File name:

docs 06.02.2021.doc

Full analysis: https://app.any.run/tasks/b510b9f5-7cf0-4101-b3a2-692a0fd1c9e2
Verdict: Malicious activity
Analysis date: July 25, 2024, 13:31:21
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
macros
macros-on-open
maldoc
Indicators:
MIME: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info: Microsoft Word 2007+
MD5:

F08771B9FDFE82CAAA089641E2348C8E

SHA1:

B02C121597C9D56D7FAB76B54834D5F3BD961E8C

SHA256:

CC721111B5924CFEB91440ECACCC60ECC30D10FFFBDAB262F7C0A17027F527D1

SSDEEP:

768:u5WkgUEeFPIlj5oQ0fUDjxXSwU/+BtgKpyAAlQg6DPLFXS:plekVoQTCFmgKpslepC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops known malicious image

      • WINWORD.EXE (PID: 6344)

    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 5436)

    • Opens an HTTP connection (SCRIPT)

      • mshta.exe (PID: 5436)

    • Creates internet connection object (SCRIPT)

      • mshta.exe (PID: 5436)

    • Sends HTTP request (SCRIPT)

      • mshta.exe (PID: 5436)

    • Deletes a file (SCRIPT)

      • mshta.exe (PID: 5436)

    • Unusual execution from MS Office

      • WINWORD.EXE (PID: 6344)

    • Evaluates code at runtime (SCRIPT)

      • mshta.exe (PID: 5436)

  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • WINWORD.EXE (PID: 6344)
      • mshta.exe (PID: 5436)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • mshta.exe (PID: 5436)

    • Likely accesses (executes) a file from the Public directory

      • rundll32.exe (PID: 7412)

  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 2548)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5436)

    • Checks proxy server information

      • mshta.exe (PID: 5436)
      • slui.exe (PID: 2628)

    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 2548)
      • firefox.exe (PID: 7764)
      • firefox.exe (PID: 8024)

    • Application launched itself

      • firefox.exe (PID: 7764)
      • firefox.exe (PID: 8004)
      • firefox.exe (PID: 7616)
      • firefox.exe (PID: 8024)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 7764)

    • Checks supported languages

      • TextInputHost.exe (PID: 7464)

    • Reads the computer name

      • TextInputHost.exe (PID: 7464)

    • Manual execution by a user

      • firefox.exe (PID: 8004)

    • Drops the executable file immediately after the start

      • firefox.exe (PID: 7764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.docm | Word Microsoft Office Open XML Format document (with Macro) (53.6)
.docx | Word Microsoft Office Open XML Format document (24.2)
.zip | Open Packaging Conventions container (18)
.zip | ZIP compressed archive (4.1)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0x3f450766
ZipCompressedSize: 399
ZipUncompressedSize: 1503
ZipFileName: [Content_Types].xml

XML

Template: Normal
TotalEditTime: -
Pages: 1
Words: 2
Characters: 86
Application: Microsoft Office Word
DocSecurity: None
Lines: 3
Paragraphs: 1
ScaleCrop: No
HeadingPairs:
  • Название
  • 1
TitlesOfParts: -
Manager: -
Company: -
LinksUpToDate: No
CharactersWithSpaces: 87
SharedDoc: No
HyperlinksChanged: No
AppVersion: 16
Keywords: -
LastModifiedBy: Пользователь Windows
RevisionNumber: 2
CreateDate: 2021:06:02 10:36:00Z
ModifyDate: 2021:06:02 10:36:00Z
Category: -

XMP

Title: -
Subject: -
Creator: fxnhqeo
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
165
Monitored processes
32
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winword.exe explorer.exe no specs explorer.exe no specs ai.exe no specs mshta.exe no specs slui.exe rundll32.exe no specs textinputhost.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 4 -isForBrowser -prefsHandle 2896 -prefMapHandle 5552 -prefsLen 31207 -prefMapSize 244343 -jsInitHandle 1472 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3daf3131-2fce-4c12-9bed-6433a62beded} 8024 "\\.\pipe\gecko-crash-server-pipe.8024" 1cf6f7f8150 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
888"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4444 -childID 3 -isForBrowser -prefsHandle 4452 -prefMapHandle 4456 -prefsLen 23641 -prefMapSize 240426 -jsInitHandle 1244 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec8e41c7-1f3e-4623-8486-7ada8f97d0fd} 7764 "\\.\pipe\gecko-crash-server-pipe.7764" 191b1457bd0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
892"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 30953 -prefMapSize 244343 -jsInitHandle 1472 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7406958e-de0b-4c11-99f2-4778f2af8da7} 8024 "\\.\pipe\gecko-crash-server-pipe.8024" 1cf6a15d150 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2548C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
2628C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4092"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6536 -childID 7 -isForBrowser -prefsHandle 5544 -prefMapHandle 4840 -prefsLen 31901 -prefMapSize 244343 -jsInitHandle 1472 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {563b78d3-b1fd-42a0-8c8b-a116e75850dc} 8024 "\\.\pipe\gecko-crash-server-pipe.8024" 1cf6a0ea310 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
4708"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3564 -childID 1 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 21575 -prefMapSize 240426 -jsInitHandle 1244 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fe5c800-aae4-478f-b5e4-a403db7c3666} 7764 "\\.\pipe\gecko-crash-server-pipe.7764" 191ad97a4d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
4884"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4712 -parentBuildID 20240213221259 -prefsHandle 4720 -prefMapHandle 4728 -prefsLen 23937 -prefMapSize 240426 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97bc491f-08f6-4f74-85d5-8a21a9e6a3f7} 7764 "\\.\pipe\gecko-crash-server-pipe.7764" 191b0896e10 rddC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
5192"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "820CB557-87D6-4BA6-BFAF-204603675A5D" "B33E0990-1134-4F60-BB56-4CD303FEAE60" "6344"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
5208"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 3 -isForBrowser -prefsHandle 5576 -prefMapHandle 5572 -prefsLen 31207 -prefMapSize 244343 -jsInitHandle 1472 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7817b735-f178-4eeb-8e5a-82449904dff4} 8024 "\\.\pipe\gecko-crash-server-pipe.8024" 1cf6f7f84d0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events
52 995
Read events
52 511
Write events
444
Delete events
40

Modification events

(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:0
Value:
017012000000001000B24E9A3E01000000000000000500000000000000
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete valueName:0
Value:
ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation:delete keyName:(default)
Value:
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6344
Operation:writeName:0
Value:
0B0E105C7EB325041E4243B36FADA4F619FFEB2300469DA89EB4EFD2B7ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511C831D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources
Operation:writeName:UISnapshotLanguages
Value:
de-de;en-us;es-es;fr-fr;it-it;ja-jp;ko-kr;pt-br;ru-ru;tr-tr
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
1
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
1
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
1
(PID) Process:(6344) WINWORD.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
1
Executable files
21
Suspicious files
482
Text files
114
Unknown types
49

Dropped files

PID
Process
Filename
Type
6344WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bintext
MD5:CC90D669144261B198DEAD45AA266572
SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
6344WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$cs 06.02.2021.doc.docmbinary
MD5:A65A1B247C18A8078539CC1447462ECB
SHA256:FF9E1737CF5FAE1FDC9E30641770CF691173225164905B3D6E844C75A11BEC1F
6344WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9binary
MD5:EAE875F5E82E417A0484273DE3BB0C4C
SHA256:AAF75E30E1E7982CA1E007A9F6477C58CD893A296151A802948D3CB1A3B741CB
6344WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:E87B8F2FB9DCE8D1650F3A2868C15ABA
SHA256:6F35E235E860EB86FC7C4985DB4CFDBFA67A6D49D67E56A39535A9D5241E0670
6344WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:8623EA43E99D0E6F2E43563098CDDD02
SHA256:6C5477B538F5E931924766FEE06694C61744DDBBC433223600E2DB179008AF8F
6344WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryRU0419.lextext
MD5:F3B25701FE362EC84616A93A45CE9998
SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
6344WINWORD.EXEC:\Users\admin\AppData\Local\Temp\cab6705.tmpcompressed
MD5:F913DD84915753042D856CEC4E5DABA5
SHA256:AA03AFB681A76C86C1BD8902EE2BBA31A644841CE6BCB913C8B5032713265578
6344WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-msbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
6344WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M6B7CJ9Y1GQDYBKSN79S.tempbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
6344WINWORD.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9der
MD5:4EB8BD2BC530EB9109FF66A5726BF5AD
SHA256:1E8C0410131C5A732C88C64B21E530B5DD17683F07B6E80BB0BD2339B6B1A0F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
58
TCP/UDP connections
212
DNS requests
240
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5272
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5828
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6344
WINWORD.EXE
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
whitelisted
6344
WINWORD.EXE
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
whitelisted
6344
WINWORD.EXE
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
whitelisted
6344
WINWORD.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
6344
WINWORD.EXE
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
6344
WINWORD.EXE
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5832
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.135:443
Akamai International B.V.
GB
unknown
4204
svchost.exe
4.209.32.198:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:138
whitelisted
5368
SearchApp.exe
2.23.209.135:443
Akamai International B.V.
GB
unknown
3952
svchost.exe
239.255.255.250:1900
whitelisted
5368
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
5272
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5272
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.14
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.134
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
go.microsoft.com
  • 2.18.97.227
whitelisted
roaming.officeapps.live.com
  • 52.109.76.243
whitelisted
omex.cdn.office.net
  • 23.48.23.30
  • 23.48.23.66
  • 23.48.23.62
whitelisted

Threats

No threats detected
Process
Message
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
docs 06.02.2021.doc