File name: poc.exe
Full analysis: https://app.any.run/tasks/1794de99-63a9-4b87-baa6-ad99af4dfb99
Verdict: Malicious activity
Analysis date: January 06, 2025, 14:53:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 8A159707810806A8FAEF802D10036883
SHA1: EF4BA8EEF919251F7502C7E66926BB3A5422065B
SHA256: 0D610A6E7CBAFE1D18A51A06CB154A95D40278E3AC01A7440BFF1886E73ED93A
SSDEEP: 1536:SFrl2r0h+o0u6J94JJF9xMMePQ6iGih/tka6Qn+b3FZM:gTwo5I8JF9xePLfih/tka6Qn+b3bM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • poc.exe (PID: 3540)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4544)
    • Starts Visual C# compiler

      • powershell.exe (PID: 4544)
  • SUSPICIOUS

    • The process executes Powershell scripts

      • poc.exe (PID: 3540)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Starts POWERSHELL.EXE for commands execution

      • poc.exe (PID: 3540)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 4544)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4144)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 4144)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 4544)
  • INFO

    • Checks supported languages

      • poc.exe (PID: 3540)
      • cvtres.exe (PID: 2380)
    • Create files in a temporary directory

      • poc.exe (PID: 3540)
    • The process uses the downloaded file

      • powershell.exe (PID: 4544)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4544)
    • UPX packer has been detected

      • poc.exe (PID: 3540)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Disables trace logs

      • powershell.exe (PID: 4544)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 4144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.1)
.dll | Win32 Dynamic Link Library (generic) (15.5)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:01 20:22:18+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 45056
InitializedDataSize: 69632
UninitializedDataSize: 131072
EntryPoint: 0x2b050
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 129
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent/child relationships listed under Process information below ("no specs" is the sandbox's label for a process with no indicators of its own):

explorer.exe
  poc.exe (PID 3540, high integrity)
    powershell.exe (PID 4544)
      conhost.exe (PID 2928, no specs)
      csc.exe (PID 4144)
        cvtres.exe (PID 2380, no specs)
  poc.exe (PID 3612, medium integrity, no specs; exited with 0xC000042C, STATUS_ELEVATION_REQUIRED)
svchost.exe
  TiWorker.exe (PID 5540, SYSTEM, no specs; Windows servicing activity, not started by the sample)

Process information

PID 2380: cvtres.exe (parent: csc.exe)
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA694.tmp" "c:\Users\admin\AppData\Local\Temp\z2yp2uus\CSCF7EFD871330C474AA7598B2163C89624.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 2928: conhost.exe (parent: powershell.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3540: poc.exe (parent: explorer.exe)
CMD: "C:\Users\admin\Desktop\poc.exe"
Path: C:\Users\admin\Desktop\poc.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\poc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID 3612: poc.exe (parent: explorer.exe)
CMD: "C:\Users\admin\Desktop\poc.exe"
Path: C:\Users\admin\Desktop\poc.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance stopped because the executable requires elevation; the instance that actually ran, PID 3540, is the high-integrity one)
Modules
Images
c:\users\admin\desktop\poc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 4144: csc.exe (parent: powershell.exe)
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\z2yp2uus\z2yp2uus.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Note: a random-named directory under %TEMP% holding a .cmdline response file, with cvtres.exe as a child, is the compiler invocation PowerShell's Add-Type issues when a script carries C# source; the resulting z2yp2uus.dll is listed under Dropped files.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 4544: powershell.exe (parent: poc.exe)
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Temp\6312.tmp\6313.tmp\6314.ps1
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Note: the command line names the System32 host, but the 32-bit sample is redirected to the 32-bit PowerShell under SysWOW64 by WOW64 file system redirection. The captured "–NoProfile" switch uses an en dash; PowerShell accepts en and em dashes as the parameter dash, so the switch still takes effect, but a detection that matches only the ASCII "-NoProfile" will miss it.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 5540: TiWorker.exe (parent: svchost.exe)
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 27 266
Read events: 27 249
Write events: 17
Delete events: 0

Modification events

powershell.exe (PID 4544), key HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
  write ExecutionPolicy = Bypass
  This value is the CurrentUser-scope execution policy. The -ExecutionPolicy Bypass switch on the command line affects only that process; a value written here comes from the script itself (Set-ExecutionPolicy with -Scope CurrentUser or an equivalent registry write) and survives after the process exits. On a suspected host, Get-ExecutionPolicy -List shows whether it is still set.

TiWorker.exe (PID 5540), key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  write SessionIdHigh = 31154250
  write SessionIdLow (no value recorded)
  Servicing bookkeeping by a SYSTEM process started from svchost.exe; not attributable to the sample.

powershell.exe (PID 4544), key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
  write EnableFileTracing = 0
  write EnableAutoFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask (no value recorded)
  write ConsoleTracingMask (no value recorded)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing
  These are the default values Windows creates under the Tracing key the first time a process loads the RAS API library, typically because a networking component such as WinInet or WinHTTP pulled it in. They are what the "Disables trace logs" indicator above refers to; on their own they show only that the script touched networking APIs, not that it tampered with logging.
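Detection logic for the chain this report shows (poc.exe starting powershell.exe with -ExecutionPolicy Bypass -File on a script under %TEMP%, PowerShell then compiling C# through csc.exe and cvtres.exe, and the CurrentUser ExecutionPolicy value being written), as an added example that is not part of the ANY.RUN report. It runs over constructed Sysmon-style events whose PIDs, images and command lines are taken from the report; the Sysmon field names, explorer.exe's PID (1120) and the two benign control events are assumptions. It normalises the en dash the sandbox captured in the PowerShell command line before matching, since PowerShell accepts Unicode dashes as the parameter prefix.

```python
"""Detection pass over Sysmon-style process-creation (EventID 1) and registry
value-set (EventID 13) events for the behaviour chain in this report.

Added example, not part of the ANY.RUN report. The events below are
constructed: PIDs, images and command lines come from the report, the field
names follow the Sysmon schema, and explorer.exe's PID (1120) and the two
benign control events are assumed values.
"""
import re

POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"

# The report captured "–NoProfile" with an en dash (U+2013); reproduced here.
PS_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "\u2013NoProfile -ExecutionPolicy Bypass -File "
    r"C:\Users\admin\AppData\Local\Temp\6312.tmp\6313.tmp\6314.ps1"
)

EVENTS = [
    {"EventID": 1, "ProcessId": 3540, "ParentProcessId": 1120,
     "Image": r"C:\Users\admin\Desktop\poc.exe",
     "CommandLine": r'"C:\Users\admin\Desktop\poc.exe"'},
    {"EventID": 1, "ProcessId": 4544, "ParentProcessId": 3540,
     "Image": POWERSHELL, "CommandLine": PS_CMDLINE},
    {"EventID": 13, "ProcessId": 4544, "Image": POWERSHELL,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy",
     "Details": "Bypass"},
    {"EventID": 1, "ProcessId": 4144, "ParentProcessId": 4544, "Image": CSC,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\z2yp2uus\z2yp2uus.cmdline"'},
    {"EventID": 1, "ProcessId": 2380, "ParentProcessId": 4144, "Image": CVTRES,
     "CommandLine": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA694.tmp"'},
    # Constructed benign controls (assumed): an admin script outside %TEMP%
    # and a build-server compile; neither should fire.
    {"EventID": 1, "ProcessId": 6001, "ParentProcessId": 1120, "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -ep bypass -File C:\Scripts\deploy.ps1"},
    {"EventID": 1, "ProcessId": 6002, "ParentProcessId": 1120,
     "Image": r"C:\Program Files\dotnet\MSBuild.exe", "CommandLine": "MSBuild.exe build.proj"},
    {"EventID": 1, "ProcessId": 6003, "ParentProcessId": 6002, "Image": CSC,
     "CommandLine": r'csc.exe /noconfig @"C:\src\obj\app.rsp"'},
]

# PowerShell accepts the en dash, em dash and horizontal bar as the parameter
# dash, so fold them to "-" before matching.
DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# -ExecutionPolicy may be abbreviated (-ex, -exec, ...) and -ep also works.
EP_BYPASS = re.compile(r"-(?:ex\w*|ep)\s+(?:bypass|unrestricted)\b", re.I)
SCRIPT_ARG = re.compile(r"-f\w*\s+\"?([^\"\s]+\.ps1)", re.I)
BUILD_TOOLS = {"csc.exe", "cvtres.exe"}


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, procs):
    """Image names from pid upward (self first) as far as we have events."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(image_name(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


def detect(events):
    """Return (rule, pid, ancestry) tuples for the three behaviours seen here."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        pid = e["ProcessId"]
        if e["EventID"] == 1:
            name = image_name(e["Image"])
            cmd = e["CommandLine"].translate(DASHES)
            # 1. powershell.exe with a bypassed policy running a script from %TEMP%
            if name == "powershell.exe" and EP_BYPASS.search(cmd):
                m = SCRIPT_ARG.search(cmd)
                if m and TEMP_DIR.search(m.group(1)):
                    alerts.append(("ps_bypass_temp_script", pid, ancestry(pid, procs)))
            # 2. csc.exe / cvtres.exe anywhere below a PowerShell process (Add-Type)
            elif name in BUILD_TOOLS:
                chain = ancestry(pid, procs)
                if "powershell.exe" in chain[1:]:
                    alerts.append(("powershell_csc_compile", pid, chain))
        # 3. CurrentUser-scope execution policy persisted as Bypass/Unrestricted
        elif e["EventID"] == 13:
            key = e["TargetObject"].lower()
            if (key.endswith(r"\shellids\microsoft.powershell\executionpolicy")
                    and e["Details"].lower() in ("bypass", "unrestricted")):
                alerts.append(("executionpolicy_bypass_persisted", pid, ancestry(pid, procs)))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(EVENTS):
        print(f"{rule:34s} pid={pid:<5d} {' <- '.join(chain)}")
```

Rule 2 on its own is noisy on developer machines, where Add-Type is routine; what makes this sample stand out is the combination with rule 1 (script under %TEMP%) and the persisted CurrentUser policy, so an alert should require the ancestry to lead back to the same unsigned parent, as it does here.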
Executable files: 1
Suspicious files: 3
Text files: 22
Unknown types: 0

Dropped files

poc.exe (PID 3540)
  C:\Users\admin\AppData\Local\Temp\6312.tmp\6313.tmp\6314.ps1 (text)
    MD5: 315F561E0CDDE12F8160D1B30904E618
    SHA256: 6FA92AA4BB222560805392DA26E21A4F6CC3CA0F2B89E75CF18A89D93F36505D
    The script the sample hands to powershell.exe (PID 4544); the primary artifact to retrieve from the full report.

powershell.exe (PID 4544)
  C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Download.txt (text)
    MD5: 11F7FB30162E252103C325B40E902B20
    SHA256: 40420C947F287FA5D48877663372929BAB0F1D4D09D21D3CEF0CA25B94FFB95F
  C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Document.txt (text)
    MD5: A72741D749BB9FEF5D41AD0278AD2CF4
    SHA256: BEBBB81732ADCCE5315A6AF2B86567A675F0DBE2EB61EE5771BB51DA0C8F4E24
  C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Info.txt (text)
    MD5: 9DC1C75B233F59F060F000A098E28397
    SHA256: 7A11D21AC22777C1310FF5FAA9F3FBFD28610976AF37A31E736997D8383B4D07
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pl1o2hfr.rka.psm1 (text)
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ulkog00e.32g.psm1 (text)
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eeo5e0vl.25c.ps1 (text)
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1mm1nqgr.npd.ps1 (text)
    MD5 (all four): D17FE0A3F47BE24A6453E9EF58C94641
    SHA256 (all four): 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
    Written by PowerShell itself at startup to probe whether AppLocker/WDAC script enforcement applies (this decides its language mode); identical content every time, not part of the payload.

csc.exe (PID 4144)
  C:\Users\admin\AppData\Local\Temp\z2yp2uus\z2yp2uus.dll (executable)
    MD5: D694F64B65093D5F2934897A983F617E
    SHA256: ABE3153F4D41D2BABF17F5FEAB995C67AEB6F382511BC794A2E404001DEC20CA
    The assembly compiled from C# source carried by the script (the Add-Type pattern: random-named directory under %TEMP%, a .cmdline response file, csc.exe followed by cvtres.exe); this is the "Executable content was dropped or overwritten" indicator, and the second artifact worth retrieving.

TiWorker.exe (PID 5540)
  C:\Windows\Logs\CBS\CBS.log (text)
    MD5: 1CCAC55D067751E21DDFCA71DE9E9148
    SHA256: 9151FD00D5F822CEEB93278473EE66714DDDAC2977F54D4744238C19D1799B07
    Component Based Servicing log; background Windows activity.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
18
DNS requests
9
Threats
0

HTTP requests

PID / Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(no PID recorded) | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3416 svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
(no PID recorded) | GET | 302 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409 | unknown | | |
(no PID recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/providers.masterList.feed.swidtag | unknown | xml | 1.80 Kb |
(no PID recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/nuget-2.8.5.208.package.swidtag | unknown | xml | 822 b | whitelisted
(no PID recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/ChocolateyPrototype-2.8.5.130.package.swidtag | unknown | xml | 847 b | whitelisted
(no PID recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/psl-1.0.0.210.package.swidtag | unknown | xml | 858 b | whitelisted

The CRL fetches by svchost.exe and MoUsoCoreWorker.exe are Windows background traffic. No PID is recorded in this summary for the go.microsoft.com and onegetcdn.azureedge.net rows, but the Connections table attributes a go.microsoft.com connection to powershell.exe (PID 4544), and fwlink 627338 followed by the providers.masterList and package swidtag files is the sequence PowerShell's PackageManagement module uses to bootstrap the NuGet provider. That is consistent with the script calling a package-management cmdlet on a host without the provider installed rather than with a second-stage download from attacker infrastructure; confirm against the PCAP in the full report.

Connections

PID / Process | IP | Domain | ASN | CN | Reputation
(no PID recorded) | 192.168.100.255:137 | | | | unknown
4712 MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3416 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID recorded) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 System | 192.168.100.255:138 | | | | whitelisted
4712 MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3416 svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3416 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4544 powershell.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted

Only the last row belongs to the sample's process tree. The rest are telemetry, CRL fetches and NetBIOS broadcasts from background processes (MoUsoCoreWorker.exe, svchost.exe, System) that the sandbox records alongside the sample; the summary lists 18 TCP/UDP connections in total, so the full report should be consulted before treating this list as complete.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.158
  • 23.48.23.166
  • 23.48.23.159
  • 23.48.23.145
  • 23.48.23.176
  • 23.48.23.180
  • 23.48.23.183
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
onegetcdn.azureedge.net
  • 152.199.19.161
whitelisted
self.events.data.microsoft.com
  • 20.189.173.27
whitelisted

Threats

No threats detected
No debug info