File name:

to_any_run_PowerShall.txt

Full analysis: https://app.any.run/tasks/495ec796-bbe6-4d44-8955-170281d73ffa
Verdict: Malicious activity
Analysis date: December 18, 2018, 12:59:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: B45B8D5FDDCD48E8B62450BCA12613F8
SHA1: 89AAB9FDD558F22EAAC8490C19E081BCF6B48DBE
SHA256: EBEC6CB03304E69FA5C76EF37E7252453116A7826EC1AC100859314404B139EA
SSDEEP: 6:oRFe2jIngXIq5lyYjQO0cb2ZzD5vIJSon:oRFjjInwInppcqFVHon

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2564)
    • Application was dropped or rewritten from another process

      • 7za.exe (PID: 3404)
      • choco.exe (PID: 1028)
  • SUSPICIOUS

    • Creates files in the program directory

      • choco.exe (PID: 1028)
      • powershell.exe (PID: 3472)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3472)
      • 7za.exe (PID: 3404)
    • Creates files in the user directory

      • powershell.exe (PID: 3472)
  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 3472)
No Malware configuration.
No data.
Total processes
42
Monitored processes
9
Malicious processes
2
Suspicious processes
1

Behavior graph

[Behavior graph. Processes: notepad.exe (no specs), cmd.exe, powershell.exe, 7za.exe, csc.exe, cvtres.exe (no specs), setx.exe (no specs), setx.exe (no specs), choco.exe (no specs). Edge labels: start, drop and start, drop and start.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1028
CMD: "C:\ProgramData\chocolatey\choco.exe" -v
Path: C:\ProgramData\chocolatey\choco.exe
Parent process: powershell.exe
User:
admin
Company:
Chocolatey Software, Inc.
Integrity Level:
HIGH
Description:
chocolatey
Exit code:
0
Version:
0.10.11.0
Modules
Images
c:\programdata\chocolatey\choco.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2564
CMD: "C:\Windows\System32\cmd.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2824
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESD3D2.tmp" "c:\Users\admin\AppData\Local\Temp\CSCD3D1.tmp"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
PID: 3328
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\to_any_run_PowerShall.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3376
CMD: "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "Tue Dec 18 13:00:36 2018"
Path: C:\Windows\System32\setx.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setx - Sets environment variables
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\setx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3404
CMD: "C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe" x -o"C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall" -bd -y "C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip"
Path: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe
Parent process: powershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
18.05
Modules
Images
c:\users\admin\appdata\local\temp\chocolatey\chocinstall\7za.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 3472
CMD: powershell.exe -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3652
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\e3lqincx.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3828
CMD: "C:\Windows\System32\setx.exe" ChocolateyLastPathUpdate "Tue Dec 18 13:00:37 2018"
Path: C:\Windows\System32\setx.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setx - Sets environment variables
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\setx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
343
Read events
262
Write events
81
Delete events
0

Modification events

(PID) Process: (3472) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (3472) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation: write
Name: FileTracingMask
Value: 4294901760
Executable files
38
Suspicious files
4
Text files
129
Unknown types
0

Dropped files

PID: 3472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\78H6MJZN5PKIMR07P7DB.temp
Type:
MD5:
SHA256:

PID: 3472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5:
SHA256:

PID: 3472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19c431.TMP
Type: binary
MD5:
SHA256:

PID: 3472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\7za.exe
Type: executable
MD5: 744D0E63BCB20438DD3EFCD764503490
SHA256: 77613CCA716EDF68B9D5BAB951463ED7FADE5BC0EC465B36190A76299C50F117

PID: 3404
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall.ps1
Type: text
MD5: BA6315B965CD598537CCBCE10E5279CF
SHA256: 9E5D5358FCE2C06C27A2DD5DAD9ECD921F58E122CD051CFF01723F93E7CBD3BF

PID: 3404
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateysetup.psm1
Type: text
MD5: A33EC0E0467EF4DB75AF97FC74F07D9B
SHA256: DF18B15F15AFF41697C8C1C2FD9E4DFA14F46F30AC2749292E2AB82B21FABB91

PID: 3404
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\_rels\.rels
Type: xml
MD5: 83C8FF56AAF2B30DD36C1976EB10D8F4
SHA256: CCD7F13E7F738D18BE35A7BBF6F9F043F550EDDEF2477726711F0155E95879E7

PID: 3404
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\init.ps1
Type: text
MD5: D32690E6F05677507BF637E505B38F1A
SHA256: E8181C626AF782580BDF0083B7C7F3C9B9AED7B4CE9B35362FC101A042BB4905

PID: 3404
Process: 7za.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\tools\chocolateyInstall\choco.exe
Type: executable
MD5: 153D260471A77E4BED99282C2E99F415
SHA256: 56DE89FF2B4712B7515D333189782E4C3FC3EBCF9F4BABEC7D1D0DC586F7826D

PID: 3472
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\chocolatey\chocInstall\chocolatey.zip
Type: compressed
MD5: 54C5AE123FE526B22C395CFC87AFFA83
SHA256: 9EACB90BF8745609875906C8CA5D1DBEDB8BE99FE18D422529908A1F224D681E
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

No HTTP requests

Connections

PID: 3472
Process: powershell.exe
IP: 104.20.74.28:443
Domain: chocolatey.org
ASN: Cloudflare Inc
CN: US
Reputation: shared

DNS requests

Domain: chocolatey.org
IP: 104.20.74.28, 104.20.73.28
Reputation: whitelisted

Domain: packages.chocolatey.org
IP: 104.20.74.28, 104.20.73.28
Reputation: suspicious

Threats

No threats detected
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144