File name:

OfficeSetup.exe

Full analysis: https://app.any.run/tasks/3438733a-98e4-403e-8dc1-af9e1023655e
Verdict: Malicious activity
Analysis date: June 21, 2025, 20:22:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

191A4E55E313520C28E0961D72DFBB9A

SHA1:

451D9EE28C24AFFB6DF03CD4C06BFF4AD8A764E9

SHA256:

D2D9C5F6D5554EC34AAD0302BB9D3AC1DA6A1781C6CCFFAA96D0A54533F83ADC

SSDEEP:

98304:2bW17Ityal6XBdctwHrIcdO73YKwEoIhXZ1AGRnKwg98iL29suGR/R3XYqz1xyrf:0w52SMr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • OfficeSetup.exe (PID: 6840)
      • OfficeSetup.exe (PID: 1324)

    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 7076)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Process drops legitimate windows executable

      • OfficeSetup.exe (PID: 516)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)

    • Application launched itself

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)

    • Reads security settings of Internet Explorer

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Searches for installed software

      • OfficeSetup.exe (PID: 6840)

    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)

    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 7076)

  • INFO

    • Reads the computer name

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads Microsoft Office registry keys

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads the machine GUID from the registry

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Checks supported languages

      • OfficeSetup.exe (PID: 516)
      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)

    • Process checks computer location settings

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Process checks whether UAC notifications are on

      • OfficeSetup.exe (PID: 1324)

    • Checks proxy server information

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)
      • OfficeClickToRun.exe (PID: 1200)
      • slui.exe (PID: 6900)

    • Reads the software policy settings

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)
      • OfficeClickToRun.exe (PID: 3540)
      • slui.exe (PID: 6900)

    • Creates files or folders in the user directory

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads CPU info

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • Create files in a temporary directory

      • OfficeSetup.exe (PID: 6840)
      • OfficeSetup.exe (PID: 1324)
      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 1200)

    • Reads Environment values

      • OfficeSetup.exe (PID: 1324)
      • OfficeSetup.exe (PID: 6840)

    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 7076)

    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 7076)
      • OfficeClickToRun.exe (PID: 3540)

    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 7076)

    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 7076)

    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 3540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:14 01:21:38+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4643840
InitializedDataSize: 2992128
UninitializedDataSize: -
EntryPoint: 0x3f8501
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18827.20164
ProductVersionNumber: 16.0.18827.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18827.20164
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18827.20164
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start officesetup.exe no specs officesetup.exe officesetup.exe #GENERIC officeclicktorun.exe Delivery Optimization User no specs slui.exe officeclicktorun.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\Desktop\OfficeSetup.exe" C:\Users\admin\Desktop\OfficeSetup.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18827.20164
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
1200OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365AppsBasicRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18827.20164 mediatype.16=CDN sourcetype.16=CDN O365AppsBasicRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=TrueC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18827.20164
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1324OfficeSetup.exe RELAUNCHED C:\Users\admin\Desktop\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18827.20164
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
3540"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /serviceC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18827.20164
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
5432C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
6840"C:\Users\admin\Desktop\OfficeSetup.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED C:\Users\admin\Desktop\OfficeSetup.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.18827.20164
Modules
Images
c:\users\admin\desktop\officesetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
6900C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7076OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365AppsBasicRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18827.20164 mediatype=CDN sourcetype=CDN O365AppsBasicRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATEC:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
OfficeSetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
40 175
Read events
39 731
Write events
234
Delete events
210

Modification events

(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
(PID) Process:(1324) OfficeSetup.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:tr-tr
Value:
2
Executable files
409
Suspicious files
62
Text files
443
Unknown types
1

Dropped files

PID
Process
Filename
Type
1324OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\64AFC463-07A4-44CF-84FE-A5708D0150F5xml
MD5:085A97EA0A3E67D300D85A39F1B69CDD
SHA256:DA83E33309FCE731EBFFD4346FFD813B5D641E7334B7992D07B8F4E555AF72EC
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:63C4D5B99237372167811ACEBD4D202E
SHA256:B420E53683C479EF7FEBDBB102EAB3D1237AE201C4CA9738BD4024B0D85B7966
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59C76228DF8A2918214D353D01EDF08binary
MD5:E468B4C4A219F9B49766E6090E9D667F
SHA256:79328A32320DB64F79448E33EC16692E080C18ACD4765D638837A5E676E50478
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59C76228DF8A2918214D353D01EDF08binary
MD5:CD93AAA8A4F87F74DF938E4E31159BE0
SHA256:4F6E6D2F1C0B2EB29922152BC4D9D9B0D414FEC73A4CF39D502EB21B04621EA4
6840OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668OfficeC2R7312C6DB-D57F-4192-BA40-1F738375AA3A\VersionDescriptor.xmlxml
MD5:060987475E26CCD95F9235782B74F796
SHA256:D088A667C0033F4AF2FC878215902670427E394FC40FD015D1A523C12A6A8247
1324OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db-walbinary
MD5:4A61DA04779740F69A0543B27DAE75C5
SHA256:2C9A208C7148682B0B57310E86B56D9E089E4F737DA84A2A5DCF6FC8C3DFA51A
6840OfficeSetup.exeC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4DB25DB0-F4C6-43A3-A8DB-ECD08E208923xml
MD5:6CC21D36917701737F526AF5D46EDDAC
SHA256:5EABBF62CC98980AA77B2658BC893A3A4089319B538AEA9238F490A493B796D0
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892binary
MD5:A511DAB56DC44A64A1114B7814E4F8C6
SHA256:08FA57906B20E454242889F05F1609C276B91A06561121E9012A88A50FF23F9F
6840OfficeSetup.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A583E2A51BFBDC1E492A57B7C8325850binary
MD5:144D698C7F3CCD662F9460D8F443A2BB
SHA256:C5714AC85358D727F4EA913F814CCADCD7F6E063D95B54B886CCF6BFC31612C1
6840OfficeSetup.exeC:\Users\admin\AppData\Local\Temp\OfficeC2RA69CC738-5C19-4906-8FD0-BE3532BFC668\VersionDescriptor.xmlxml
MD5:060987475E26CCD95F9235782B74F796
SHA256:D088A667C0033F4AF2FC878215902670427E394FC40FD015D1A523C12A6A8247
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
769
TCP/UDP connections
122
DNS requests
57
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
52.109.32.97:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18827&crev=3
unknown
xml
181 Kb
whitelisted
1268
svchost.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
52.109.32.97:443
https://officeclient.microsoft.com/config16/?syslcid=1033&build=16.0.18827&crev=3
unknown
xml
181 Kb
whitelisted
4868
RUXIMICS.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
52.123.128.14:443
https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18827.20164/Production/CC?&EcsCanary=1&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.18827.20164&MsoVersion=16.0.18827.20164&SDX=fa000000002.2.0.1907.31003&SDXfa000000002=2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDXfa000000005=1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDXfa000000006=1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDXfa000000008=1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDXfa000000009=1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDXfa000000016=1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDXfa000000029=1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDXfa000000033=1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&SDXwa104381125=1.0.1810.9001&ProcessName=C2R.exe&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b831BBC01-193B-49DB-A94E-2434CB4BA48D%7d&LabMachine=false
unknown
binary
109 Kb
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4868
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
52.123.128.14:443
https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.18827.20164/Production/CC?&EcsCanary=1&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=officeclicktorun&Platform=win32&Version=16.0.18827.20164&MsoVersion=16.0.18827.20164&SDX=fa000000002.2.0.1907.31003&SDXfa000000002=2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDXfa000000005=1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDXfa000000006=1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDXfa000000008=1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDXfa000000009=1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDXfa000000016=1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDXfa000000029=1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDXfa000000033=1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&SDXwa104381125=1.0.1810.9001&ProcessName=C2R.exe&Audience=Production&Build=ship&Architecture=x86&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bE68B0E2C-61D5-4D3E-82D5-E634C9841EE5%7d&LabMachine=false
unknown
binary
109 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4868
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1324
OfficeSetup.exe
52.109.76.240:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6840
OfficeSetup.exe
52.109.76.240:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4868
RUXIMICS.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
  • 52.109.28.46
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.24
  • 184.24.77.38
  • 184.24.77.29
  • 184.24.77.31
  • 184.24.77.41
  • 184.24.77.7
  • 184.24.77.30
  • 184.24.77.10
  • 184.24.77.35
  • 184.24.77.19
  • 184.24.77.23
  • 184.24.77.34
  • 184.24.77.27
  • 184.24.77.22
  • 184.25.50.10
  • 184.25.50.8
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
  • 184.30.21.171
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.17.53
  • 52.110.17.47
  • 52.110.17.32
  • 52.110.17.43
  • 52.110.17.59
  • 52.110.17.67
  • 52.110.17.25
  • 52.110.17.46
whitelisted
login.live.com
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.68
  • 20.190.159.129
  • 40.126.31.71
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
f.c2r.ts.cdn.office.net
  • 199.232.210.172
  • 199.232.214.172
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
OfficeSetup.exe