File name:

.docm

Full analysis: https://app.any.run/tasks/21273a2c-5b7f-4aff-adbe-38f9258d00c6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 04, 2024, 07:49:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
macros
macros-on-open
ransomware
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

83854FB53AEF0D0597DF194487F22E64

SHA1:

40A25F83D4F46B2DC146C58BC79A32B0A3AD34E0

SHA256:

3E7E321CA46B1337D69B9D39AD4DC1B268ABB33C9331C06AD07FBB93F29FAB89

SSDEEP:

768:KHcGwQsffnH7G5lN3XJkuin4n56mmuZP3t:K8GwQUH7oFmO6mmqt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 1280)
      • WINWORD.EXE (PID: 2052)
      • WINWORD.EXE (PID: 736)

  • SUSPICIOUS

    • Creates files like ransomware instruction

      • WINWORD.EXE (PID: 2356)

    • Creates file in the systems drive root

      • WINWORD.EXE (PID: 2356)

  • INFO

    • An automatically generated document

      • WINWORD.EXE (PID: 1280)

    • Creates files in the program directory

      • DWWIN.EXE (PID: 5316)
      • DWWIN.EXE (PID: 1452)
      • DWWIN.EXE (PID: 2888)

    • Reads Microsoft Office registry keys

      • DWWIN.EXE (PID: 1452)
      • DWWIN.EXE (PID: 5316)
      • msedge.exe (PID: 2008)
      • msedge.exe (PID: 2868)
      • DWWIN.EXE (PID: 2888)

    • Checks proxy server information

      • DWWIN.EXE (PID: 2888)
      • DWWIN.EXE (PID: 1452)
      • DWWIN.EXE (PID: 5316)

    • Manual execution by a user

      • WINWORD.EXE (PID: 2052)
      • WINWORD.EXE (PID: 2356)
      • WINWORD.EXE (PID: 5332)
      • WINWORD.EXE (PID: 736)

    • Reads the software policy settings

      • DWWIN.EXE (PID: 5316)
      • DWWIN.EXE (PID: 1452)
      • DWWIN.EXE (PID: 2888)

    • Checks supported languages

      • identity_helper.exe (PID: 6148)

    • Application launched itself

      • msedge.exe (PID: 2008)
      • msedge.exe (PID: 2868)

    • Reads the computer name

      • identity_helper.exe (PID: 6148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x8da2e8cf
ZipCompressedSize: 516
ZipUncompressedSize: 2527
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 58
Characters: 333
Application: Microsoft Office Word
DocSecurity: None
Lines: 2
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 390
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
LastModifiedBy: Михаил
RevisionNumber: 2
CreateDate: 2022:10:23 11:21:00Z
ModifyDate: 2022:10:23 11:21:00Z
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
35
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe dwwin.exe winword.exe ai.exe no specs winword.exe dwwin.exe winword.exe dwwin.exe winword.exe ai.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
480"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4504 --field-trial-handle=2064,i,9456008185544465820,3146261400959103737,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
736"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1280"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1452C:\WINDOWS\system32\dwwin.exe -x -s 4600C:\Windows\System32\DWWIN.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Error Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwwin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wer.dll
c:\windows\system32\version.dll
c:\windows\system32\ucrtbase.dll
1700"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x268,0x26c,0x270,0x264,0x178,0x7ffd93515fd8,0x7ffd93515fe4,0x7ffd93515ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2008"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/p/?linkID=2185272C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2052"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
2176"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2672 --field-trial-handle=2064,i,9456008185544465820,3146261400959103737,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2220"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2792 --field-trial-handle=2508,i,991440940585912615,16456310471635468276,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2356"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
Total events
86 509
Read events
85 549
Write events
844
Delete events
116

Modification events

(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1280
Operation:writeName:0
Value:
0B0E10ABFF810CD73D874BB942F12C649FB5CE230046A5F0DCD0EABCB3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511800AD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:UISnapshotLanguages
Value:
de-de;en-us;es-es;fr-fr;it-it;ja-jp;ko-kr;pt-br;ru-ru;tr-tr
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
1
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
1
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
1
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
1
Executable files
6
Suspicious files
189
Text files
87
Unknown types
15

Dropped files

PID
Process
Filename
Type
5316DWWIN.EXEC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_3fa78d8334cb8c44aa2ed19faafaec1a7ab7346_00000000_d0d4a410-e087-4de6-ac42-8e9d4413ae92\Report.wer
MD5:
SHA256:
1280WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmabr
MD5:A091DB2F6C65350B5FAE6BED7A23FF4F
SHA256:5A64E55392B7EAA669E608908A034D7826A7B9230ABC362C0B3ED5955D18E322
1280WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm.LNKbinary
MD5:3A3AFF1882C5EBC38A3454D97737DAB7
SHA256:C8AF0584A4A46CE859D4720C41760EE95B6E1238D62BE539C52C7AE0EE4FFAFC
5316DWWIN.EXEC:\ProgramData\Microsoft\Windows\WER\Temp\WER6B9.tmp.WERInternalMetadata.xmlxml
MD5:F2B7E67964271EA9301BBA4A048436DB
SHA256:76C3611291A86B97EB90D900EE67DB236D2C8075BE7AED0BC819ADE20E3A9348
5332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Diagnostics\WINWORD\App1720079384801109700_AA1E6058-9AA1-4F1E-8A80-A5DD4B4247E9.log
MD5:
SHA256:
1280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:2D506154298193F7A743F02858FBA9E6
SHA256:F101D658647DCAA545039EDFB1C026B47B573C1EB6596A0C4C7B4DF1E4A7AA66
5332WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.jsonbinary
MD5:E4E83F8123E9740B8AA3C3DFA77C1C04
SHA256:6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31
1280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRF{B0567BF5-33A3-4092-9433-59FB313B4CFB}.tmpbinary
MD5:09F0005BFA77A5073A929C28F967DC6A
SHA256:079AC0730D32E2EBDBBC49268AC3EBF6417A9D85C02B82B7D3D095DBFACB166D
5332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\B1C1235D.tmpbinary
MD5:1370F724DF95100E8E431D27EA9A627A
SHA256:CF7D625ECB1FF75AA2064FF24129F4768CC2853D7046AE9FC6CB40CBAAE0A314
1280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{F46C80B6-5439-418E-9355-D6FE1EE54446}.tmpbinary
MD5:2AD4F2EBC929B36895E72F27EFCC8701
SHA256:C3F87B55C62D2A6F782D6146717757EA5404F321221B4A143C82BC6B44C5251F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
97
TCP/UDP connections
123
DNS requests
44
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4448
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
2272
RUXIMICS.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
GET
23.48.23.30:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
unknown
unknown
444
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
444
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2272
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
4448
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
GET
204.79.197.239:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
unknown
GET
301
null:443
https://go.microsoft.com/fwlink/p/?linkID=2185272
unknown
unknown
GET
23.48.23.30:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4448
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2272
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
444
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
1280
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
4448
svchost.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
444
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
4448
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5316
DWWIN.EXE
20.189.173.20:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.97
  • 2.16.164.18
  • 2.16.164.81
  • 2.16.164.43
  • 23.48.23.156
  • 23.48.23.143
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
  • 13.89.179.12
  • 20.189.173.21
whitelisted
omex.cdn.office.net
  • 104.124.11.8
  • 104.124.11.10
  • 23.48.23.18
  • 23.48.23.30
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.2
  • 13.69.239.74
whitelisted
messaging.lifecycle.office.com
  • 52.111.243.12
whitelisted
metadata.templates.cdn.office.net
  • 2.17.100.210
  • 2.17.100.200
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.