| File name: | TriageTest.bat |
| Full analysis: | https://app.any.run/tasks/0b6938cb-4226-4f08-b7b1-7bb4df893cb3 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 08, 2025, 12:00:24 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (411), with CRLF line terminators |
| MD5: | 23F4A4DB0D6DE43634EBA46A4C6992E7 |
| SHA1: | A0D877CD191E041F9F54D8D2C777A5A72385925C |
| SHA256: | D6BC74A7FA74244311895DB679675D0E6EB4C68378613475595A7CD1DD2DF694 |
| SSDEEP: | 48:yfWNFFOurLufL5z09DnQI9J++MTTWMTHWBrN6p:LFF3rK10hnQI9JlGqG2Brop |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 7012)
- powershell.exe (PID: 3100)
Changes the autorun value in the registry
- reg.exe (PID: 2244)
Bypass User Account Control (fodhelper)
- fodhelper.exe (PID: 2420)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7052)
Base64-obfuscated command line is found
- cmd.exe (PID: 7052)
Downloads file from URI via Powershell
- powershell.exe (PID: 7012)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 7052)
Executes script without checking the security policy
- powershell.exe (PID: 3100)
Executable content was dropped or overwritten
- powershell.exe (PID: 7012)
- csc.exe (PID: 6248)
Imports DLL using pinvoke
- powershell.exe (PID: 3100)
CSC.EXE is used to compile C# code
- csc.exe (PID: 6248)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 7052)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 7052)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 7052)
INFO
Disables trace logs
- powershell.exe (PID: 7012)
Checks proxy server information
- powershell.exe (PID: 7012)
- slui.exe (PID: 5596)
Checks supported languages
- csc.exe (PID: 6248)
- cvtres.exe (PID: 4692)
Reads the machine GUID from the registry
- csc.exe (PID: 6248)
Create files in a temporary directory
- cvtres.exe (PID: 4692)
- csc.exe (PID: 6248)
Reads the software policy settings
- slui.exe (PID: 5596)
Reads security settings of Internet Explorer
- fodhelper.exe (PID: 2420)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
138
Monitored processes
15
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 968 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Version: 10.0.19041.3989 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2096 | fodhelper.exe | C:\Windows\System32\fodhelper.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Features On Demand Helper Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2244 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Updater" /d "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache\HeyTriage" /f | C:\Windows\System32\reg.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2420 | "C:\WINDOWS\system32\fodhelper.exe" | C:\Windows\System32\fodhelper.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Features On Demand Helper Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3100 | powershell -NoP -W hidden -Command "Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class AMSI { [DllImport(\"kernel32.dll\")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport(\"kernel32.dll\")] public static extern bool VirtualFree(IntPtr lpAddress, uint dwSize, uint dwFreeType); }'; [AmSI]::new()" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4448 | "C:\WINDOWS\system32\fodhelper.exe" | C:\Windows\System32\fodhelper.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Features On Demand Helper Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4692 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES16A2.tmp" "c:\Users\admin\AppData\Local\Temp\CSC55ECC4BAD9654A8EA221BE861472BC.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 4724 | attrib +h +s "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache" | C:\Windows\System32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5360 | timeout /t 4 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5596 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 203
Read events
16 148
Write events
55
Delete events
0
Modification events
| (PID) Process: | (2244) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Updater |
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache\HeyTriage | |||
| (PID) Process: | (2420) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2420) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (2420) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2420) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (968) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31172733 | |||
| (PID) Process: | (968) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdLow |
Value: | |||
| (PID) Process: | (968) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31172734 | |||
| (PID) Process: | (968) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdLow |
Value: 27757466 | |||
| (PID) Process: | (968) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdLow |
Value: 27914821 | |||
Executable files
2
Suspicious files
2
Text files
8
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7012 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache\HeyTriage | executable | |
MD5:090BC5A664B2714D24D5520FB4469536 | SHA256:05DE6E9D2530D508683F41CE1C7FDFE6041DE637F7E876C69A569EDFFB974560 | |||
| 6248 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC55ECC4BAD9654A8EA221BE861472BC.TMP | binary | |
MD5:9CD6E80E12688A44FDD052F215822ED6 | SHA256:7FD7E5161B1CB0C655CCD783F3BE2B32376425322ABB898EAC8B925A655CA8C5 | |||
| 3100 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0jrgippp.3qr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zvdceaez.s0l.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7012 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pyipgp0h.r4j.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3100 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_utuptizs.kcb.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6248 | csc.exe | C:\Users\admin\AppData\Local\Temp\xt0nez5o.out | text | |
MD5:6A4EBEDA456808E02B400D6CA94E7CDA | SHA256:D1B1407BC0ABA8AAB5C897A51B287D14640BC92C35ED966BB0D014910D08B345 | |||
| 4692 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES16A2.tmp | o | |
MD5:FA6E135A4E155D32E9B65805AEE43256 | SHA256:940724DB2002B469BD17768112B05534ABE190806D0557EE890265B457104579 | |||
| 7012 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:3B11FA600ED0989D4A1E56A13BD91D6B | SHA256:575B59C379BDCC1CFC4D2BBA9A6CB8AFA6C9D169C2E84784E87334CE4D5A684A | |||
| 6248 | csc.exe | C:\Users\admin\AppData\Local\Temp\xt0nez5o.dll | executable | |
MD5:321DFD515E3EB6FF9110BC611CB1553B | SHA256:F1C4601A0B82638ECD8DC3F74F7275AA5AD2F35956A8B9F96A951C622CF1A60C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
24
DNS requests
6
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 404 | 104.86.148.134:443 | https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop | unknown | html | 26 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | GET | 200 | 140.82.121.4:443 | https://raw.githubusercontent.com/XeroxzB/weqeq/main/asdasdasdasdasd.exe | unknown | executable | 3.11 Mb | whitelisted |
— | — | POST | 404 | 2.16.204.155:443 | https://www.bing.com/RelatedSearch?addfeaturesnoexpansion=relatedsearch&mkt=en-US | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
7012 | powershell.exe | 185.199.108.133:443 | raw.githubusercontent.com | FASTLY | US | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4156 | SystemSettings.exe | 2.16.204.134:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4156 | SystemSettings.exe | 104.86.148.134:443 | cxcs.microsoft.net | AKAMAI-AS | DE | whitelisted |
5528 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5596 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
raw.githubusercontent.com |
| whitelisted |
cxcs.microsoft.net |
| whitelisted |
www.bing.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |
— | — | Misc activity | ET HUNTING EXE Downloaded from Github |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |