File name: 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe

Full analysis: https://app.any.run/tasks/9e57a5e0-caa4-4f6c-a4ab-9355f78c94b7
Verdict: Malicious activity
Analysis date: May 19, 2024, 21:09:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 00992FD8D299EE5026503F4AEE06E340
SHA1: 90D3547CFCF202C24644D437FEF9B81E071867E2
SHA256: 2575493220598C4387F938B4254B58E356B13DA101C1F1B7BA98EAD9965E8646
SSDEEP: 1536:okKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXLGCgtIKlL:o/Cdcibf2bRdvSrzlLGtRlL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 6476)
      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Changes appearance of the Explorer extensions

      • SPOOLSV.EXE (PID: 7068)
      • CTFMON.EXE (PID: 7144)
      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
      • SVCHOST.EXE (PID: 6996)
    • Changes the login/logoff helper path in the registry

      • CTFMON.EXE (PID: 7144)
      • SPOOLSV.EXE (PID: 7068)
      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
      • SVCHOST.EXE (PID: 6996)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Starts a Microsoft application from unusual location

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Application launched itself

      • SVCHOST.EXE (PID: 6996)
      • CTFMON.EXE (PID: 7144)
      • SPOOLSV.EXE (PID: 7068)
    • Starts itself from another location

      • SPOOLSV.EXE (PID: 7068)
      • CTFMON.EXE (PID: 7144)
      • SVCHOST.EXE (PID: 6996)
      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • The process creates files with name similar to system file names

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Reads the date of Windows installation

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Reads security settings of Internet Explorer

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Process requests binary or script from the Internet

      • WINWORD.EXE (PID: 4704)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
  • INFO

    • Create files in a temporary directory

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
      • SVCHOST.EXE (PID: 7048)
      • SPOOLSV.EXE (PID: 7068)
      • SVCHOST.EXE (PID: 7100)
      • SPOOLSV.EXE (PID: 7120)
      • CTFMON.EXE (PID: 7144)
      • SVCHOST.EXE (PID: 1208)
      • SPOOLSV.EXE (PID: 6296)
      • SPOOLSV.EXE (PID: 4920)
      • CTFMON.EXE (PID: 3712)
      • CTFMON.EXE (PID: 5180)
      • CTFMON.EXE (PID: 4936)
      • SVCHOST.EXE (PID: 6996)
    • Checks supported languages

      • SVCHOST.EXE (PID: 7048)
      • SPOOLSV.EXE (PID: 7068)
      • SVCHOST.EXE (PID: 7100)
      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
      • SPOOLSV.EXE (PID: 7120)
      • CTFMON.EXE (PID: 7144)
      • SVCHOST.EXE (PID: 1208)
      • SPOOLSV.EXE (PID: 6296)
      • SPOOLSV.EXE (PID: 4920)
      • CTFMON.EXE (PID: 5180)
      • CTFMON.EXE (PID: 3712)
      • CTFMON.EXE (PID: 4936)
      • SVCHOST.EXE (PID: 6996)
    • Creates files in the program directory

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Reads the computer name

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
    • Process checks computer location settings

      • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe (PID: 6892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2003:08:06 18:34:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 61440
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x11d0
OSVersion: 4
ImageVersion: 10
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 18
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph, in the order listed ("no specs" marks a process with no triggered indicators):
  • start
  • powershell.exe (no specs)
  • conhost.exe (no specs)
  • 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
  • svchost.exe
  • svchost.exe (no specs)
  • spoolsv.exe
  • svchost.exe (no specs)
  • spoolsv.exe (no specs)
  • ctfmon.exe
  • svchost.exe (no specs)
  • spoolsv.exe (no specs)
  • ctfmon.exe (no specs)
  • ctfmon.exe (no specs)
  • spoolsv.exe (no specs)
  • ctfmon.exe (no specs)
  • winword.exe
  • ai.exe (no specs)
  • filecoauth.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1208
CMD: C:\recycled\SVCHOST.EXE :agent
Path: C:\Recycled\SVCHOST.EXE
Parent process: CTFMON.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Word
Exit code: 0
Version: 11.0.5604
Modules (Images):
c:\recycled\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 3712
CMD: C:\recycled\CTFMON.EXE :agent
Path: C:\Recycled\CTFMON.EXE
Parent process: CTFMON.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Word
Exit code: 0
Version: 11.0.5604
Modules (Images):
c:\recycled\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 4704
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.doc" /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Word
Version: 16.0.16026.20146
Modules (Images):
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4920
CMD: C:\recycled\SPOOLSV.EXE :agent
Path: C:\Recycled\SPOOLSV.EXE
Parent process: 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Word
Exit code: 0
Version: 11.0.5604
Modules (Images):
c:\recycled\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 4936
CMD: C:\recycled\CTFMON.EXE :agent
Path: C:\Recycled\CTFMON.EXE
Parent process: 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Word
Exit code: 0
Version: 11.0.5604
Modules (Images):
c:\recycled\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 5180
CMD: C:\recycled\CTFMON.EXE :agent
Path: C:\Recycled\CTFMON.EXE
Parent process: SVCHOST.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Word
Exit code: 0
Version: 11.0.5604
Modules (Images):
c:\recycled\ctfmon.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6152
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "A4DE39F5-8133-469D-ADE7-456D64287E8F" "3ECFB04C-5369-4454-9BC5-841D53437D22" "4704"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version: 0.12.2.0
Modules (Images):
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\sechost.dll
PID: 6296
CMD: C:\recycled\SPOOLSV.EXE :agent
Path: C:\Recycled\SPOOLSV.EXE
Parent process: CTFMON.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Office Word
Exit code: 0
Version: 11.0.5604
Modules (Images):
c:\recycled\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 6476
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6484
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 32 044
Read events: 31 086
Write events: 922
Delete events: 36

Modification events

(PID) Process: (6476) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

(PID) Process: (6476) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

(PID) Process: (6476) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

(PID) Process: (6476) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

(PID) Process: (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command
Operation: delete key | Name: (default) | Value:

(PID) Process: (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config
Operation: delete key | Name: (default) | Value:

(PID) Process: (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command
Operation: delete key | Name: (default) | Value:

(PID) Process: (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install
Operation: delete key | Name: (default) | Value:

(PID) Process: (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Key: HKEY_CLASSES_ROOT\*
Operation: write | Name: QuickTip | Value: prop:Type;Size

(PID) Process: (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe
Key: HKEY_CLASSES_ROOT\*
Operation: write | Name: TileInfo | Value: prop:Type;Size
Executable files: 11
Suspicious files: 135
Text files: 49
Unknown types: 1

Dropped files

Columns: PID | Process | Filename | Type

PID: 6476 | Process: powershell.exe | Type:
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V5XQQQ1DZGH2FPHO222U.temp
MD5:
SHA256:

PID: 7144 | Process: CTFMON.EXE | Type:
Filename: C:\Users\admin\AppData\Local\Temp\~DF295B2BC617E3E2D0.TMP
MD5:
SHA256:

PID: 6476 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lt5o41yu.11o.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6476 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1139d9.TMP
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 6476 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vmiixucd.jrx.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6476 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5: BC624035B72C8789E96437F411D19374
SHA256: C2AE6C4220B494BA0F62491186B184E4FD7A821E73499A89158EFF1D23BC24FD

PID: 1208 | Process: SVCHOST.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\~DF3385F71EDD6272D4.TMP
MD5: BD92709DB1DAAA347C4B9E49ACC169A0
SHA256: D13974D8E93F00C9F41BAB35A4E38D21BDC66B65B06615E88F5E72B10A62C9CC

PID: 6892 | Process: 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Flu Burung.txt
MD5: 1A1DCE35D60D2C70CA8894954FD5D384
SHA256: 2661C05273F33EFA4B7FAA6ED8A6F7E69A13AD86077F69EE285ECE9CBA57E44C

PID: 7120 | Process: SPOOLSV.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\~DF0E726462ED7A58D9.TMP
MD5: 3B6733279633A4F16004263A20D6ADD8
SHA256: 29558024360D422A420C3398D8757B0D762B56BC179D256B38DD06C7D639DB43

PID: 6296 | Process: SPOOLSV.EXE | Type: binary
Filename: C:\Users\admin\AppData\Local\Temp\~DF07342FB31B841E93.TMP
MD5: 9A46C4E2DFABFF860AD2203A9A268887
SHA256: F20E0176EE55382A1B446EB6FE3DE7656947DE6C447F0A7F38941672865626A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 73
TCP/UDP connections: 83
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4264 | svchost.exe | GET | 200 | 23.214.95.215:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1324 | RUXIMICS.exe | GET | 200 | 23.214.95.215:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.214.95.215:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1324 | RUXIMICS.exe | GET | 200 | 23.48.10.36:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.48.10.36:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4264 | svchost.exe | GET | 200 | 23.48.10.36:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4704 | WINWORD.EXE | GET | 200 | 52.109.32.97:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 168 Kb | unknown
4704 | WINWORD.EXE | GET | 200 | 52.111.236.4:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BB9479A2B-457E-4C95-AF00-B26CE521D60E%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D | unknown | text | 542 b | unknown
(PID and process not recorded) | GET | 200 | 23.214.95.213:443 | https://omex.cdn.office.net/addinclassifier/officesharedentities | unknown | text | 314 Kb | unknown
4704 | WINWORD.EXE | GET | 200 | 23.214.95.207:443 | https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851222.cab | unknown | compressed | 28.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | unknown
4264 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1324 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4264 | svchost.exe | 23.214.95.215:80 | crl.microsoft.com | AKAMAI-AS | BR | unknown
1324 | RUXIMICS.exe | 23.214.95.215:80 | crl.microsoft.com | AKAMAI-AS | BR | unknown
5140 | MoUsoCoreWorker.exe | 23.214.95.215:80 | crl.microsoft.com | AKAMAI-AS | BR | unknown
4264 | svchost.exe | 23.48.10.36:80 | www.microsoft.com | Akamai International B.V. | US | unknown
1324 | RUXIMICS.exe | 23.48.10.36:80 | www.microsoft.com | Akamai International B.V. | US | unknown
5140 | MoUsoCoreWorker.exe | 23.48.10.36:80 | www.microsoft.com | Akamai International B.V. | US | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.214.95.215, 23.214.95.196 | whitelisted
www.microsoft.com | 23.48.10.36 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
officeclient.microsoft.com | 52.109.32.97 | whitelisted
omex.cdn.office.net | 23.214.95.215, 23.214.95.213 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted
messaging.lifecycle.office.com | 52.111.236.4 | whitelisted
self.events.data.microsoft.com | 20.189.173.1, 52.168.117.168 | whitelisted
metadata.templates.cdn.office.net | 23.212.62.219, 23.212.62.204 | unknown
binaries.templates.cdn.office.net | 23.214.95.207, 23.214.95.200 | whitelisted

Threats

No threats detected
Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.