File name:

2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe

Full analysis: https://app.any.run/tasks/9a2e2630-3072-4b97-9a5c-8c0e66d6e8a4
Verdict: Malicious activity
Analysis date: November 29, 2024, 21:51:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
arch-exec
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Adler, Last Saved By: Adler, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Dec 19 06:27:34 2019, Last Saved Time/Date: Thu Dec 19 06:52:24 2019, Security: 0
MD5:

FA6A95DF0AF45FF6601696678AF711B6

SHA1:

C87653F543D7C9386B92732E02EE64DEAC0E0100

SHA256:

2628AD9BE62DB33BCC2DD982D80A7EC4FF840349A658795E13EF9611B784EEFE

SSDEEP:

1536:mgSWB3d4VeP4BaEQK5zG0NXpbkHd+kMUGsQzRQXUIQ9m6F+e50ReRjOiFjKKBzaU:H8VeP4BF5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Office

      • EXCEL.EXE (PID: 6436)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 6436)

  • SUSPICIOUS

    • Creates a Folder object (SCRIPT)

      • EXCEL.EXE (PID: 6436)

    • Connects to unusual port

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)

    • Runs shell command (SCRIPT)

      • EXCEL.EXE (PID: 6436)

  • INFO

    • Reads mouse settings

      • EXCEL.EXE (PID: 6436)

    • Checks supported languages

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)

    • Reads the computer name

      • rlbwrarhsa.exe (PID: 7136)
      • rlbwrarhsa.exe (PID: 7048)

    • Creates files in the program directory

      • EXCEL.EXE (PID: 6436)

    • The process uses the downloaded file

      • EXCEL.EXE (PID: 6436)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • EXCEL.EXE (PID: 6436)

    • Reads the machine GUID from the registry

      • rlbwrarhsa.exe (PID: 7136)
      • rlbwrarhsa.exe (PID: 7048)

    • Reads Environment values

      • rlbwrarhsa.exe (PID: 7048)
      • rlbwrarhsa.exe (PID: 7136)

    • Manual execution by a user

      • rlbwrarhsa.exe (PID: 7136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (48)
.xls | Microsoft Excel sheet (alternate) (39.2)

EXIF

FlashPix

Author: Adler
LastModifiedBy: Adler
Software: Microsoft Excel
CreateDate: 2019:12:19 06:27:34
ModifyDate: 2019:12:19 06:52:24
Security: None
CodePage: Windows Latin 1 (Western European)
AppVersion: 14
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Sheet1
  • Sheet2
  • Sheet3
HeadingPairs:
  • Worksheets
  • 3
CompObjUserTypeLen: 31
CompObjUserType: Microsoft Excel 2003 Worksheet
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe rlbwrarhsa.exe rlbwrarhsa.exe

Process information

PID
CMD
Path
Indicators
Parent process
6436"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe.xlsC:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
7048C:\ProgramData\Tdlawis\rlbwrarhsa.exeC:\ProgramData\Tdlawis\rlbwrarhsa.exe
EXCEL.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
rlbwrarhsa
Version:
1.0.0.0
Modules
Images
c:\programdata\tdlawis\rlbwrarhsa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
7136"C:\Users\admin\Desktop\rlbwrarhsa.exe" C:\Users\admin\Desktop\rlbwrarhsa.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
rlbwrarhsa
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\rlbwrarhsa.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
12 451
Read events
12 197
Write events
230
Delete events
24

Modification events

(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:writeName:SessionId
Value:
6C7973CC839C05488143F9C7877D0482
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01D014000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\6436
Operation:writeName:0
Value:
0B0E1042B766CE7E1DF44D8F276D92FB1B9AC6230046B0E89ECA8DD5D0ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511A432D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:writeName:FontInfoCache
Value:
6000000060000000F5FFFFFF0000000000000000000000009001000000000000000000205400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000001B000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF000000000000000000000000BC02000000000000000000205400610068006F006D006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000600000020000000000000000D0000000B000000020000000200000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000002000000000000000100000000D000000030000000300000000000000330000000000000000000000F3FFFFFF000000000000000000000000E803000000000000000000005400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002600000000000000100000000D000000030000000300000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000070000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF0000000000000000000000009001000000000000000000205400610068006F006D00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000001B000000000000000D0000000B000000020000000200000000000000330000000000000000000000F5FFFFFF000000000000000000000000BC02000000000000000000205300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000001C000000000000000D0000000B000000020000000200000000000000330000000000000000000000F1FFFFFF000000000000000000000000900100000000000000000000430061006C0069006200720069000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000001A00000000000000120000000E000000040000000300000000000000330000000000000000000000F3FFFFFF000000000000000000000000BC02000000000000000000005300650067006F006500200055004900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000080000002100000000000000110000000E000000030000000400000000000000330000000000000000000000
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\13886E
Operation:writeName:13886E
Value:
04000000241900005B00000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C0032003600320038006100640039006200650036003200640062003300330062006300630032006400640039003800320064003800300061003700650063003400660066003800340030003300340039006100360035003800370039003500650031003300650066003900360031003100620037003800340065006500660065002E0078006C007300000000001700000043003A005C00550073006500720073005C00610064006D0069006E005C004400650073006B0074006F0070005C000100000000000000608BA4D9A842DB016E8813006E88130000000000E0020000001800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:writeName:ExcelWorkbookOpenedCount
Value:
1
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\13886E
Operation:delete valueName:13886E
Value:

(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery\13886E
Operation:delete keyName:(default)
Value:
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\DocumentRecovery
Operation:delete keyName:(default)
Value:
(PID) Process:(6436) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:delete valueName:m0,
Value:
ね,ᤤ
Executable files
2
Suspicious files
16
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6436EXCEL.EXEC:\ProgramData\Tdlawis\rlbwrarhsa.exeexecutable
MD5:8A1F4A512FE9EDBCC62BA4B1C3E08F0A
SHA256:ECD7D7A27A2A043919A233BB91E3B009C05B7C81FF132A7C29228E1C45D2B6A6
6436EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:69E142B4392B3BE5309E54BCF7E08EE1
SHA256:599E488A1FAFBCB44A142C5BD0476B33F9945CE300B3E88EE97D8265FD115D1B
6436EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Wef\CustomFunctions\v1.7\hostproperties.jsonbinary
MD5:7A29F1E157244591277E3C25F29A8029
SHA256:05EEBA4D6CA7148DCD0A6317A45241A49A4C8D88D628B27D8B19889EF6E70771
6436EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\dictionary_words_bloom_filter.databinary
MD5:A4AF96BCD3EE55F0CB99B37C806A82A5
SHA256:1BE6D822C31EDC308903E04B986F13388B216DB44019E2BCC3C060284B480BA6
6436EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xmltext
MD5:6E777ED8A64C8D314E44C19C1AB6A99A
SHA256:5635FA87DC677DF7B62C190853B41088759C1A5B765C413F6D67142B3B342FBC
6436EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:0B9BE5BFF9DA3354BB1652D50C60E647
SHA256:779F9ACC1C46EB88FC9C50FA94E4B2B1BA147C0506DAA3C06E0A5080FE1C79AE
6436EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe.xls.LNKbinary
MD5:FD5993AC4A5B18B38C05D8911A9A9865
SHA256:D1D0FC4741A8D2CD1B832B419050902214F57B390EAA45138E63E449A5239CA8
6436EXCEL.EXEC:\Users\admin\Documents\VB989C.tmptext
MD5:967A03C2EEF50D0CC8F1A40116D0E06E
SHA256:0CF947D47AEBA73DB43096C6A6E6E778C67E9BCE22927275B136C8D50EC33CB5
6436EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LRH8FI3Y083F2DCWKAAY.tempbinary
MD5:4FCB2A3EE025E4A10D21E1B154873FE2
SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
6436EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L4X06JKGAFDGTCBYICOK.tempbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
30
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
HEAD
200
23.38.80.37:443
https://uci.cdn.office.net/mirrored/smartlookup/current/version.json
unknown
GET
200
52.109.32.97:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
unknown
xml
177 Kb
whitelisted
GET
200
52.111.231.8:443
https://messaging.lifecycle.office.com/getcustommessage16?app=1&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BCE66B742-1D7E-4DF4-8F27-6D92FB1B9AC6%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofaa1msspvo2xw31%22%7D
unknown
text
542 b
whitelisted
GET
200
52.113.194.132:443
https://ecs.office.com/config/v2/Office/excel/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=excel.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bCE66B742-1D7E-4DF4-8F27-6D92FB1B9AC6%7d&LabMachine=false
unknown
binary
370 Kb
whitelisted
GET
200
23.38.80.37:443
https://uci.cdn.office.net/mirrored/smartlookup/current/dictionary_words_bloom_filter.data
unknown
binary
117 Kb
whitelisted
OPTIONS
400
23.38.80.37:443
https://uci.cdn.office.net/mirrored/smartlookup/current/
unknown
xml
297 b
whitelisted
POST
200
13.89.179.13:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
whitelisted
POST
200
20.42.73.24:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
85 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
524
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.182:443
www.bing.com
Akamai International B.V.
GB
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
524
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.133
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.149
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.8
whitelisted
self.events.data.microsoft.com
  • 13.89.179.13
  • 20.42.65.93
whitelisted
uci.cdn.office.net
  • 23.38.80.37
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe