Random PowerShell scripts in Windows Temp [closed]
I noticed recently that Sysmon logs an event of PowerShell creating a file in the Windows Temp folder.

For example, this is the name of a PS script:

C:\Windows\Temp\xgyxfpqs.ilw.ps1

I would like to know what is the cause of this and especially whether such files are the product of some malicious activity going on. The name pattern is always the same, but the actual characters differ.

I ask because I investigated a similar issue with the PS Script Policy Test. However, in that case you would clearly see '__PSScriptPolicyTest_' in the directory path, which is not present in the above scenario, although it still follows the pattern of 8 chars '.' 3 chars.

Any insights would be useful.
closed as unclear what you're asking by Ramhound, fixer1234, Pimp Juice IT, DrMoishe Pippik, VL-80 Dec 9 at 4:11
tags: windows, powershell, malware
asked Dec 3 at 11:29
secureshell
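Added example (not from the question or its commenters): a Sysmon-based triage script that lists FileCreate events for .ps1 files in C:\Windows\Temp, separates the __PSScriptPolicyTest_ files from the random 8.3-named ones, and shows which process writes them. It assumes Sysmon with FileCreate (Event ID 11) logging enabled and an elevated session on the affected host; the function names are my own.

```powershell
# Added triage helper (not from the question or its comments). Assumes Sysmon is
# installed with FileCreate (Event ID 11) logging enabled, and that this runs in
# an elevated PowerShell session on the host that produced the events.
$TempDir = 'C:\Windows\Temp'

function Get-TempScriptKind {
    # Names like xgyxfpqs.ilw.ps1 have the 8.3 shape produced by
    # [System.IO.Path]::GetRandomFileName(); PowerShell's own policy-test
    # scripts use the same generator but add a fixed prefix.
    param([string]$Leaf)
    if ($Leaf -like '__PSScriptPolicyTest_*.ps1')        { return 'PolicyTest' }
    if ($Leaf -match '^[a-z0-9]{8}\.[a-z0-9]{3}\.ps1$') { return 'Random83' }
    return 'Other'
}

function Get-TempScriptCreateEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11                          # Sysmon FileCreate
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # No matching events simply yields no output.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields are positional in the message; read them by name from the XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $target = $data['TargetFilename']
        if (-not $target -or (Split-Path $target -Parent) -ne $TempDir) { return }
        $leaf = Split-Path $target -Leaf
        if ($leaf -notlike '*.ps1') { return }

        # Temp scripts are often deleted quickly; hash only the ones still on disk.
        $hash = $null
        if (Test-Path -LiteralPath $target) {
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Kind   = Get-TempScriptKind $leaf
            Image  = $data['Image']             # process that created the file
            PID    = $data['ProcessId']
            Target = $target
            SHA256 = $hash
        }
    }
}

# Which process writes the random 8.3 scripts, and how often?
Get-TempScriptCreateEvents -Days 7 | Where-Object Kind -eq 'Random83' |
    Group-Object Image | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Seeing the same signed, expected binary (for example a management agent) as the only Image is the benign case; an unexpected or unsigned creator, or scripts you cannot account for, is what to escalate.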
  • (2) Sounds weird. What does the script do? Have you ever looked inside one? Did you run a full system check with your antivirus software?
    – SimonS
    Dec 3 at 12:45
  • Back up your files and assume the worst.
    – root
    Dec 3 at 18:43