Malware analysis client.exe Malicious activity | ANY.RUN

Add for printing

File name:	client.exe
Full analysis:	https://app.any.run/tasks/3501b31f-9233-4276-a233-9256f42534bf
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	February 26, 2026, 07:05:54
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion rat karstorat ip-check
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	FE9DB3AED6A04C762472AFDF2FACE254
SHA1:	94E98B714BFB102D143957CF1E00BD45B5B8FA4D
SHA256:	07131E3FCB9E65C1E4D2E756EFDB9F263FD90080D3FF83FBCCA1F31A4890EBDB
SSDEEP:	6144:XnYpB6s6V8VHVc/AzAvaqycSDKDAKaQb111Q:XnYP6s6V8VHVcIlqycSDK8KaK111Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java(TM) SE Development Kit 25.0.2 (64-bit) (25.0.2.0)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- KARSTORAT has been detected (YARA)
  - client.exe (PID: 7192)
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
SUSPICIOUS
- There is functionality for capture public ip (YARA)
  - client.exe (PID: 7412)
  - client.exe (PID: 7192)
  - client.exe (PID: 4840)
- Checks for external IP
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
  - client.exe (PID: 7192)
INFO
- Checks supported languages
  - client.exe (PID: 7412)
  - client.exe (PID: 7192)
  - client.exe (PID: 4840)
- Reads the computer name
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
  - client.exe (PID: 7192)
- There is functionality for taking screenshot (YARA)
  - client.exe (PID: 7192)
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
- Checks proxy server information
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
  - slui.exe (PID: 7760)
  - client.exe (PID: 7192)
- Creates files or folders in the user directory
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
  - client.exe (PID: 7192)
- Reads security settings of Internet Explorer
  - client.exe (PID: 7412)
  - client.exe (PID: 4840)
  - client.exe (PID: 7192)
- Manual execution by a user
  - WINWORD.EXE (PID: 352)
  - client.exe (PID: 7192)
  - client.exe (PID: 4840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2026:02:16 15:09:37+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.44
CodeSize:	99328
InitializedDataSize:	52736
UninitializedDataSize:	-
EntryPoint:	0x178c0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

352

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\televisioncharacter.rtf" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

672

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "0E38E77E-0CF0-4DEB-9987-4A7C477332C7" "9BA7D998-614E-446F-9D3F-F246CDC65E75" "352"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll

4840

"C:\Users\admin\AppData\Local\Temp\client.exe"

C:\Users\admin\AppData\Local\Temp\client.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7192

"C:\Users\admin\AppData\Local\Temp\client.exe"

C:\Users\admin\AppData\Local\Temp\client.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7412

"C:\Users\admin\AppData\Local\Temp\client.exe"

C:\Users\admin\AppData\Local\Temp\client.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\client.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

7760

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

19 245

Read events

18 847

Write events

364

Delete events

Modification events


(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7412) client.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(352) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\352
Operation:	write	Name:	0
Value: 0B0E1039E8B1D9FE72AB4697B40085BCB64585230046A7D9D2AEE6DDA9EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511E002D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:	(352) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	en-US
Value: 2
(PID) Process:	(352) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:	write	Name:	de-de
Value: 2

Add for printing

Executable files

Suspicious files

Text files

Unknown types

146

Dropped files

PID	Process	Filename		Type
352	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		binary
		MD5:69D39034E3816B396D0B3DB288ECDCF0	SHA256:353AF3A27ECD6A741BB1CC3008FA504409CB4C5F9D89A73D55EF38C0864CD7BB
7412	client.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\2FYVF6OU.txt		binary
		MD5:0A47328A34A88185C77DDC70CBAA6178	SHA256:F1F9DC41BAB9BA048CAE9029E1FB4098DC50129672DF1C0291B7EA400F955FD0
352	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\televisioncharacter.rtf.LNK		binary
		MD5:3D7443261DE1007D60A63D3AFD7C689F	SHA256:169374D4BC41A703C3329CA9AB5BDEC2B82D0B8BC6AD873EDBFE1A630CDAAF93
352	WINWORD.EXE	C:\Users\admin\Desktop\~$levisioncharacter.rtf		binary
		MD5:0A9737CD36D85AE41C8952A0C65BB59D	SHA256:9DCCFECBE142776CD80013A061E049C9E1CE1CE2EEBBC690354810B72657FEA7
352	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0F99DCCD-5337-431E-BCB4-62E33238A4FE		binary
		MD5:2392F7E9CF1A6544755CD9A06B7C2370	SHA256:8D5C92D52BE3643F99CAF12871EB54225263F1E161B8554E1FDB229D61C042CA
352	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		binary
		MD5:EDCA5D7A23355F9B49CC30FA31998B64	SHA256:A989FA3C995C35370E8CF640937687725EAF4B430DD84E690EEDE3376C8E5CA0
352	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_EAF5D55D93603A879FA973006301F24F		binary
		MD5:1987D368D6A888811A29D99A83383666	SHA256:B140ABF88FB278A4474005E1EEAD71A6998E05921C4B24569366AF23E6F0402D
352	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B76BE66D46C355931939D8CF818D03FD_30070D1E013A39CA7A94F919F7922FDF		binary
		MD5:D3B1FF98B0C4CEA7A11605802F3AB1EE	SHA256:92D1688CB11566616C0645C93773598B9A98A3F9A20D512A1403AF404CB9E628
352	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		binary
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
352	WINWORD.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_EAF5D55D93603A879FA973006301F24F		binary
		MD5:DE589D7A00C7D23BCF0D50A8D51C1857	SHA256:61A03C01C3B1B0C943E8BC857826C4D0C6A1DA1A54E3055F53B258BBAD48808C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

686

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop	US	—	—	whitelisted
7668	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5276	MoUsoCoreWorker.exe	GET	304	51.104.136.2:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
352	WINWORD.EXE	GET	200	52.110.17.17:443	https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3	US	binary	187 Kb	whitelisted
352	WINWORD.EXE	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAsMayxGaRewR3PGR9SvwMg%3D	US	binary	471 b	whitelisted
352	WINWORD.EXE	GET	200	204.79.197.203:80	http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBR0TBEVYklX7A9yLoLD9hqmCWDxFgQU3pGGSLehMVkx8UtfB6nciHnaqHYCEzMAAAAPMyBlN%2B5Crk8AAAAAAA8%3D	US	binary	2.23 Kb	whitelisted
2216	SIHClient.exe	GET	304	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	US	—	—	whitelisted
352	WINWORD.EXE	GET	200	184.86.251.137:443	https://omex.cdn.office.net/addinclassifier/officesharedentities	NL	—	314 Kb	whitelisted
352	WINWORD.EXE	GET	200	52.123.128.14:443	https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bD9B1E839-72FE-46AB-97B4-0085BCB64585%7d&LabMachine=false	US	—	352 Kb	unknown
352	WINWORD.EXE	POST	200	52.110.17.44:443	https://roaming.svc.cloud.microsoft/rs/RoamingSoapService.svc	US	text	654 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
7668	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
5276	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5532	SearchApp.exe	2.16.241.201:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
2260	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7412	client.exe	172.67.74.152:80	api.ipify.org	CLOUDFLARENET	US	whitelisted
7412	client.exe	212.227.65.132:15144	—	IONOS-AS This is the joint network for IONOS, Fasthosts, Arsys, 1&1 Mail and Media and 1&1 Telecom. Formerly known as 1&1 Internet SE.	DE	unknown
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7668	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7668	svchost.exe	23.53.41.90:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
www.bing.com	2.16.241.201 2.16.241.203 2.16.241.209 2.16.241.200 2.16.241.211 2.16.241.206 2.16.241.212 2.16.241.205 2.16.241.207	whitelisted
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
google.com	142.251.127.139 142.251.127.102 142.251.127.138 142.251.127.113 142.251.127.100 142.251.127.101	whitelisted
api.ipify.org	172.67.74.152 104.26.12.205 104.26.13.205	whitelisted
self.events.data.microsoft.com	13.89.179.11	whitelisted
crl.microsoft.com	23.53.41.90 23.53.40.178 23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	23.59.18.102 88.221.169.152	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
officeclient.microsoft.com	52.110.17.17 52.110.17.62 52.110.17.67 52.110.17.61 52.110.17.38 52.110.17.52 52.110.17.39 52.110.17.26	whitelisted

Threats

PID	Process	Class	Message
7412	client.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
7412	client.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
2232	svchost.exe	Misc activity	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7412	client.exe	A Network Trojan was detected	RAT [ANY.RUN] KarstoRAT User-Agent observed (SecurityNotifier)
7412	client.exe	A Network Trojan was detected	RAT [ANY.RUN] KarstoRAT related IP address
7668	svchost.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
7412	client.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
7192	client.exe	Device Retrieving External IP Address Detected	POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
7192	client.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup api.ipify.org
7192	client.exe	A Network Trojan was detected	RAT [ANY.RUN] KarstoRAT User-Agent observed (SecurityNotifier)

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

client.exe

FE9DB3AED6A04C762472AFDF2FACE254

94E98B714BFB102D143957CF1E00BD45B5B8FA4D

07131E3FCB9E65C1E4D2E756EFDB9F263FD90080D3FF83FBCCA1F31A4890EBDB

6144:XnYpB6s6V8VHVc/AzAvaqycSDKDAKaQb111Q:XnYP6s6V8VHVcIlqycSDK8KaK111Q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

KARSTORAT has been detected (YARA)

SUSPICIOUS

There is functionality for capture public ip (YARA)

Checks for external IP

INFO

Checks supported languages

Reads the computer name

There is functionality for taking screenshot (YARA)

Checks proxy server information

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings