File name: OfficeSetup.exe

Full analysis: https://app.any.run/tasks/db54e48e-eaa1-44a5-a09b-412eb6bf4b73
Verdict: Malicious activity
Analysis date: January 10, 2025, 18:47:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 62D672AAA0CF5559F583927185410B21
SHA1: 06CDE9C0E19013F796FD4A8A1BDB1422E317D2C7
SHA256: BB49A25BD7228559E7A54F0E68A97F6A3472B93A11E6A313AEC021E4319506F6
SSDEEP: 98304:sFWtzZcuxiNrBW0+5HT+lx1+tFyG+nDTpEV5Sq65EFqqh6Hf8yljgEkuBVLmlCT6:7Xd7d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 4708)
      • OfficeClickToRun.exe (PID: 6876)
    • Application launched itself

      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 3620)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeC2RClient.exe (PID: 6928)
    • Checks Windows Trust Settings

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
    • Searches for installed software

      • OfficeSetup.exe (PID: 6332)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6876)
  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 4708)
      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 3620)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
    • Reads the computer name

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
    • The process uses the downloaded file

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeC2RClient.exe (PID: 6928)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeClickToRun.exe (PID: 7136)
    • Reads CPU info

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 3620)
      • OfficeSetup.exe (PID: 6332)
      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
      • OfficeC2RClient.exe (PID: 6928)
    • Reads Environment values

      • OfficeSetup.exe (PID: 6332)
      • OfficeSetup.exe (PID: 3620)
      • OfficeC2RClient.exe (PID: 6928)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 4968)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 6876)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 6876)
      • OfficeClickToRun.exe (PID: 7136)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 6876)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7136)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 6876)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 6876)
    • Manual execution by a user

      • OfficeC2RClient.exe (PID: 6928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

ProductVersion: 16.0.18324.20168
ProductName: Microsoft Office
OriginalFileName: Bootstrapper.exe
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
InternalName: Bootstrapper.exe
FileVersion: 16.0.18324.20168
FileDescription: Microsoft 365 and Office
CompanyName: Microsoft Corporation
CharacterSet: Windows, Latin1
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 16.0.18324.0
FileVersionNumber: 16.0.18324.20168
Subsystem: Windows GUI
SubsystemVersion: 5.2
ImageVersion: -
OSVersion: 5.2
EntryPoint: 0x3e2b04
UninitializedDataSize: -
InitializedDataSize: 2924032
CodeSize: 4581376
LinkerVersion: 14.4
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
TimeStamp: 2025:01:03 18:18:54+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Graph nodes, as listed in the report: start, officesetup.exe (no specs), officesetup.exe, officesetup.exe, officeclicktorun.exe, Delivery Optimization User (no specs), officeclicktorun.exe, officeclicktorun.exe, officec2rclient.exe (no specs)

Process information

PID: 4708
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18324.20168
Modules (Images):
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 3620
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18324.20168
Modules (Images):
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6332
CMD: "C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft 365 and Office
Version: 16.0.18324.20168
Modules (Images):
c:\users\admin\appdata\local\temp\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6876
CMD: OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18324.20168 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Exit code: 0
Version: 16.0.16026.20140
Modules (Images):
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7112
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 7136
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18324.20168
Modules (Images):
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gdi32.dll
PID: 4968
CMD: OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18324.20168 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18324.20168
Modules (Images):
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6928
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Office Click-to-Run Client
Version: 16.0.18324.20168
Modules (Images):
c:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 39 341
Read events: 38 854
Write events: 275
Delete events: 212

Modification events

(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: en-US | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: de-de | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: fr-fr | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: es-es | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: it-it | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: ja-jp | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: ko-kr | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: pt-br | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: ru-ru | Value: 2
(PID 3620) OfficeSetup.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages | Operation: write | Name: tr-tr | Value: 2
Executable files: 385
Suspicious files: 127
Text files: 475
Unknown types: 22

Dropped files

PID | Process | Filename | Type
6332 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\36AC0BE60E1243344AE145F746D881FE | binary
MD5:3A3F1E12450AF7713768EBDF78E791C6
SHA256:35C1906B6AC07316766E8BD81250B34CED02758B090058B1D476E49846CC3263
6332 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375\v64.hash | binary
MD5:6E248C212F22FF0D37DC7A6ACA85D479
SHA256:0059972434351895FB04E488D4FC9A4308C317380A7971DA67495CCA5ADF13F6
6332 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5:7237FD935A7AAD400A3BFDBEBC288148
SHA256:A6BD0BC6268CDAB01A38E67C1A74179BF3EC6868C4F972580C623FDCB146448A
3620 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm | binary
MD5:AA5011D4A5AA8EBD10A2B36C88439590
SHA256:A079DF6A67F8018227FC4F2F9C97273107AB54E549EB9C7C4F7B1E2E932E3289
6332 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RD8F0C96F-5F00-4059-A2E7-922C9924F375OfficeC2RD0A69F2B-631E-4EF0-B71F-45621FCCE7AC\v64.hash | binary
MD5:6E248C212F22FF0D37DC7A6ACA85D479
SHA256:0059972434351895FB04E488D4FC9A4308C317380A7971DA67495CCA5ADF13F6
3620 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | binary
MD5:50DAD0F9DBEF844397191CE03129B849
SHA256:6FBE7DF412D10F0E71189C54C1DE9043EFC0B542476C84DD018A4EC445E6E71E
3620 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\357ECFFC-2515-41F5-AE6F-27CEFE904741 | xml
MD5:D4CC4FEC9DEFE044D9BAAB3B83C7A100
SHA256:4AAE5C3A9D0792931BC77EA16047C535648BEFB3480BD1A8500E0DB5B216F535
6332 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0B8A20E1F3F4D73D52A19929F922C892 | binary
MD5:0181019618070C02397230BD3B08FDF7
SHA256:993660F2BC556AD2329A398A4564D64A9D442053B9801A79DAED354C9FA735E0
3620 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal | binary
MD5:FF152FF29569C6C5D9904890F85D8ECE
SHA256:609A8B502CC8744E8EC581AFB8E4B61544B6312002766F47B399A59F262D1223
3620 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | der
MD5:52597E9D833A0C26E46E45B7AB100B18
SHA256:4948B08D75D8B8102065132037FED397534902CA17F972E9F61943404BA6351F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 103
TCP/UDP connections: 111
DNS requests: 83
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
6476 | svchost.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6476 | svchost.exe | GET | 206 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6476 | svchost.exe | GET | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted
6332 | OfficeSetup.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab | unknown | whitelisted
6332 | OfficeSetup.exe | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6476 | svchost.exe | HEAD | 200 | 23.50.131.21:80 | http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18324.20168.cab | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3928 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 104.126.37.170:443 | www.bing.com | Akamai International B.V. | DE | unknown
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 23.48.23.169:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
3620 | OfficeSetup.exe | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | unknown
3620 | OfficeSetup.exe | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 52.167.17.97, 51.124.78.146 | unknown
www.bing.com | 104.126.37.170, 104.126.37.176, 104.126.37.178, 104.126.37.171, 104.126.37.144, 104.126.37.128, 104.126.37.130, 104.126.37.185, 104.126.37.123 | unknown
ocsp.digicert.com | 192.229.221.95 | unknown
google.com | 142.250.185.110 | unknown
crl.microsoft.com | 23.48.23.169, 23.48.23.162, 23.48.23.176, 23.48.23.190, 23.48.23.164, 23.48.23.180, 23.48.23.173, 23.48.23.177, 23.48.23.183, 2.16.164.49, 2.16.164.72, 2.16.241.12, 2.16.241.19 | unknown
www.microsoft.com | 184.30.21.171, 2.23.246.101, 95.101.149.131 | unknown
officeclient.microsoft.com | 52.109.28.46 | unknown
ecs.office.com | 52.113.194.132 | unknown
mrodevicemgr.officeapps.live.com | 52.109.89.117 | unknown
login.live.com | 20.190.159.23, 20.190.159.4, 40.126.31.71, 20.190.159.64, 20.190.159.73, 20.190.159.71, 40.126.31.69, 20.190.159.2 | unknown

Threats

No threats detected
No debug info