File name: OfficeSetup.exe

Full analysis: https://app.any.run/tasks/a673e691-2013-4ecc-a948-7d1b60cfeecd
Verdict: Malicious activity
Analysis date: August 15, 2025, 22:08:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 932187E118370335FDF0C280F303ED11
SHA1: EF6FE58A4393E694C86846CBEE7DC7CE9ADB6EC8
SHA256: BC2E30E11027F51A045895A5BCE9C5A6F96688D4F225C63057E400E5752A482A
SSDEEP: 98304:uR+p+8FO75J2DGRiiXfB5FjodQBak0FXQHwIIrr4qd8Smtjs/tEYXFI1GaJ4XA+d:BsAJhrt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
  • SUSPICIOUS

    • Process drops a legitimate Windows executable

      • OfficeSetup.exe (PID: 7020)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 7020)
      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
    • Application launched itself

      • OfficeSetup.exe (PID: 7020)
      • OfficeSetup.exe (PID: 5968)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
    • Searches for installed software

      • OfficeSetup.exe (PID: 3872)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 6948)
  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 7020)
      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 6940)
      • OfficeClickToRun.exe (PID: 2192)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
      • OfficeClickToRun.exe (PID: 6940)
    • Reads the computer name

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
      • OfficeClickToRun.exe (PID: 6940)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 5968)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
      • OfficeClickToRun.exe (PID: 6948)
      • slui.exe (PID: 3000)
      • OfficeClickToRun.exe (PID: 2192)
      • OfficeClickToRun.exe (PID: 6940)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 3872)
      • OfficeSetup.exe (PID: 5968)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
      • OfficeClickToRun.exe (PID: 6940)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
      • OfficeClickToRun.exe (PID: 6940)
      • slui.exe (PID: 3000)
    • Reads environment values

      • OfficeSetup.exe (PID: 3872)
      • OfficeSetup.exe (PID: 5968)
    • Reads CPU info

      • OfficeSetup.exe (PID: 3872)
      • OfficeSetup.exe (PID: 5968)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 3872)
      • OfficeSetup.exe (PID: 5968)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 6940)
    • Creates files in a temporary directory

      • OfficeSetup.exe (PID: 5968)
      • OfficeSetup.exe (PID: 3872)
      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 6940)
    • The sample was compiled with English language support

      • OfficeClickToRun.exe (PID: 6948)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 6948)
      • OfficeClickToRun.exe (PID: 2192)
    • The sample was compiled with Czech language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Arabic language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with French language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Bulgarian language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Italian language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Spanish language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with German language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Portuguese language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Japanese language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Korean language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Swedish language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Polish language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Russian language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Slovak language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Chinese language support

      • OfficeClickToRun.exe (PID: 6948)
    • The sample was compiled with Turkish language support

      • OfficeClickToRun.exe (PID: 6948)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:08:08 07:04:26+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.42
CodeSize: 4729344
InitializedDataSize: 2714112
UninitializedDataSize: -
EntryPoint: 0x40d114
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.19029.20184
ProductVersionNumber: 16.0.19029.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.19029.20184
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.19029.20184
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: start → officesetup.exe (no specs) → officesetup.exe → officesetup.exe → officeclicktorun.exe; also Delivery Optimization User (no specs), slui.exe, officeclicktorun.exe, officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2192
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.19029.20184
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
PID: 3000
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3872
CMD: "C:\Users\admin\Desktop\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.19029.20184
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 5500
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 5968
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.19029.20184
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6940
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.19029.20184 mediatype.16=CDN sourcetype.16=CDN ProPlusRetail.excludedapps.16=groove updatesenabled.16=False autoactivate=1 bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.19029.20184
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6948
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProPlusRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.19029.20184 mediatype=CDN sourcetype=CDN ProPlusRetail.excludedapps=groove updatesenabled=False autoactivate=1 bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7020
CMD: "C:\Users\admin\Desktop\OfficeSetup.exe"
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.19029.20184
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events: 43 952
Read events: 43 500
Write events: 242
Delete events: 210

Modification events

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.19029&crev=3
Operation: write
Name: Last
Value: 0

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.19029&crev=3\0
Operation: write
Name: FilePath
Value: officeclient.microsoft.com\77E72758-9DBE-4434-9F0A-1A1A8D4A57D2

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.19029&crev=3\0
Operation: write
Name: StartDate
Value: 1022FD1C310EDC01

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.19029&crev=3\0
Operation: write
Name: EndDate
Value: 10E26647FA0EDC01

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.19029&crev=3\0
Operation: write
Name: Properties
Value: 1

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--syslcid=1033&build=16.0.19029&crev=3\0
Operation: write
Name: Url
Value: https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.19029&crev=3

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache
Operation: write
Name: LastClean
Value: 1093FF1C310EDC01

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officesetup.exe\ULSMonitor
Operation: delete key
Name: (default)
Value: -

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officesetup.exe
Operation: delete key
Name: (default)
Value: -

Process: (5968) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officesetup.exe\ULSMonitor
Operation: write
Name: ULSTagIds0
Value: 41816131,577889346,5804129,17102418,39389248,7202269,41484365,24262478,595174594,3700754,593359442,17110988,17962391,17962392,17110992,20502174,3702920,3462423,3965062,24262474,4297094,7153421,24262473,18716193,7153487,7153435,7202265,24262477,6308191,18407617,51475283,9179410,3462365,6104718,9179409,9179411,41185282,39125643,539756558,539756557,528570079
Executable files: 409
Suspicious files: 61
Text files: 454
Unknown types: 26

Dropped files

PID | Process | Filename | Type
3872 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\25197796-55E8-48DD-A754-941E85ABB29A | xml
6948 | OfficeClickToRun.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\BE912149-8B62-44A0-97A6-6033F52FBC2COfficeC2R04609DDA-EEEB-41EB-9B30-E08552024BB1\api-ms-win-core-file-l1-2-0.dll | executable
5968 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\77E72758-9DBE-4434-9F0A-1A1A8D4A57D2 | xml
6948 | OfficeClickToRun.exe | C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250815-2208.log | text
6948 | OfficeClickToRun.exe | C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250815-2208a.log | text
3872 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RAC203F3E-8753-4329-B5BB-EA68617A3871\VersionDescriptor.xml | xml
3872 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
5968 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-wal | binary
5968 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm | binary
3872 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59C76228DF8A2918214D353D01EDF08 | der
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 825
TCP/UDP connections: 127
DNS requests: 61
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 52.109.89.18:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.19029&crev=3 | unknown | xml | 182 Kb | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4844 | RUXIMICS.exe | GET | 200 | 23.216.77.29:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 52.109.89.18:443 | https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.19029&crev=3 | unknown | xml | 182 Kb | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4844 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 52.123.129.14:443 | https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.19029.20184/Production/CC?&EcsCanary=1&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.19029.20184&MsoVersion=16.0.19029.20184&SDX=fa000000002.2.0.1907.31003&SDXfa000000002=2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDXfa000000005=1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDXfa000000006=1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDXfa000000008=1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDXfa000000009=1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDXfa000000016=1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDXfa000000029=1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDXfa000000033=1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&SDXwa104381125=1.0.1810.9001&ProcessName=C2R.exe&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b389CCE62-78A7-4955-A842-EFE2775D179E%7d&LabMachine=false | unknown | binary | 113 Kb | whitelisted
- | - | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4844 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.29:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.29:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5968 | OfficeSetup.exe | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted
4844 | RUXIMICS.exe | 23.216.77.29:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
  • 52.109.89.18
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.35.229.160
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
login.live.com
whitelisted
mrodevicemgr.officeapps.live.com
whitelisted
f.c2r.ts.cdn.office.net
  • 199.232.214.172
  • 199.232.210.172
  • 23.213.161.18
  • 23.213.161.24
whitelisted
mobile.events.data.microsoft.com
  • 20.189.173.1
  • 20.189.173.7
whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info