File name: poc.exe
Full analysis: https://app.any.run/tasks/1794de99-63a9-4b87-baa6-ad99af4dfb99
Verdict: Malicious activity
Analysis date: January 06, 2025, 14:53:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 8A159707810806A8FAEF802D10036883
SHA1: EF4BA8EEF919251F7502C7E66926BB3A5422065B
SHA256: 0D610A6E7CBAFE1D18A51A06CB154A95D40278E3AC01A7440BFF1886E73ED93A
SSDEEP: 1536:SFrl2r0h+o0u6J94JJF9xMMePQ6iGih/tka6Qn+b3FZM:gTwo5I8JF9xePLfih/tka6Qn+b3bM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • poc.exe (PID: 3540)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4544)
    • Starts Visual C# compiler

      • powershell.exe (PID: 4544)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • poc.exe (PID: 3540)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4544)
    • The process executes Powershell scripts

      • poc.exe (PID: 3540)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 4544)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4144)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 4144)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 4544)
  • INFO

    • Checks supported languages

      • poc.exe (PID: 3540)
      • cvtres.exe (PID: 2380)
    • Create files in a temporary directory

      • poc.exe (PID: 3540)
    • UPX packer has been detected

      • poc.exe (PID: 3540)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 4544)
    • Disables trace logs

      • powershell.exe (PID: 4544)
    • The process uses the downloaded file

      • powershell.exe (PID: 4544)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 4144)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.1)
.dll | Win32 Dynamic Link Library (generic) (15.5)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:01 20:22:18+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 45056
InitializedDataSize: 69632
UninitializedDataSize: 131072
EntryPoint: 0x2b050
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 129
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: poc.exe, powershell.exe, conhost.exe (no specs), tiworker.exe (no specs), csc.exe, cvtres.exe (no specs), poc.exe (no specs)

Process information

PID 2380: cvtres.exe (parent process: csc.exe)
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA694.tmp" "c:\Users\admin\AppData\Local\Temp\z2yp2uus\CSCF7EFD871330C474AA7598B2163C89624.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 2928: conhost.exe (parent process: powershell.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 3540: poc.exe (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\poc.exe"
Path: C:\Users\admin\Desktop\poc.exe
User: admin
Integrity level: HIGH
Modules (images):
c:\users\admin\desktop\poc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID 3612: poc.exe (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\poc.exe"
Path: C:\Users\admin\Desktop\poc.exe
User: admin
Integrity level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance exited because the binary requests elevation; the instance that actually ran is PID 3540 at HIGH integrity)
Modules (images):
c:\users\admin\desktop\poc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID 4144: csc.exe (parent process: powershell.exe)
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\z2yp2uus\z2yp2uus.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 4544: powershell.exe (parent process: poc.exe)
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –NoProfile -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Temp\6312.tmp\6313.tmp\6314.ps1
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
User: admin
Company: Microsoft Corporation
Integrity level: HIGH
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID 5540: TiWorker.exe (parent process: svchost.exe)
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity level: SYSTEM
Description: Windows Modules Installer Worker
Exit code: 0
Version: 10.0.19041.3989 (WinBuild.160101.0800)
Modules (images):
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
Total events: 27 266
Read events: 27 249
Write events: 17
Delete events: 0

Modification events

PID 4544 powershell.exe, write: key HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, name ExecutionPolicy, value Bypass
PID 5540 TiWorker.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing, name SessionIdHigh, value 31154250
PID 5540 TiWorker.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing, name SessionIdLow, value (not recorded)
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name EnableFileTracing, value 0
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name EnableAutoFileTracing, value 0
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name EnableConsoleTracing, value 0
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name FileTracingMask, value (not recorded)
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name ConsoleTracingMask, value (not recorded)
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name MaxFileSize, value 1048576
PID 4544 powershell.exe, write: key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32, name FileDirectory, value %windir%\tracing
Executable files: 1
Suspicious files: 3
Text files: 22
Unknown types: 0

Dropped files

PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Download.txt (text)
  MD5: 11F7FB30162E252103C325B40E902B20
  SHA256: 40420C947F287FA5D48877663372929BAB0F1D4D09D21D3CEF0CA25B94FFB95F
PID 4544 powershell.exe: C:\Windows\edc2tocq.nm1.ps1 (text)
  MD5: 75ED6F6A8E6245971BFD6D888F0B608F
  SHA256: 39694103F8D50723CE4C7075C52658A5BB0E216AFA19493040E22728072AEB42
PID 3540 poc.exe: C:\Users\admin\AppData\Local\Temp\6312.tmp\6313.tmp\6314.ps1 (text)
  MD5: 315F561E0CDDE12F8160D1B30904E618
  SHA256: 6FA92AA4BB222560805392DA26E21A4F6CC3CA0F2B89E75CF18A89D93F36505D
PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\NetAda.txt (text)
  MD5: B4DA798C9B69B5AC48D5A3564E75C994
  SHA256: 9D9F4336E266801AFFFF0253C561A393B26438E83D475D4076EADE36DFDD136A
PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eeo5e0vl.25c.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 5540 TiWorker.exe: C:\Windows\Logs\CBS\CBS.log (text)
  MD5: 1CCAC55D067751E21DDFCA71DE9E9148
  SHA256: 9151FD00D5F822CEEB93278473EE66714DDDAC2977F54D4744238C19D1799B07
PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\z2yp2uus\z2yp2uus.0.cs (text)
  MD5: A29444398AC9A819C5D208948B81A14C
  SHA256: F447865E0C75B6C39BECAB9B9527FCC583DEF24C18A66CC815A9419F375DDC11
PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Document.txt (text)
  MD5: A72741D749BB9FEF5D41AD0278AD2CF4
  SHA256: BEBBB81732ADCCE5315A6AF2B86567A675F0DBE2EB61EE5771BB51DA0C8F4E24
PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Desktop.txt (text)
  MD5: C53DDDCF9F7E3E3B4D3753EBC9433948
  SHA256: FC0D7F6018B8C6C7DCA4518CDCD6A93F7AEF3A7C71C8D7495C4A903AC71EE07C
PID 4544 powershell.exe: C:\Users\admin\AppData\Local\Temp\jntfqzqa.2wh\Ip.txt (text)
  MD5: F877232612D0D04F0DCD3A884E34CF10
  SHA256: C9F8897E9A8A1B3E7DBC8D8D6B7D08F2539AFB7E5354AB8E45B062AA545B4472
HTTP(S) requests: 8
TCP/UDP connections: 18
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3416 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
(not recorded) | (not recorded) | GET | 302 | 184.30.21.171:443 | https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409 | unknown | - | - | unknown
(not recorded) | (not recorded) | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
(not recorded) | (not recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/psl-1.0.0.210.package.swidtag | unknown | xml | 858 b | whitelisted
(not recorded) | (not recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/providers.masterList.feed.swidtag | unknown | xml | 1.80 Kb | unknown
(not recorded) | (not recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/nuget-2.8.5.208.package.swidtag | unknown | xml | 822 b | whitelisted
(not recorded) | (not recorded) | GET | 200 | 152.199.19.161:443 | https://onegetcdn.azureedge.net/providers/ChocolateyPrototype-2.8.5.130.package.swidtag | unknown | xml | 847 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not recorded) | (not recorded) | 192.168.100.255:137 | - | - | - | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3416 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not recorded) | (not recorded) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3416 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3416 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4544 | powershell.exe | 184.28.89.167:443 | go.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain | resolved IPs | Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.158
  • 23.48.23.166
  • 23.48.23.159
  • 23.48.23.145
  • 23.48.23.176
  • 23.48.23.180
  • 23.48.23.183
  • 23.48.23.147
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
onegetcdn.azureedge.net
  • 152.199.19.161
whitelisted
self.events.data.microsoft.com
  • 20.189.173.27
whitelisted

Threats

No threats detected
No debug info