File name: OfficeSetup.exe

Full analysis: https://app.any.run/tasks/3438733a-98e4-403e-8dc1-af9e1023655e
Verdict: Malicious activity
Analysis date: June 21, 2025, 20:22:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 191A4E55E313520C28E0961D72DFBB9A
SHA1: 451D9EE28C24AFFB6DF03CD4C06BFF4AD8A764E9
SHA256: D2D9C5F6D5554EC34AAD0302BB9D3AC1DA6A1781C6CCFFAA96D0A54533F83ADC
SSDEEP: 98304:2bW17Ityal6XBdctwHrIcdO73YKwEoIhXZ1AGRnKwg98iL29suGR/R3XYqz1xyrf:0w52SMr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 7076)
  • SUSPICIOUS

    • Application launched itself

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 516)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
    • Searches for installed software

      • OfficeSetup.exe (PID: 6840)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 7076)
  • INFO

    • Checks supported languages

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
    • Reads the software policy settings

      • OfficeSetup.exe (PID: 1324)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 1200)
      • OfficeClickToRun.exe (PID: 3540)
      • slui.exe (PID: 6900)
    • Checks proxy server information

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
      • slui.exe (PID: 6900)
    • Process checks computer location settings

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
    • Reads the computer name

      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeSetup.exe (PID: 1324)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
    • Creates files in a temporary directory

      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeSetup.exe (PID: 1324)
      • OfficeClickToRun.exe (PID: 1200)
    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 6840)
      • OfficeSetup.exe (PID: 1324)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)
    • Reads Environment values

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
    • Reads CPU info

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 1324)
    • The sample compiled with Arabic language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with English language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Spanish language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Czech language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Bulgarian language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with German language support

      • OfficeClickToRun.exe (PID: 7076)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
    • The sample compiled with Japanese language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Korean language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Russian language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with French language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Portuguese language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Chinese language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Slovak language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Turkish language support

      • OfficeClickToRun.exe (PID: 7076)
    • The sample compiled with Swedish language support

      • OfficeClickToRun.exe (PID: 7076)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 3540)
    • The sample compiled with Polish language support

      • OfficeClickToRun.exe (PID: 7076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:14 01:21:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4643840
InitializedDataSize: 2992128
UninitializedDataSize: -
EntryPoint: 0x3f8501
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18827.20164
ProductVersionNumber: 16.0.18827.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18827.20164
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18827.20164
No data.
All screenshots are available in the full report
Total processes: 144
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (labels as rendered in the report):
  • officesetup.exe (no specs)
  • officesetup.exe
  • officesetup.exe
  • officeclicktorun.exe (#GENERIC)
  • Delivery Optimization User (no specs)
  • slui.exe
  • officeclicktorun.exe
  • officeclicktorun.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 516
CMD: "C:\Users\admin\Desktop\OfficeSetup.exe"
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18827.20164
Modules (images):
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 1200
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365AppsBasicRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18827.20164 mediatype.16=CDN sourcetype.16=CDN O365AppsBasicRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18827.20164
Modules (images):
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1324
CMD: OfficeSetup.exe RELAUNCHED
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft 365 and Office
Version: 16.0.18827.20164
Modules (images):
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 3540
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Office Click-to-Run (SxS)
Version: 16.0.18827.20164
Modules (images):
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
PID: 5432
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 6840
CMD: "C:\Users\admin\Desktop\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\Desktop\OfficeSetup.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft 365 and Office
Version: 16.0.18827.20164
Modules (images):
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6900
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7076
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365AppsBasicRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18827.20164 mediatype=CDN sourcetype=CDN O365AppsBasicRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: OfficeSetup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Click-to-Run (SxS)
Exit code: 0
Version: 16.0.16026.20140
Modules (images):
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 40 175
Read events: 39 731
Write events: 234
Delete events: 210

Modification events

Process: (1324) OfficeSetup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write

Name | Value
en-US | 2
de-de | 2
fr-fr | 2
es-es | 2
it-it | 2
ja-jp | 2
ko-kr | 2
pt-br | 2
ru-ru | 2
tr-tr | 2
Executable files: 409
Suspicious files: 62
Text files: 443
Unknown types: 1

Dropped files

PID | Process | Filename | Type

1324 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\64AFC463-07A4-44CF-84FE-A5708D0150F5 | xml
MD5: 085A97EA0A3E67D300D85A39F1B69CDD
SHA256: DA83E33309FCE731EBFFD4346FFD813B5D641E7334B7992D07B8F4E555AF72EC

1324 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-shm | binary
MD5: CEB253E9A8F84255CC98A1A132733DA7
SHA256: 3BA0E0091FBF431163295B090577BAD86EF3945E94F13A6ECEF4A4B600166439

6840 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850 | binary
MD5: 63C4D5B99237372167811ACEBD4D202E
SHA256: B420E53683C479EF7FEBDBB102EAB3D1237AE201C4CA9738BD4024B0D85B7966

7076 | OfficeClickToRun.exe | C:\Users\admin\AppData\Local\Temp\DESKTOP-JGLLJLD-20250621-2023.log | text
MD5: 16DBC1190555CC42CA5F1839468BF109
SHA256: 520AEE787E835C0244DAB81D6CDAF0DC7896521BFDF2F34F4A277056A73C9721

6840 | OfficeSetup.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59C76228DF8A2918214D353D01EDF08 | binary
MD5: E468B4C4A219F9B49766E6090E9D667F
SHA256: 79328A32320DB64F79448E33EC16692E080C18ACD4765D638837A5E676E50478

6840 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668\VersionDescriptor.xml | xml
MD5: 060987475E26CCD95F9235782B74F796
SHA256: D088A667C0033F4AF2FC878215902670427E394FC40FD015D1A523C12A6A8247

6840 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668OfficeC2R7312C6DB-D57F-4192-BA40-1F738375AA3A\VersionDescriptor.xml | xml
MD5: 060987475E26CCD95F9235782B74F796
SHA256: D088A667C0033F4AF2FC878215902670427E394FC40FD015D1A523C12A6A8247

7076 | OfficeClickToRun.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\CF712288-0FE1-4986-89EC-B3D25F1CC9F2OfficeC2RB6BB7FF8-B4FA-4CD3-BD5B-503942E497A2\api-ms-win-core-processthreads-l1-1-1.dll | executable
MD5: 247061D7C5542286AEDDADE76897F404
SHA256: CCB974C24DDFA7446278CA55FC8B236D0605D2CAAF273DB8390D1813FC70CD5B

6840 | OfficeSetup.exe | C:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668\v64.hash | text
MD5: 2962553FDCE581F71BABF6866EDE8746
SHA256: 9D989A927F0104182395C8EFDCDB2CD9F200EE2CCFDB2B10B9497BE31FF05A5E

7076 | OfficeClickToRun.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\CF712288-0FE1-4986-89EC-B3D25F1CC9F2OfficeC2RB6BB7FF8-B4FA-4CD3-BD5B-503942E497A2\api-ms-win-core-file-l1-2-0.dll | executable
MD5: 19DF2B0F78DC3D8C470E836BAE85E1FF
SHA256: BD9E07BBC62CE82DBC30C23069A17FBFA17F1C26A9C19E50FE754D494E6CD0B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 769
TCP/UDP connections: 122
DNS requests: 57
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation (the URL follows each row; "–" marks a column the report left empty)

– | – | GET | 200 | 52.109.32.97:443 | unknown | xml | 181 Kb | whitelisted
URL: https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18827&crev=3

1268 | svchost.exe | GET | 200 | 184.24.77.37:80 | unknown | – | – | whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

– | – | GET | 200 | 52.109.32.97:443 | unknown | xml | 181 Kb | whitelisted
URL: https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18827&crev=3

– | – | GET | 200 | 52.123.128.14:443 | unknown | binary | 109 Kb | whitelisted
URL: https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18827.20164/Production/CC?&EcsCanary=1&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.18827.20164&MsoVersion=16.0.18827.20164&SDX=fa000000002.2.0.1907.31003&SDXfa000000002=2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDXfa000000005=1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDXfa000000006=1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDXfa000000008=1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDXfa000000009=1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDXfa000000016=1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDXfa000000029=1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDXfa000000033=1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&SDXwa104381125=1.0.1810.9001&ProcessName=C2R.exe&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b831BBC01-193B-49DB-A94E-2434CB4BA48D%7d&LabMachine=false

5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | unknown | – | – | whitelisted
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl

1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | unknown | – | – | whitelisted
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl

4868 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | unknown | – | – | whitelisted
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl

– | – | GET | 200 | 13.107.6.156:443 | unknown | binary | 294 b | whitelisted
URL: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData/492350f6-3a01-4f97-b9c0-c7c6ddf67d60?prids=O365AppsBasicRetail.16_en-us_x-none%7CProfessional2019Retail.16_x-none_tr-tr_ru-ru_pt-br_ko-kr_ja-jp_it-it_fr-fr_es-es_en-us_de-de%7COneNoteFreeRetail.16_x-none_en-us&osver=Client%7C10.0.19045&bit=x64&tid=&omid=542208504793ed4c82c2fd12aee08be2&susid=bedd7c3c-050f-487e-9e2a-ee5c70087701&offver=16.0.16026.20146&ring=Production&aud=Production&ch=CC&unman=0&osarch=x64&manstate=5

– | – | GET | 200 | 52.123.128.14:443 | unknown | binary | 109 Kb | whitelisted
URL: https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18827.20164/Production/CC?&EcsCanary=1&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.18827.20164&MsoVersion=16.0.18827.20164&SDX=fa000000002.2.0.1907.31003&SDXfa000000002=2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDXfa000000005=1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDXfa000000006=1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDXfa000000008=1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDXfa000000009=1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDXfa000000016=1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDXfa000000029=1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDXfa000000033=1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&SDXwa104381125=1.0.1810.9001&ProcessName=C2R.exe&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bE68B0E2C-61D5-4D3E-82D5-E634C9841EE5%7d&LabMachine=false

4868 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | unknown | – | – | whitelisted
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("–" marks a column the report left empty)
4 | System | 192.168.100.255:137 | – | – | – | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4868 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | – | – | – | whitelisted
1324 | OfficeSetup.exe | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6840 | OfficeSetup.exe | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4868 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
  • 52.109.28.46
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.24
  • 184.24.77.38
  • 184.24.77.29
  • 184.24.77.31
  • 184.24.77.41
  • 184.24.77.7
  • 184.24.77.30
  • 184.24.77.10
  • 184.24.77.35
  • 184.24.77.19
  • 184.24.77.23
  • 184.24.77.34
  • 184.24.77.27
  • 184.24.77.22
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
  • 184.30.21.171
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.53
  • 52.110.17.47
  • 52.110.17.32
  • 52.110.17.43
  • 52.110.17.59
  • 52.110.17.67
  • 52.110.17.25
  • 52.110.17.46
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.71
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
f.c2r.ts.cdn.office.net
  • 199.232.210.172
  • 199.232.214.172
whitelisted

Threats

No threats detected
No debug info