Random PowerShell scripts in Windows Temp [closed]
I noticed recently that Sysmon logs an event for PowerShell creating a file in the Windows Temp folder.
For example, this is the name of the PS script:
C:\Windows\Temp\xgyxfpqs.ilw.ps1
I would like to know what is the cause of this and especially whether such files are the product of some malicious activity going on. The name pattern is always the same, but the actual characters differ.
I ask because I investigated a similar issue with PS Script Policy Test. However, in that case, you would clearly see '__PSScriptPolicyTest_' in the directory path, which is not present in the above scenario, although it still follows the pattern of 8 chars '.' 3 chars.
Any insights would be useful.
windows powershell malware
closed as unclear what you're asking by Ramhound, fixer1234, Pimp Juice IT, DrMoishe Pippik, VL-80 Dec 9 at 4:11
2
Sounds weird. What does the script do? Have you ever looked inside one? Did you run a full system check with your antivirus software?
– SimonS
Dec 3 at 12:45
Back up your files and assume the worst.
– root
Dec 3 at 18:43
asked Dec 3 at 11:29
secureshell
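A triage sketch for the events described in the question, added here as an example and not part of the original post: it reads Sysmon FileCreate (Event ID 11) records from exported event XML and separates `.ps1` files in a Temp folder by whether their names carry the `__PSScriptPolicyTest_` prefix or only the bare 8-character '.' 3-character pattern. The `<Events>` wrapper, the sample events, the `[a-z0-9]` character set and the label names are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
# "8 chars '.' 3 chars" as described in the question; [a-z0-9] is an assumption.
RANDOM_83 = r"[a-z0-9]{8}\.[a-z0-9]{3}"
POLICY_TEST = re.compile(rf"^__PSScriptPolicyTest_{RANDOM_83}\.ps1$", re.I)
BARE_RANDOM = re.compile(rf"^{RANDOM_83}\.ps1$", re.I)

def classify(target_filename):
    """Label a path by which of the two naming patterns its file name follows."""
    name = target_filename.rsplit("\\", 1)[-1]
    if POLICY_TEST.match(name):
        return "policy-test"
    if BARE_RANDOM.match(name):
        return "bare-random"
    return "other"

def triage(events_xml):
    """Return (Image, TargetFilename, label) per FileCreate of a .ps1 in a Temp folder."""
    rows = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "11":
            continue  # keep only Sysmon FileCreate events
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        target = data.get("TargetFilename", "")
        if "\\temp\\" in target.lower() and target.lower().endswith(".ps1"):
            rows.append((data.get("Image", ""), target, classify(target)))
    return rows

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def _event(event_id, target):
    """Build one constructed sample event (not real log data)."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="Image">{PS}</Data>'
            f'<Data Name="TargetFilename">{target}</Data></EventData></Event>')

# Constructed sample; only the first file name is taken from the question.
SAMPLE = "<Events>" + "".join([
    _event(11, r"C:\Windows\Temp\xgyxfpqs.ilw.ps1"),
    _event(11, r"C:\Windows\Temp\__PSScriptPolicyTest_abcd1234.xyz.ps1"),
    _event(11, r"C:\Windows\Temp\deploy.ps1"),
    _event(23, r"C:\Windows\Temp\qwertyui.abc.ps1"),  # FileDelete, skipped
]) + "</Events>"

if __name__ == "__main__":
    for image, target, label in triage(SAMPLE):
        print(f"{label:12} {target}  (created by {image})")
```

The label only separates the two naming patterns the question contrasts; it says nothing about what created the file or what the file contains.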