File name:

Mshounia_ Payroll_memo.docx

Full analysis: https://app.any.run/tasks/4d980fae-fc7d-4fb6-a877-d9f7da985709
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:24:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
qrcode
phishing
phish-url
susp-redirect
qr-redirect
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

D7C9A614712A4F61109F19F4322EB501

SHA1:

8841A68E1C4F60621C8F0F2D7CF6BC1EEF774BDD

SHA256:

B818D9B19CBE8B4F04C4F3A8C2D71C37856F8A82EE7DA389714AF19FA2FFF587

SSDEEP:

1536:6gaWGbygdZT4Gq+PWTOGcUuSrfzIftENki5M8l9wCcme1ppDV3qTxOG5ulw:sWGuEZT4QPWT9vuszIVlswv55xqTPT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Suspicious URL found

      • WINWORD.EXE (PID: 3736)
    • QR code contains URL with email

      • WINWORD.EXE (PID: 3736)
  • SUSPICIOUS

    • Detected QR code with redirect chain

      • WINWORD.EXE (PID: 3736)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:07:30 13:39:48
ZipCRC: 0xd8108942
ZipCompressedSize: 346
ZipUncompressedSize: 1371
ZipFileName: [Content_Types].xml

XML

TotalEditTime: -
Pages: -
Words: -
Characters: -
Application: Microsoft Office Word
DocSecurity: None
Lines: -
Paragraphs: -
ScaleCrop: No
Company: -
LinksUpToDate: No
CharactersWithSpaces: -
SharedDoc: No
HyperlinksChanged: No
AppVersion: 12
RevisionNumber: -
No data.
All screenshots are available in the full report
Total processes
139
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Processes shown: winword.exe (start), ai.exe (no specs), slui.exe (no specs)

Process information

PID: 760
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "2A83243B-0C24-4952-BE9C-E6A9C3DB6BFD" "EDB66D87-44AA-4555-B91C-880B5C2D41FC" "3736"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Indicators: -
Parent process: WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
PID: 3736
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Mshounia_ Payroll_memo.docx" /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Indicators: -
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
PID: 4724
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: -
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 117
Read events
7 045
Write events
58
Delete events
14

Modification events

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation: write
Name: SessionId
Value: 95AAF6E1BBB45440B6B30777CF5F8137

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\2200
Operation: delete value
Name: 0
Value: (binary data, not rendered in this export)

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\WINWORD\2200
Operation: delete key
Name: (default)
Value: -

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3736
Operation: write
Name: 0
Value: 0B0E10ABABEE7BE4BF704F8C0C4BFB1D97485D230046EFD4F7CCC8D480EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511981DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Resiliency\StartupItems
Operation: write
Name: /-3
Value: 2F2D3300980E0000040000000000000032CCD489A402DC018C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000B24E9A3E02000000000000000600000000000000

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\3736
Operation: write
Name: 0
Value: 0B0E10ABABEE7BE4BF704F8C0C4BFB1D97485D230046EFD4F7CCC8D480EE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511981DD2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: en-US
Value: 2

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: de-de
Value: 2

(PID) Process: (3736) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write
Name: fr-fr
Value: 2
Executable files
0
Suspicious files
7
Text files
1
Unknown types
2

Dropped files

PID | Process | Filename | Type

3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S | binary
MD5: C29F168EEB3B37E3F80CA6F1FEC65B0B
SHA256: B60C7AFB1BF21277ED51600EBCAA460150F7AA91F2A6BDECF0625574DBD69CE7

3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$hounia_ Payroll_memo.docx | pgc
MD5: BD1DFDD25E6B9D418E45E090784D53AF
SHA256: 8E9CA2250E023039F3E3071CCEF5E6E91E002AE33F2FD567A3180588541B9D9E

3736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 51AE169E550E0A891FF1054EFEAA90E0
SHA256: 44836A1C5313AF5782327F856B1D59B582009A32869607D39B2927A5BE84B18E

3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary
MD5: 46980C2C54C1F7F63F4A9EDC5F3AA317
SHA256: 122FC019DA71C2258DB77B6A71370E1F756AC51418B7D530CA2C560888CC53C6

3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres | binary
MD5: A656056355A256F1C0A574148A9629A3
SHA256: BD7E7F6682B6F848F9D8D4AC3015F219E296E47338EDB43D094FCBA8C4C0BBF4

3736 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres | binary
MD5: A290007376557C508DCB12487C27A51F
SHA256: FC024044BAA5205DE845E85C4AFEC1524B7B19B8D8B53FC7CA2EFD73449C4101

3736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text
MD5: F3B25701FE362EC84616A93A45CE9998
SHA256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

3736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms | binary
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

3736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XRKPOKEWP4PSH7PRU6QA.temp | binary
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

3736 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF18f48c.TMP | binary
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
142
DNS requests
11
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
472 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3736 | WINWORD.EXE | 52.109.76.240:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6024 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3736 | WINWORD.EXE | 23.32.238.155:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted
3736 | WINWORD.EXE | 52.123.129.14:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
omex.cdn.office.net
  • 23.32.238.155
  • 23.32.238.120
  • 2.19.198.51
  • 2.19.198.73
  • 23.32.238.89
  • 2.19.198.58
  • 2.19.198.40
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
messaging.lifecycle.office.com
  • 52.111.231.8
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
  • 20.189.173.24
whitelisted
metadata.templates.cdn.office.net
  • 95.100.158.105
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.