)
  - OfficeC2RClient.exe (PID: 6928)
SUSPICIOUS
- Process drops legitimate windows executable
  - OfficeSetup.exe (PID: 4708)
  - OfficeClickToRun.exe (PID: 6876)
- Reads security settings of Internet Explorer
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeC2RClient.exe (PID: 6928)
- Application launched itself
  - OfficeSetup.exe (PID: 4708)
  - OfficeSetup.exe (PID: 3620)
- Starts a Microsoft application from unusual location
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 4708)
  - OfficeSetup.exe (PID: 6332)
- Checks Windows Trust Settings
  - OfficeSetup.exe (PID: 6332)
  - OfficeSetup.exe (PID: 3620)
- Searches for installed software
  - OfficeSetup.exe (PID: 6332)
- Executable content was dropped or overwritten
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
- The process drops C-runtime libraries
  - OfficeClickToRun.exe (PID: 6876)
INFO
- Process checks whether UAC notifications are on
  - OfficeSetup.exe (PID: 3620)
- Checks supported languages
  - OfficeSetup.exe (PID: 4708)
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeC2RClient.exe (PID: 6928)
- Checks proxy server information
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeC2RClient.exe (PID: 6928)
- The process uses the downloaded file
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
- Reads the computer name
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeC2RClient.exe (PID: 6928)
- Reads the machine GUID from the registry
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
  - OfficeClickToRun.exe (PID: 4968)
- Process checks computer location settings
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeC2RClient.exe (PID: 6928)
- Creates files or folders in the user directory
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeC2RClient.exe (PID: 6928)
- Reads Microsoft Office registry keys
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeC2RClient.exe (PID: 6928)
- Reads the software policy settings
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeClickToRun.exe (PID: 7136)
- Create files in a temporary directory
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 4968)
  - OfficeC2RClient.exe (PID: 6928)
- Reads CPU info
  - OfficeSetup.exe (PID: 3620)
  - OfficeSetup.exe (PID: 6332)
- Reads Environment values
  - OfficeSetup.exe (PID: 6332)
  - OfficeSetup.exe (PID: 3620)
  - OfficeC2RClient.exe (PID: 6928)
- Drops encrypted VBS script (Microsoft Script Encoder)
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 4968)
- Creates files in the program directory
  - OfficeClickToRun.exe (PID: 6876)
  - OfficeClickToRun.exe (PID: 7136)
- The sample compiled with english language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with arabic language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with german language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with czech language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with bulgarian language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with spanish language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with french language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with Indonesian language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with Italian language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with portuguese language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with russian language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with japanese language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with slovak language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with swedish language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with chinese language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with turkish language support
  - OfficeClickToRun.exe (PID: 6876)
- The sample compiled with korean language support
  - OfficeClickToRun.exe (PID: 6876)
- Executes as Windows Service
  - OfficeClickToRun.exe (PID: 7136)
- The sample compiled with polish language support
  - OfficeClickToRun.exe (PID: 6876)
- Manual execution by a user
  - OfficeC2RClient.exe (PID: 6928)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:03 18:18:54+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.4
CodeSize:	4581376
InitializedDataSize:	2924032
UninitializedDataSize:	-
EntryPoint:	0x3e2b04
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	16.0.18324.20168
ProductVersionNumber:	16.0.18324.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Windows, Latin1
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft 365 and Office
FileVersion:	16.0.18324.20168
InternalName:	Bootstrapper.exe
LegalTrademarks1:	Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2:	Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName:	Bootstrapper.exe
ProductName:	Microsoft Office
ProductVersion:	16.0.18324.20168

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3620

OfficeSetup.exe RELAUNCHED

C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft 365 and Office

Version:

16.0.18324.20168

Modules

Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4708

"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"

C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft 365 and Office

Version:

16.0.18324.20168

Modules

Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

4968

OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18324.20168 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.18324.20168

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6332

"C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED

C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft 365 and Office

Version:

16.0.18324.20168

Modules

Images
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6876

OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18324.20168 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

OfficeSetup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Office Click-to-Run (SxS)

Exit code:

Version:

16.0.16026.20140

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6928

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Office Click-to-Run Client

Version:

16.0.18324.20168

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

7112

C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}

C:\Windows\System32\dllhost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

7136

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Office Click-to-Run (SxS)

Version:

16.0.18324.20168

Modules

Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

39 341

Read events

38 854

Write events

275

Delete events

212

Modification events


(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:	write	Name:	SessionId
Value: 3DE9B9FAD75CAC41A591BC7E1E65BAF0
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3
Operation:	write	Name:	Last
Value: 0
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:	write	Name:	FilePath
Value: officeclient.microsoft.com\357ECFFC-2515-41F5-AE6F-27CEFE904741
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:	write	Name:	StartDate
Value: 3005A5189063DB01
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:	write	Name:	EndDate
Value: 30C50E435964DB01
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:	write	Name:	Properties
Value: 1
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.18324&crev=3\0
Operation:	write	Name:	Url
Value: https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18324&crev=3
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2
(PID) Process:	(3620) OfficeSetup.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	fr-fr
Value: 2

Add for printing

Executable files

385

Suspicious files

145

Text files

475

Unknown types

Dropped files

PID	Process	Filename		Type
3620	OfficeSetup.exe	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\357ECFFC-2515-41F5-AE6F-27CEFE904741		xml
		MD5:D4CC4FEC9DEFE044D9BAAB3B83C7A100	SHA256:4AAE5C3A9D0792931BC77EA16047C535648BEFB3480BD1A8500E0DB5B216F535
6332	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850		der
		MD5:BB148187A85E826D9F04F30A242F8647	SHA256:569FD129CDDBCD13CA12E73C48D326043C5E4649C4B6DB82757E10EEE6E27595
6332	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375OfficeC2RD0A69F2B-631E-4EF0-B71F-45621FCCE7AC\VersionDescriptor.xml		xml
		MD5:086CB2044AC6D13D0A44A0DA8DB758FB	SHA256:D01C2F29C53604E3E4B1C9AB7278D65110741A6A4B8639C6E7AD4B4C656AB94C
6332	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375\VersionDescriptor.xml		xml
		MD5:086CB2044AC6D13D0A44A0DA8DB758FB	SHA256:D01C2F29C53604E3E4B1C9AB7278D65110741A6A4B8639C6E7AD4B4C656AB94C
6332	OfficeSetup.exe	C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375\v64.hash		binary
		MD5:6E248C212F22FF0D37DC7A6ACA85D479	SHA256:0059972434351895FB04E488D4FC9A4308C317380A7971DA67495CCA5ADF13F6
3620	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187		binary
		MD5:50DAD0F9DBEF844397191CE03129B849	SHA256:6FBE7DF412D10F0E71189C54C1DE9043EFC0B542476C84DD018A4EC445E6E71E
6876	OfficeClickToRun.exe	C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847.log		binary
		MD5:C1C9267D4ABDA863EDAFF57083D5CB9B	SHA256:F159CCFCA45AB239CDEA06A909D98094BE6D0DD4F936D27175F8660879ED51B1
6876	OfficeClickToRun.exe	C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250110-1847a.log		binary
		MD5:57C8628CA7DBCE2C6A4EB56485437000	SHA256:623523F04E1108DF11A437FB3AF56CE355F7E93B8CC5C27BCECB379A5AFDCC9F
3620	OfficeSetup.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187		der
		MD5:52597E9D833A0C26E46E45B7AB100B18	SHA256:4948B08D75D8B8102065132037FED397534902CA17F972E9F61943404BA6351F
6876	OfficeClickToRun.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\CB534893-0BB5-477A-BDD2-AA885B1D89B0OfficeC2R95652EF6-4CB1-4D0C-B987-6EC99F504D49\api-ms-win-core-file-l1-2-0.dll		executable
		MD5:19DF2B0F78DC3D8C470E836BAE85E1FF	SHA256:BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

103

TCP/UDP connections

111

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6476	svchost.exe	HEAD	200	23.50.131.21:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab	unknown	—	—	whitelisted
6476	svchost.exe	GET	200	23.50.131.21:80	http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab	unknown	—	—	whitelisted
6332	OfficeSetup.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6332	OfficeSetup.exe	GET	200	23.48.23.169:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl	unknown	—	—	whitelisted
6332	OfficeSetup.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	unknown	—	—	whitelisted
3620	OfficeSetup.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7048	svchost.exe	GET	200	23.50.131.21:80	http://officecdn.microsoft.com/pr/64256afe-f5d9-4f86-8936-8840a6a4f5be/Office/Data/16.0.18324.20168/i640.cab.phf	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3928	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	104.126.37.170:443	www.bing.com	Akamai International B.V.	DE	unknown
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
—	—	23.48.23.169:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown
4	System	192.168.100.255:137	—	—	—	unknown
3620	OfficeSetup.exe	52.109.28.46:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	unknown
3620	OfficeSetup.exe	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 52.167.17.97 51.124.78.146	unknown
www.bing.com	104.126.37.170 104.126.37.176 104.126.37.178 104.126.37.171 104.126.37.144 104.126.37.128 104.126.37.130 104.126.37.185 104.126.37.123	unknown
ocsp.digicert.com	192.229.221.95	unknown
google.com	142.250.185.110	unknown
crl.microsoft.com	23.48.23.169 23.48.23.162 23.48.23.176 23.48.23.190 23.48.23.164 23.48.23.180 23.48.23.173 23.48.23.177 23.48.23.183 2.16.164.49 2.16.164.72 2.16.241.12 2.16.241.19	unknown
www.microsoft.com	184.30.21.171 2.23.246.101 95.101.149.131	unknown
officeclient.microsoft.com	52.109.28.46	unknown
ecs.office.com	52.113.194.132	unknown
mrodevicemgr.officeapps.live.com	52.109.89.117	unknown
login.live.com	20.190.159.23 20.190.159.4 40.126.31.71 20.190.159.64 20.190.159.73 20.190.159.71 40.126.31.69 20.190.159.2	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

OfficeSetup.exe

62D672AAA0CF5559F583927185410B21

06CDE9C0E19013F796FD4A8A1BDB1422E317D2C7

BB49A25BD7228559E7A54F0E68A97F6A3472B93A11E6A313AEC021E4319506F6

98304:sFWtzZcuxiNrBW0+5HT+lx1+tFyG+nDTpEV5Sq65EFqqh6Hf8yljgEkuBVLmlCT6:7Xd7d

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Scans artifacts that could help determine the target

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Application launched itself

Starts a Microsoft application from unusual location

Checks Windows Trust Settings

Searches for installed software

Executable content was dropped or overwritten

The process drops C-runtime libraries

INFO

Process checks whether UAC notifications are on

Checks supported languages

Checks proxy server information

The process uses the downloaded file

Reads the computer name

Reads the machine GUID from the registry

Process checks computer location settings

Creates files or folders in the user directory

Reads Microsoft Office registry keys

Reads the software policy settings

Create files in a temporary directory

Reads CPU info

Reads Environment values

Drops encrypted VBS script (Microsoft Script Encoder)

Creates files in the program directory

The sample compiled with english language support

The sample compiled with arabic language support

The sample compiled with german language support

The sample compiled with czech language support

The sample compiled with bulgarian language support

The sample compiled with spanish language support

The sample compiled with french language support

The sample compiled with Indonesian language support

The sample compiled with Italian language support

The sample compiled with portuguese language support

The sample compiled with russian language support

The sample compiled with japanese language support

The sample compiled with slovak language support

The sample compiled with swedish language support

The sample compiled with chinese language support

The sample compiled with turkish language support

The sample compiled with korean language support

Executes as Windows Service

The sample compiled with polish language support

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules