Field | Value
---|---
File name | to_any_run_PowerShall.txt
Full analysis | https://app.any.run/tasks/27f83226-abb2-46b7-a2e4-b3e1268239fc
Verdict | Malicious activity
Analysis date | December 18, 2018, 12:58:20
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | —
MIME | text/plain
File info | ASCII text, with no line terminators
MD5 | B45B8D5FDDCD48E8B62450BCA12613F8
SHA1 | 89AAB9FDD558F22EAAC8490C19E081BCF6B48DBE
SHA256 | EBEC6CB03304E69FA5C76EF37E7252453116A7826EC1AC100859314404B139EA
SSDEEP | 6:oRFe2jIngXIq5lyYjQO0cb2ZzD5vIJSon:oRFjjInwInppcqFVHon

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2760 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe
2724 | "C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe" x -o"C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall" -bd -y "C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip" | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe | — | powershell.exe
3016 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\hsvnoc38.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe
3936 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA9D4.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA9D3.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe
2436 | "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "Tue Dec 18 12:58:53 2018" | C:\Windows\System32\setx.exe | — | powershell.exe
3060 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe
3852 | powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe
3292 | "C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe" x -o"C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall" -bd -y "C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip" | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe | — | powershell.exe
3908 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\v80mf7pe.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe
2664 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES2E17.tmp" "c:\Users\admin\AppData\Local\Temp\CSC2E16.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
2760 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
2724 | admin | Igor Pavlov | MEDIUM | 7-Zip Standalone Console | 0 | 18.05
3016 | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 0 | 8.0.50727.4927 (NetFXspW7.050727-4900)
3936 | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 8.00.50727.4940 (Win7SP1.050727-5400)
2436 | admin | Microsoft Corporation | MEDIUM | Setx - Sets environment variables | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3060 | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | — | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3852 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
3292 | admin | Igor Pavlov | MEDIUM | 7-Zip Standalone Console | 0 | 18.05
3908 | admin | Microsoft Corporation | MEDIUM | Visual C# Command Line Compiler | 0 | 8.0.50727.4927 (NetFXspW7.050727-4900)
2664 | admin | Microsoft Corporation | MEDIUM | Microsoft® Resource File To COFF Object Conversion Utility | 0 | 8.00.50727.4940 (Win7SP1.050727-5400)

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2760 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LMWIRFR2RLNGYOUVBTCE.temp | — | — | —
2724 | 7za.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\init.ps1 | text | D32690E6F05677507BF637E505B38F1A | E8181C626AF782580BDF0083B7C7F3C9B9AED7B4CE9B35362FC101A042BB4905
2724 | 7za.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall.ps1 | text | BA6315B965CD598537CCBCE10E5279CF | 9E5D5358FCE2C06C27A2DD5DAD9ECD921F58E122CD051CFF01723F93E7CBD3BF
2724 | 7za.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1 | text | A33EC0E0467EF4DB75AF97FC74F07D9B | DF18B15F15AFF41697C8C1C2FD9E4DFA14F46F30AC2749292E2AB82B21FABB91
2724 | 7za.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\_rels\.rels | xml | 83C8FF56AAF2B30DD36C1976EB10D8F4 | CCD7F13E7F738D18BE35A7BBF6F9F043F550EDDEF2477726711F0155E95879E7
2760 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2724 | 7za.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.nuspec | xml | EF4F3D93A25A14882B5C2BC265AACB4B | C20DE5F1045EB23F364C38139E4F6D01BFF28D83690AF269D86C7141A61444E6
2760 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF199800.TMP | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2760 | powershell.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip | compressed | 54C5AE123FE526B22C395CFC87AFFA83 | 9EACB90BF8745609875906C8CA5D1DBEDB8BE99FE18D422529908A1F224D681E
2724 | 7za.exe | C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\helpers\chocolateyInstaller.psm1 | text | C182F16ECA18063977C8884F5F45ADCD | 49D809792D9B2C48E62E5940830C6E5563104DB78AECAD36B6A29B17B84C9400

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2760 | powershell.exe | 104.20.73.28:443 | chocolatey.org | Cloudflare Inc | US | shared
3852 | powershell.exe | 104.20.73.28:443 | chocolatey.org | Cloudflare Inc | US | shared

Domain | IP | Reputation
---|---|---
chocolatey.org | — | whitelisted
packages.chocolatey.org | — | suspicious

Process | Message
---|---
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144