File name: O365ProPlusRetail.exe

Full analysis: https://app.any.run/tasks/a5050941-b336-4abf-8f1c-d15843daecf6
Verdict: Malicious activity
Analysis date: April 15, 2025, 02:11:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 469C0D78D1261E02077AF579ECDE8526
SHA1: 9EEC18714E6A0DD90056985C48BBE8AFC00238F6
SHA256: F0FA41FD2B9692B3213EC455336E1E78F8BE22C33EE827DEAC8CE5AE7C3676DB
SSDEEP: 98304:EjjCG9DuXIcwZarYM6dQAopLGlF5y9XOe8K0TPjslfbC6LE+JPoDf4K20I086C8u:r7VH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Scans artifacts that could help determine the target

      • O365ProPlusRetail.exe (PID: 5640)
      • O365ProPlusRetail.exe (PID: 6028)
    • GENERIC has been found (auto)

      • OfficeClickToRun.exe (PID: 4112)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • O365ProPlusRetail.exe (PID: 6808)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
    • Starts a Microsoft application from unusual location

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 6808)
      • O365ProPlusRetail.exe (PID: 5640)
    • Application launched itself

      • O365ProPlusRetail.exe (PID: 6808)
      • O365ProPlusRetail.exe (PID: 6028)
    • Reads security settings of Internet Explorer

      • O365ProPlusRetail.exe (PID: 5640)
      • O365ProPlusRetail.exe (PID: 6028)
    • Searches for installed software

      • O365ProPlusRetail.exe (PID: 5640)
    • Executable content was dropped or overwritten

      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
    • The process drops C-runtime libraries

      • OfficeClickToRun.exe (PID: 4112)
  • INFO

    • Reads the machine GUID from the registry

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
      • OfficeClickToRun.exe (PID: 8080)
    • Checks supported languages

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 6808)
      • O365ProPlusRetail.exe (PID: 5640)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
      • OfficeClickToRun.exe (PID: 8080)
    • Process checks whether UAC notifications are on

      • O365ProPlusRetail.exe (PID: 6028)
    • Process checks computer location settings

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
    • Reads the computer name

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
      • OfficeClickToRun.exe (PID: 8080)
    • Reads the software policy settings

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
      • slui.exe (PID: 7620)
      • OfficeClickToRun.exe (PID: 8080)
      • OfficeClickToRun.exe (PID: 7944)
      • OfficeClickToRun.exe (PID: 4112)
    • Creates files or folders in the user directory

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 8080)
    • Reads Microsoft Office registry keys

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
      • OfficeClickToRun.exe (PID: 8080)
    • Create files in a temporary directory

      • O365ProPlusRetail.exe (PID: 6028)
      • O365ProPlusRetail.exe (PID: 5640)
      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 8080)
    • Checks proxy server information

      • O365ProPlusRetail.exe (PID: 6028)
      • OfficeClickToRun.exe (PID: 4112)
      • slui.exe (PID: 7620)
      • OfficeClickToRun.exe (PID: 7944)
      • OfficeClickToRun.exe (PID: 8080)
      • O365ProPlusRetail.exe (PID: 5640)
    • Reads Environment values

      • O365ProPlusRetail.exe (PID: 5640)
      • O365ProPlusRetail.exe (PID: 6028)
    • Creates files in the program directory

      • OfficeClickToRun.exe (PID: 4112)
      • OfficeClickToRun.exe (PID: 7944)
    • The sample compiled with english language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with Italian language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with arabic language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with german language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with czech language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with spanish language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with french language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with Indonesian language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with japanese language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with bulgarian language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with korean language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with portuguese language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with turkish language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with slovak language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with russian language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with swedish language support

      • OfficeClickToRun.exe (PID: 4112)
    • The sample compiled with chinese language support

      • OfficeClickToRun.exe (PID: 4112)
    • Executes as Windows Service

      • OfficeClickToRun.exe (PID: 7944)
    • The sample compiled with polish language support

      • OfficeClickToRun.exe (PID: 4112)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:08 11:26:35+00:00
ImageFileCharacteristics: Executable, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 14.4
CodeSize: 4563456
InitializedDataSize: 2999808
UninitializedDataSize: -
EntryPoint: 0x3e3a33
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 16.0.18429.20158
ProductVersionNumber: 16.0.18429.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft 365 and Office
FileVersion: 16.0.18429.20158
InternalName: Bootstrapper.exe
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
OriginalFileName: Bootstrapper.exe
ProductName: Microsoft Office
ProductVersion: 16.0.18429.20158
No data.
Total processes
142
Monitored processes
8
Malicious processes
4
Suspicious processes
0

Behavior graph

start o365proplusretail.exe no specs o365proplusretail.exe o365proplusretail.exe #GENERIC officeclicktorun.exe Delivery Optimization User no specs slui.exe officeclicktorun.exe officeclicktorun.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4112
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.18623.20178 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=teams,groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True scenario=CLIENTUPDATE
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: O365ProPlusRetail.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Exit code:
0
Version:
16.0.16026.20140
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5640
CMD: "C:\Users\admin\AppData\Local\Temp\O365ProPlusRetail.exe" ELEVATED sid=S-1-5-21-1693682860-607145093-2874071422-1001 RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\O365ProPlusRetail.exe
Parent process: O365ProPlusRetail.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft 365 and Office
Version:
16.0.18429.20158
Modules
Images
c:\users\admin\appdata\local\temp\o365proplusretail.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6028
CMD: O365ProPlusRetail.exe RELAUNCHED
Path: C:\Users\admin\AppData\Local\Temp\O365ProPlusRetail.exe
Parent process: O365ProPlusRetail.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18429.20158
Modules
Images
c:\users\admin\appdata\local\temp\o365proplusretail.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6808
CMD: "C:\Users\admin\AppData\Local\Temp\O365ProPlusRetail.exe"
Path: C:\Users\admin\AppData\Local\Temp\O365ProPlusRetail.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft 365 and Office
Version:
16.0.18429.20158
Modules
Images
c:\users\admin\appdata\local\temp\o365proplusretail.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7232
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 7620
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7944
CMD: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18623.20178
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll
c:\program files\common files\microsoft shared\clicktorun\apiclient.dll
c:\windows\system32\advapi32.dll
PID: 8080
CMD: OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.18623.20178 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=teams,groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown uninstallcentennial=True
Path: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
Parent process: O365ProPlusRetail.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Office Click-to-Run (SxS)
Version:
16.0.18623.20178
Modules
Images
c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140_1.dll
c:\program files\common files\microsoft shared\clicktorun\vcruntime140.dll
c:\program files\common files\microsoft shared\clicktorun\msvcp140.dll
c:\program files\common files\microsoft shared\clicktorun\apiclient.dll
Total events
32 244
Read events
31 838
Write events
210
Delete events
196

Modification events

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ru-ru
Value: 2

(PID) Process: (6028) O365ProPlusRetail.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: tr-tr
Value: 2
Executable files
385
Suspicious files
108
Text files
81
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6028
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ACF82969-F49F-45F8-A22D-10C0FFCF5EF0
Type: xml
MD5:7776D3714C68784813BD9494F6FBCBFD
SHA256:8FB8BAF26EB97A09F346D0EC2E63C3D6F2366E09816997F0D379582980B994B9
PID: 6028
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\o365proplusretail.exe.db
Type: binary
MD5:D0DE7DB24F7B0C0FE636B34E253F1562
SHA256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
PID: 5640
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\36AC0BE60E1243344AE145F746D881FE
Type: binary
MD5:411D4C6D9068F0593E05D0F67B46BF77
SHA256:743747DD59C21B0ECD5328A93F31A5D89A9765AFC6740C4963EBA797AA383043
PID: 5640
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A583E2A51BFBDC1E492A57B7C8325850
Type: binary
MD5:147DB0E4271403EF0AF9CADD6BBD69E2
SHA256:3C9D01C6399AF9FD160C58B7B37C3C8531C54E616176EEFCBD8CD6E35095B899
PID: 5640
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\o365proplusretail.exe.db-journal
Type: binary
MD5:0B7E0B9B07E849364259A3CDE32AF6BD
SHA256:F36BEDA1357AD4A00A7670D26929D4DFEFA0E64EA6565A8182B5039806426710
PID: 5640
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Temp\OfficeC2R1BD825B4-8803-4F06-BADF-7C5BBF8B51E4OfficeC2R2839BBEA-10E3-4B74-A0E3-5FCC4A9F49EA\v64.hash
Type: text
MD5:D3F12CC58773285B04403F89CD1F0EC4
SHA256:1DBB4DF022BA6F5DCB835CC632EE9746DBDC4818460D38D0C476211CA81B45AB
PID: 5640
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1D46142D-3611-4856-A8C7-FC6235A3CBA9
Type: xml
MD5:FC1EF05E7EED54666BE7B814765A9CFB
SHA256:33D3936283941067A794659376B4599E560F2D8C0AB63F1C0460AF2D51485058
PID: 5640
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0B8A20E1F3F4D73D52A19929F922C892
Type: binary
MD5:CB0BF7779501DB0D4AB56C44DD13CEFF
SHA256:F3C27A5F606A7FDBA1104AF40D3E34F71E7E0C3255E88DFA8784D1992C5D7B2E
PID: 6028
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\o365proplusretail.exe.db-shm
Type: binary
MD5:BAFDEE6E2854B3F846098C8FEB42AC20
SHA256:1F10F65AAC8965ED591C22107893B030AA55032D46541E82501D73ADE9C5CC3A
PID: 6028
Process: O365ProPlusRetail.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\OTele\o365proplusretail.exe.db-wal
Type: binary
MD5:00BA28EDECA2889199E15CF406664D1B
SHA256:F1113874E5603C8E88006FDD8336BF595410DFA973C3D4B84B360EAE5B56EBB7
HTTP(S) requests
308
TCP/UDP connections
79
DNS requests
47
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
88.221.25.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.25.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5640
O365ProPlusRetail.exe
HEAD
200
151.101.38.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.16026.20146.cab
unknown
whitelisted
5640
O365ProPlusRetail.exe
HEAD
200
151.101.38.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab
unknown
whitelisted
2104
svchost.exe
GET
200
88.221.25.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5640
O365ProPlusRetail.exe
HEAD
200
151.101.38.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab
unknown
whitelisted
516
svchost.exe
HEAD
200
151.101.38.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab
unknown
whitelisted
516
svchost.exe
GET
206
151.101.38.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab
unknown
whitelisted
516
svchost.exe
HEAD
200
151.101.38.172:80
http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v64_16.0.18623.20178.cab
unknown
whitelisted
6544
svchost.exe
GET
200
2.22.98.7:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
88.221.25.177:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
88.221.25.177:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2104
svchost.exe
88.221.25.177:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6028
O365ProPlusRetail.exe
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5640
O365ProPlusRetail.exe
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6028
O365ProPlusRetail.exe
52.123.240.103:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5640
O365ProPlusRetail.exe
52.123.240.103:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.179.174
whitelisted
crl.microsoft.com
  • 88.221.25.177
whitelisted
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
ecs.office.com
  • 52.123.240.103
  • 52.123.128.14
whitelisted
mrodevicemgr.officeapps.live.com
  • 52.110.0.28
whitelisted
f.c2r.ts.cdn.office.net
  • 151.101.38.172
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.69
whitelisted
ocsp.digicert.com
  • 2.22.98.7
whitelisted

Threats

No threats detected
No debug info