File name:

.docm

Full analysis: https://app.any.run/tasks/21273a2c-5b7f-4aff-adbe-38f9258d00c6
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: July 04, 2024, 07:49:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
macros
macros-on-open
ransomware
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

83854FB53AEF0D0597DF194487F22E64

SHA1:

40A25F83D4F46B2DC146C58BC79A32B0A3AD34E0

SHA256:

3E7E321CA46B1337D69B9D39AD4DC1B268ABB33C9331C06AD07FBB93F29FAB89

SSDEEP:

768:KHcGwQsffnH7G5lN3XJkuin4n56mmuZP3t:K8GwQUH7oFmO6mmqt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 1280)
      • WINWORD.EXE (PID: 736)
      • WINWORD.EXE (PID: 2052)

  • SUSPICIOUS

    • Creates files like ransomware instruction

      • WINWORD.EXE (PID: 2356)

    • Creates file in the systems drive root

      • WINWORD.EXE (PID: 2356)

  • INFO

    • An automatically generated document

      • WINWORD.EXE (PID: 1280)

    • Checks proxy server information

      • DWWIN.EXE (PID: 5316)
      • DWWIN.EXE (PID: 2888)
      • DWWIN.EXE (PID: 1452)

    • Reads the software policy settings

      • DWWIN.EXE (PID: 5316)
      • DWWIN.EXE (PID: 2888)
      • DWWIN.EXE (PID: 1452)

    • Creates files in the program directory

      • DWWIN.EXE (PID: 5316)
      • DWWIN.EXE (PID: 2888)
      • DWWIN.EXE (PID: 1452)

    • Reads Microsoft Office registry keys

      • DWWIN.EXE (PID: 2888)
      • msedge.exe (PID: 2008)
      • DWWIN.EXE (PID: 1452)
      • msedge.exe (PID: 2868)
      • DWWIN.EXE (PID: 5316)

    • Manual execution by a user

      • WINWORD.EXE (PID: 5332)
      • WINWORD.EXE (PID: 2052)
      • WINWORD.EXE (PID: 2356)
      • WINWORD.EXE (PID: 736)

    • Application launched itself

      • msedge.exe (PID: 2008)
      • msedge.exe (PID: 2868)

    • Checks supported languages

      • identity_helper.exe (PID: 6148)

    • Reads the computer name

      • identity_helper.exe (PID: 6148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x8da2e8cf
ZipCompressedSize: 516
ZipUncompressedSize: 2527
ZipFileName: [Content_Types].xml

XML

Template: Normal.dotm
TotalEditTime: -
Pages: 1
Words: 58
Characters: 333
Application: Microsoft Office Word
DocSecurity: None
Lines: 2
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 390
SharedDoc: No
HyperlinksChanged: No
AppVersion: 14
LastModifiedBy: Михаил
RevisionNumber: 2
CreateDate: 2022:10:23 11:21:00Z
ModifyDate: 2022:10:23 11:21:00Z
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
35
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe dwwin.exe winword.exe ai.exe no specs winword.exe dwwin.exe winword.exe dwwin.exe winword.exe ai.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
480"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4504 --field-trial-handle=2064,i,9456008185544465820,3146261400959103737,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
736"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1280"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1452C:\WINDOWS\system32\dwwin.exe -x -s 4600C:\Windows\System32\DWWIN.EXE
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Error Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dwwin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wer.dll
c:\windows\system32\version.dll
c:\windows\system32\ucrtbase.dll
1700"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x268,0x26c,0x270,0x264,0x178,0x7ffd93515fd8,0x7ffd93515fe4,0x7ffd93515ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2008"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/p/?linkID=2185272C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2052"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
4
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
2176"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2672 --field-trial-handle=2064,i,9456008185544465820,3146261400959103737,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2220"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2792 --field-trial-handle=2508,i,991440940585912615,16456310471635468276,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2356"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm" /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
Total events
86 509
Read events
85 549
Write events
844
Delete events
116

Modification events

(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\1280
Operation:writeName:0
Value:
0B0E10ABFF810CD73D874BB942F12C649FB5CE230046A5F0DCD0EABCB3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511800AD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:UISnapshotLanguages
Value:
de-de;en-us;es-es;fr-fr;it-it;ja-jp;ko-kr;pt-br;ru-ru;tr-tr
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
1
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
1
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
1
(PID) Process:(1280) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
1
Executable files
6
Suspicious files
189
Text files
87
Unknown types
15

Dropped files

PID
Process
Filename
Type
5316DWWIN.EXEC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WINWORD.EXE_3fa78d8334cb8c44aa2ed19faafaec1a7ab7346_00000000_d0d4a410-e087-4de6-ac42-8e9d4413ae92\Report.wer
MD5:
SHA256:
1280WINWORD.EXEC:\Users\admin\Desktop\~$273a2c-5b7f-4aff-adbe-38f9258d00c6.docmabr
MD5:8227591168E28B7C9D795B126C25EE3B
SHA256:F416ADE83B1687DF99D61E4A7FBBC6E2A9216E273D198DCB1D0886644E0D5E82
1280WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmabr
MD5:A091DB2F6C65350B5FAE6BED7A23FF4F
SHA256:5A64E55392B7EAA669E608908A034D7826A7B9230ABC362C0B3ED5955D18E322
1280WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:36488CE229E9580AE409DFBCDB3BA8F9
SHA256:5B76684375BD2CC0779F70B64DE28C1B48942265F2ED4D5CD104FCD6C1DC78D3
5332WINWORD.EXEC:\Users\admin\AppData\Local\Temp\Diagnostics\WINWORD\App1720079384801109700_AA1E6058-9AA1-4F1E-8A80-A5DD4B4247E9.log
MD5:
SHA256:
1280WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\21273a2c-5b7f-4aff-adbe-38f9258d00c6.docm.LNKbinary
MD5:3A3AFF1882C5EBC38A3454D97737DAB7
SHA256:C8AF0584A4A46CE859D4720C41760EE95B6E1238D62BE539C52C7AE0EE4FFAFC
1280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:2D506154298193F7A743F02858FBA9E6
SHA256:F101D658647DCAA545039EDFB1C026B47B573C1EB6596A0C4C7B4DF1E4A7AA66
5316DWWIN.EXEC:\ProgramData\Microsoft\Windows\WER\Temp\WER6B9.tmp.WERInternalMetadata.xmlxml
MD5:F2B7E67964271EA9301BBA4A048436DB
SHA256:76C3611291A86B97EB90D900EE67DB236D2C8075BE7AED0BC819ADE20E3A9348
5316DWWIN.EXEC:\ProgramData\Microsoft\Windows\WER\Temp\WER6E9.tmp.xmlxml
MD5:2E716686329066A2AD52E420BA10519F
SHA256:B031FC8F77D61846AEEBF6CCF785C534577A6BEB139AFBEB5AB66CAD3D37889A
1280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{981B25CD-CC40-493B-BEEE-CB930443845F}.tmpbinary
MD5:830FBF83999E052538EAF156AB6ECB17
SHA256:D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
97
TCP/UDP connections
123
DNS requests
44
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4448
svchost.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
2272
RUXIMICS.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
444
MoUsoCoreWorker.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
GET
23.48.23.30:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
unknown
4448
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
444
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2272
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
GET
23.48.23.30:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
unknown
GET
204.79.197.239:443
https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0
unknown
GET
301
null:443
https://go.microsoft.com/fwlink/p/?linkID=2185272
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4448
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2272
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
444
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
1280
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
unknown
4448
svchost.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
444
MoUsoCoreWorker.exe
2.16.164.72:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
4448
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5316
DWWIN.EXE
20.189.173.20:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
crl.microsoft.com
  • 2.16.164.72
  • 2.16.164.97
  • 2.16.164.18
  • 2.16.164.81
  • 2.16.164.43
  • 23.48.23.156
  • 23.48.23.143
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
watson.events.data.microsoft.com
  • 20.189.173.20
  • 13.89.179.12
  • 20.189.173.21
whitelisted
omex.cdn.office.net
  • 104.124.11.8
  • 104.124.11.10
  • 23.48.23.18
  • 23.48.23.30
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.2
  • 13.69.239.74
whitelisted
messaging.lifecycle.office.com
  • 52.111.243.12
whitelisted
metadata.templates.cdn.office.net
  • 2.17.100.210
  • 2.17.100.200
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.