| File name: | TriageTest.bat |
| Full analysis: | https://app.any.run/tasks/3b138724-a285-470f-a8ea-8c0dc0b184ac |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 08, 2025, 12:04:55 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (411), with CRLF line terminators |
| MD5: | 23F4A4DB0D6DE43634EBA46A4C6992E7 |
| SHA1: | A0D877CD191E041F9F54D8D2C777A5A72385925C |
| SHA256: | D6BC74A7FA74244311895DB679675D0E6EB4C68378613475595A7CD1DD2DF694 |
| SSDEEP: | 48:yfWNFFOurLufL5z09DnQI9J++MTTWMTHWBrN6p:LFF3rK10hnQI9JlGqG2Brop |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 5576)
- powershell.exe (PID: 6060)
Changes the autorun value in the registry
- reg.exe (PID: 6644)
Bypass User Account Control (fodhelper)
- fodhelper.exe (PID: 1180)
SUSPICIOUS
Base64-obfuscated command line is found
- cmd.exe (PID: 900)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 900)
Downloads file from URI via Powershell
- powershell.exe (PID: 5576)
Executable content was dropped or overwritten
- powershell.exe (PID: 5576)
- csc.exe (PID: 1284)
Imports DLL using pinvoke
- powershell.exe (PID: 6060)
Executes script without checking the security policy
- powershell.exe (PID: 6060)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 900)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 900)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 900)
Uses ATTRIB.EXE to modify file attributes
- cmd.exe (PID: 900)
CSC.EXE is used to compile C# code
- csc.exe (PID: 1284)
INFO
Disables trace logs
- powershell.exe (PID: 5576)
Checks proxy server information
- powershell.exe (PID: 5576)
Reads the machine GUID from the registry
- csc.exe (PID: 1284)
Reads security settings of Internet Explorer
- fodhelper.exe (PID: 1180)
Create files in a temporary directory
- cvtres.exe (PID: 4008)
- csc.exe (PID: 1284)
Checks supported languages
- cvtres.exe (PID: 4008)
- csc.exe (PID: 1284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
143
Monitored processes
14
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 900 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\TriageTest.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9009 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1180 | "C:\WINDOWS\system32\fodhelper.exe" | C:\Windows\System32\fodhelper.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Features On Demand Helper Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1244 | C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding | C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Modules Installer Worker Version: 10.0.19041.3989 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1284 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\e11j2z3f.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 1512 | attrib +h +s "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache\HeyTriage" | C:\Windows\System32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3900 | "C:\WINDOWS\system32\fodhelper.exe" | C:\Windows\System32\fodhelper.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Features On Demand Helper Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4008 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESFF13.tmp" "c:\Users\admin\AppData\Local\Temp\CSCCCA75D0B20E14A8083A7DD9583A41FB1.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 4304 | fodhelper.exe | C:\Windows\System32\fodhelper.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Features On Demand Helper Exit code: 3221226540 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4464 | attrib +h +s "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache" | C:\Windows\System32\attrib.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5072 | timeout /t 4 | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
12 184
Read events
12 145
Write events
39
Delete events
0
Modification events
| (PID) Process: | (6644) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Updater |
Value: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache\HeyTriage | |||
| (PID) Process: | (1180) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (1180) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (1180) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1180) fodhelper.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (1244) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdHigh |
Value: 31172734 | |||
| (PID) Process: | (1244) TiWorker.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing |
| Operation: | write | Name: | SessionIdLow |
Value: | |||
Executable files
2
Suspicious files
1
Text files
8
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6060 | powershell.exe | C:\Users\admin\AppData\Local\Temp\e11j2z3f.cmdline | text | |
MD5:C7BFF818DEC0CDB7F3C603FF65FCE382 | SHA256:— | |||
| 1244 | TiWorker.exe | C:\Windows\Logs\CBS\CBS.log | text | |
MD5:B79EC92992F03EABF14A25C3BB23C654 | SHA256:— | |||
| 4008 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESFF13.tmp | o | |
MD5:2DD1B57AF82B8B2018096AE26FFF3F20 | SHA256:— | |||
| 6060 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gteoczfz.0hr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1284 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCCCA75D0B20E14A8083A7DD9583A41FB1.TMP | res | |
MD5:08E6B73A5DA3A3495690AD9A9396BD2F | SHA256:— | |||
| 6060 | powershell.exe | C:\Users\admin\AppData\Local\Temp\e11j2z3f.0.cs | text | |
MD5:09050F724FAAF96509F92B75620778F8 | SHA256:DE22EC9D7205D293CD3238859BF94416E87D93D1DA421F3E4112830A05106BA5 | |||
| 5576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Themes\Cache\HeyTriage | executable | |
MD5:090BC5A664B2714D24D5520FB4469536 | SHA256:05DE6E9D2530D508683F41CE1C7FDFE6041DE637F7E876C69A569EDFFB974560 | |||
| 5576 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_05mflhty.nuh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5576 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:6B7733D6DFFBA5E1BA4EB697302C9B7D | SHA256:— | |||
| 5576 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_53nzwpjz.a0d.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
14
DNS requests
6
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/XeroxzB/weqeq/main/asdasdasdasdasd.exe | unknown | executable | 3.11 Mb | whitelisted |
— | — | POST | 404 | 2.16.204.152:443 | https://www.bing.com/RelatedSearch?addfeaturesnoexpansion=relatedsearch&mkt=en-US | unknown | — | — | whitelisted |
— | — | GET | 404 | 104.86.148.134:443 | https://cxcs.microsoft.net/api/settings/en-US/xml/settings-tipset?release=20h1&sku=Professional&platform=desktop | unknown | html | 26 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
668 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5096 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5576 | powershell.exe | 185.199.111.133:443 | raw.githubusercontent.com | FASTLY | US | unknown |
5096 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
4156 | SystemSettings.exe | 2.23.227.221:443 | www.bing.com | Ooredoo Q.S.C. | QA | unknown |
4156 | SystemSettings.exe | 23.215.18.136:443 | cxcs.microsoft.net | Akamai International B.V. | US | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| unknown |
settings-win.data.microsoft.com |
| unknown |
raw.githubusercontent.com |
| unknown |
cxcs.microsoft.net |
| unknown |
www.bing.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |
— | — | Misc activity | ET HUNTING EXE Downloaded from Github |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET HUNTING EXE Downloaded from Github |