File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/3438733a-98e4-403e-8dc1-af9e1023655e
Verdict: Malicious activity
Analysis date: June 21, 2025, 20:22:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

191A4E55E313520C28E0961D72DFBB9A

SHA1:

451D9EE28C24AFFB6DF03CD4C06BFF4AD8A764E9

SHA256:

D2D9C5F6D5554EC34AAD0302BB9D3AC1DA6A1781C6CCFFAA96D0A54533F83ADC

SSDEEP:

98304:2bW17Ityal6XBdctwHrIcdO73YKwEoIhXZ1AGRnKwg98iL29suGR/R3XYqz1xyrf:0w52SMr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6840)
      • OfficeSetup.exe (PID: 1324)

    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 7076)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 516)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)

    • Application launched itself

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)

    • Searches for installed software

      • OfficeSetup.exe (PID: 6840)

    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 7076)

  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads the computer name

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Process checks computer location settings

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 1324)

    • Checks proxy server information

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
      • slui.exe (PID: 6900)

    • Reads the software policy settings

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)
      • OfficeClickToRun.exe (PID: 3540)
      • slui.exe (PID: 6900)

    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 6840)
      • OfficeSetup.exe (PID: 1324)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)

    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads CPU info

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Reads Environment values

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 7076)

    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)

    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 7076)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 3540)

    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 7076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:14 01:21:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4643840
InitializedDataSize: 2992128
UninitializedDataSize: -
EntryPoint: 0x3f8501
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18827.20164
ProductVersionNumber: 16.0.18827.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18827.20164
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18827.20164
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start officesetup.exe no specs officesetup.exe officesetup.exe #GENERIC officeclicktorun.exe Delivery Optimization User no specs slui.exe officeclicktorun.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\Desktop\OfficeSetup.exe" C:\Users\admin\Desktop\OfficeSetup.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18827.20164
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1200OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365AppsBasicRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18827.20164 mediatype.16=CDN sourcetype.16=CDN O365AppsBasicRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=TrueC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18827.20164
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1324OfficeSetup.exe RELAUNCHED C:\Users\admin\Desktop\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18827.20164
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
3540"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18827.20164
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
5432C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
6840"C:\Users\admin\Desktop\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED C:\Users\admin\Desktop\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.18827.20164
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
6900C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7076OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365AppsBasicRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18827.20164 mediatype=CDN sourcetype=CDN O365AppsBasicRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATEC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
40 175
Read events
39 731
Write events
234
Delete events
210

Modification events

(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:tr-tr
Value:
2
Executable files
409
Suspicious files
62
Text files
443
Unknown types
1

Dropped files

PID
Process
Filename
Type
6840OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4DB25DB0-F4C6-43A3-A8DB-ECD08E208923xml
MD5:6CC21D36917701737F526AF5D46EDDAC
SHA256:5EABBF62CC98980AA77B2658BC893A3A4089319B538AEA9238F490A493B796D0
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:144D698C7F3CCD662F9460D8F443A2BB
SHA256:C5714AC85358D727F4EA913F814CCADCD7F6E063D95B54B886CCF6BFC31612C1
1324OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\64AFC463-07A4-44CF-84FE-A5708D0150F5xml
MD5:085A97EA0A3E67D300D85A39F1B69CDD
SHA256:DA83E33309FCE731EBFFD4346FFD813B5D641E7334B7992D07B8F4E555AF72EC
1324OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-walbinary
MD5:4A61DA04779740F69A0543B27DAE75C5
SHA256:2C9A208C7148682B0B57310E86B56D9E089E4F737DA84A2A5DCF6FC8C3DFA51A
1324OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shmbinary
MD5:CEB253E9A8F84255CC98A1A132733DA7
SHA256:3BA0E0091FBF431163295B090577BAD86EF3945E94F13A6ECEF4A4B600166439
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59C76228DF8A2918214D353D01EDF08binary
MD5:E468B4C4A219F9B49766E6090E9D667F
SHA256:79328A32320DB64F79448E33EC16692E080C18ACD4765D638837A5E676E50478
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:63C4D5B99237372167811ACEBD4D202E
SHA256:B420E53683C479EF7FEBDBB102EAB3D1237AE201C4CA9738BD4024B0D85B7966
7076OfficeClickToRun.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\CF712288-0FE1-4986-89EC-B3D25F1CC9F2OfficeC2RB6BB7FF8-B4FA-4CD3-BD5B-503942E497A2\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:6B4F2CA3EFCEB2C21E93F92CDC150A9D
SHA256:B39A515B9E48FC6589703D45E14DCEA2273A02D7FA6F2E1D17985C0228D32564
6840OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668\v64.hashtext
MD5:2962553FDCE581F71BABF6866EDE8746
SHA256:9D989A927F0104182395C8EFDCDB2CD9F200EE2CCFDB2B10B9497BE31FF05A5E
6840OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668OfficeC2R7312C6DB-D57F-4192-BA40-1F738375AA3A\VersionDescriptor.xmlxml
MD5:060987475E26CCD95F9235782B74F796
SHA256:D088A667C0033F4AF2FC878215902670427E394FC40FD015D1A523C12A6A8247
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
769
TCP/UDP connections
122
DNS requests
57
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
52.109.32.97:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18827&crev=3
GB
xml
181 Kb
whitelisted
GET
200
52.109.32.97:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18827&crev=3
GB
xml
181 Kb
whitelisted
1268
svchost.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
4868
RUXIMICS.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
GET
200
52.123.128.14:443
https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18827.20164/Production/CC?&EcsCanary=1&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.18827.20164&MsoVersion=16.0.18827.20164&SDX=fa000000002.2.0.1907.31003&SDXfa000000002=2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDXfa000000005=1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDXfa000000006=1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDXfa000000008=1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDXfa000000009=1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDXfa000000016=1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDXfa000000029=1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDXfa000000033=1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&SDXwa104381125=1.0.1810.9001&ProcessName=C2R.exe&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b831BBC01-193B-49DB-A94E-2434CB4BA48D%7d&LabMachine=false
US
binary
109 Kb
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
4868
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
GET
200
13.107.6.156:443
https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData/492350f6-3a01-4f97-b9c0-c7c6ddf67d60?prids=O365AppsBasicRetail.16_en-us_x-none%7CProfessional2019Retail.16_x-none_tr-tr_ru-ru_pt-br_ko-kr_ja-jp_it-it_fr-fr_es-es_en-us_de-de%7COneNoteFreeRetail.16_x-none_en-us&osver=Client%7C10.0.19045&bit=x64&tid=&omid=542208504793ed4c82c2fd12aee08be2&susid=bedd7c3c-050f-487e-9e2a-ee5c70087701&offver=16.0.16026.20146&ring=Production&aud=Production&ch=CC&unman=0&osarch=x64&manstate=5
US
binary
294 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4868
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1324
OfficeSetup.exe
52.109.76.240:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6840
OfficeSetup.exe
52.109.76.240:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4868
RUXIMICS.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
  • 52.109.28.46
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.24
  • 184.24.77.38
  • 184.24.77.29
  • 184.24.77.31
  • 184.24.77.41
  • 184.24.77.7
  • 184.24.77.30
  • 184.24.77.10
  • 184.24.77.35
  • 184.24.77.19
  • 184.24.77.23
  • 184.24.77.34
  • 184.24.77.27
  • 184.24.77.22
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
  • 184.30.21.171
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.53
  • 52.110.17.47
  • 52.110.17.32
  • 52.110.17.43
  • 52.110.17.59
  • 52.110.17.67
  • 52.110.17.25
  • 52.110.17.46
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.71
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
f.c2r.ts.cdn.office.net
  • 199.232.210.172
  • 199.232.214.172
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OfficeSetup.exe