
Windows Analysis Report
cacaduk.captcha.ps1

Overview

General Information

Sample name: cacaduk.captcha.ps1
Analysis ID: 1603242
MD5: 2ce909baa390d7c43462bdb42aebc0a2
SHA1: 9f09538159e42c6d932335a33d8b9d520983f03a
SHA256: d109c3b246d193f8d28790f60bfd461dad0b05a61084b8243c721d66d7bbdf80
Tags: ps1, user-ttakvam

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
.NET source code contains potential unpacker
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Yara signature match

Classification

  • System is w10x64
  • powershell.exe (PID: 4672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 3716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dllhost.exe (PID: 3060 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
    • powershell.exe (PID: 5236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 4676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5240 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source / Rule / Description / Author / Strings
Source: 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 4672 | Rule: JoeSecurity_CosturaAssemblyLoader | Description: Yara detected Costura Assembly Loader | Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 4672 | Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen | Strings:
      • 0xade2b:$b2: ::FromBase64String(
      • 0x252270:$b2: ::FromBase64String(
      • 0xadd60:$s1: -join
      • 0x1008d5:$s1: -join
      • 0x1057cf:$s1: -join
      • 0x18996f:$s1: -join
      • 0x1f28f9:$s1: -join
      • 0x1ff9ce:$s1: -join
      • 0x202da0:$s1: -join
      • 0x203452:$s1: -join
      • 0x204f43:$s1: -join
      • 0x207149:$s1: -join
      • 0x207970:$s1: -join
      • 0x2081e0:$s1: -join
      • 0x20891b:$s1: -join
      • 0x20894d:$s1: -join
      • 0x208995:$s1: -join
      • 0x2089b4:$s1: -join
      • 0x209204:$s1: -join
      • 0x209380:$s1: -join
      • 0x2093f8:$s1: -join

      System Summary

Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", ProcessId: 4672, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", ProcessId: 4672, ProcessName: powershell.exe
      No Suricata rule has matched

      AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 87.0% probability
Source: unknown | HTTPS traffic detected: 104.17.150.117:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.91.155.176:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: global traffic | HTTP traffic detected: GET /file_premium/9nj120vuey1opz8/nlhg.dat/file HTTP/1.1 | Host: www.mediafire.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3qvlkD504kEwIarskdv2X8_xiKJjCd7GVjuqTDvbEPvjWPOM9Liqzc0M7mxj9EpM90Fujuzlcx1Vq4uQNleRRabBdzy6DUskN3cm1vmhQ6M/9nj120vuey1opz8/nlhg.dat HTTP/1.1 | Host: download2435.mediafire.com | Cookie: ukey=gr35u6ruedi4zo8hggaiez99hwlcnrco; __cf_bm=pj0uFzDW3TmiCknk4Y.f2SEpT6S.LqoGiIlS4mBJkiM-1738258576-1.0.1.1-riKv5V.D02cEEd6Gq0eDEgwBzIpfaPv8T7GXwQHUqvztvVE5uhq.KoP8bFKMTWvQR.6iw0e0n7ad00axpHl1Vg | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.17.150.117
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: www.mediafire.com
Source: global traffic | DNS traffic detected: DNS query: download2435.mediafire.com
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://download2435.mediafire.com
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://download2435.mediafire.com/ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mediafire.com
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file1HLfsLMqRXkC
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704

      System Summary

Source: Process Memory Space: powershell.exe PID: 4672, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4672, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine | Classification label: mal68.evad.winPS1@23/5@2/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Nxqwwly
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3716:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl2tilnw.dou.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cdp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dsreg.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: cacaduk.captcha.ps1 | Static file information: File size 1226553 > 1048576

      Data Obfuscation

Source: 0.2.powershell.exe.1ec0de70538.0.raw.unpack, Tfayc.cs | .Net Code: Xyzuqb System.AppDomain.Load(byte[])
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($BXJgbZVOGLekF));$iVLughHMB = $pabFAJblcCcgwbwViPHqz.GetBytes($EeRUCaaYUYmMCDll);$nMXISOyZwPncbGv = $(for ($VEdYERmlkFFUloexW = 0; $VEdYERmlkFFUloexW -lt $iVLughHMB.length; ) {for ($P
Source: Yara match | File source: 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 4672, type: MEMORYSTR
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4832
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5020
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532 Thread sleep time: -3689348814741908s >= -30000s
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
MITRE ATT&CK matrix, one line per tactic (a number in parentheses is the count of matching signatures; techniques without a number were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Software Packing (2); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1603242, sample: cacaduk.captcha.ps1, start date: 30/01/2025, architecture: WINDOWS, score: 68); the graph image is not reproduced here, the recoverable nodes are:

Sample-level signatures: Malicious sample detected (through community Yara rule); .NET source code contains potential unpacker; Joe Sandbox ML detected suspicious sample; Yara detected Costura Assembly Loader
Contacted domains: www.mediafire.com; download2435.mediafire.com
Process started from the sample: powershell.exe
Network connections from powershell.exe: download2435.mediafire.com, 199.91.155.176, port 443 from local port 49705, MEDIAFIREUS, United States; www.mediafire.com, 104.17.150.117, port 443 from local port 49704, CLOUDFLARENETUS, United States
Signatures on powershell.exe: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Found suspicious powershell code related to unpacking or dynamic code loading
Child processes of powershell.exe: conhost.exe; dllhost.exe; powershell.exe; 9 other processes

Antivirus detection (Source / Detection / Scanner):
cacaduk.captcha.ps1: 6% (Virustotal)
cacaduk.captcha.ps1: 5% (ReversingLabs)
No Antivirus matches for the remaining scanned categories
Domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):
download2435.mediafire.com: 199.91.155.176, active: true, malicious: false, reputation: high
www.mediafire.com: 104.17.150.117, active: true, malicious: false, reputation: high
URLs (Name / Malicious / Antivirus Detection / Reputation):
https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file: malicious: false, reputation: high
https://download2435.mediafire.com/ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3qvlkD504kEwIarskdv2X8_xiKJjCd7GVjuqTDvbEPvjWPOM9Liqzc0M7mxj9EpM90Fujuzlcx1Vq4uQNleRRabBdzy6DUskN3cm1vmhQ6M/9nj120vuey1opz8/nlhg.dat: malicious: false, reputation: high
URLs found in memory (Name / Source / Malicious / Antivirus Detection / Reputation):
http://nuget.org/NuGet.exe (source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://stackoverflow.com/q/14436606/23354 (source: powershell.exe, 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
http://pesterbdd.com/images/Pester.png (source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
http://www.apache.org/licenses/LICENSE-2.0.html (source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://contoso.com/ (source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://nuget.org/nuget.exe (source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://contoso.com/License (source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://download2435.mediafire.com (source: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://www.mediafire.com/file_premium/9nj120vuey1opz8/nlhg.dat/file1HLfsLMqRXkC (source: powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://contoso.com/Icon (source: powershell.exe, 00000000.00000002.2513143838.000001EC1909D000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://www.mediafire.com (sources: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.2300786531.000001EC0DBCF000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://download2435.mediafire.com/ivou5d4z1okgY7G9-wWN3TreftR5k-fPDqyNSgwUys4njCcxM1O2fV1SeluA0Htg3 (sources: powershell.exe, 00000000.00000002.2300786531.000001EC0DEA5000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000000.00000002.2300786531.000001EC0DEA1000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://aka.ms/pscore68 (source: powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (source: powershell.exe, 00000000.00000002.2300786531.000001EC08981000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
https://github.com/Pester/Pester (source: powershell.exe, 00000000.00000002.2300786531.000001EC0D922000.00000004.00000800.00020000.00000000.sdmp): malicious: false, reputation: high
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
104.17.150.117: www.mediafire.com, United States, ASN 13335 CLOUDFLARENETUS, malicious: false
199.91.155.176: download2435.mediafire.com, United States, ASN 46179 MEDIAFIREUS, malicious: false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1603242
Start date and time: 2025-01-30 18:35:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 25s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cacaduk.captcha.ps1
Detection: MAL
Classification: mal68.evad.winPS1@23/5@2/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .ps1
• Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Timeline (Time / Type / Description):
12:36:02 API Interceptor: 1x Sleep call for process: dllhost.exe modified
12:36:07 API Interceptor: 102x Sleep call for process: powershell.exe modified
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6222
Entropy (8bit): 3.704236064752253
Encrypted: false
SSDEEP: 48:KhTDTjPB6sCJCIRbU2K+5XEukvhkvklCywfn2GhGalzCSogZo+mhGal/CSogZo61:GtbeCLoHkvhkvCCtdhGadH2hGa5HB
MD5: 9D10FD492A757B194BDA4B31341B996A
SHA1: E7995CAC8A1E4B8D92964C9964C6F49F83CEEBD1
SHA-256: F8B673D516C522DD42D902159235A0A7D61E6BA2E600D496433A2B72CB78B93F
SHA-512: 8EEB65A935A2FD50B8A31467BE021679115C324E3F43B26B0B5D2FE65AF0AF183A8FA51CA5CB11D5CC1C16C491538F1F4F72078A01AA4F8FBF004C1F96AD8E7B
Malicious: false
Preview: (binary data; the report's hex preview is not reproduced here)
                                            File type:ASCII text, with very long lines (1169), with CRLF line terminators
                                            Entropy (8bit):5.955894474253898
                                            TrID:
                                              File name:cacaduk.captcha.ps1
                                              File size:1'226'553 bytes
                                              MD5:2ce909baa390d7c43462bdb42aebc0a2
                                              SHA1:9f09538159e42c6d932335a33d8b9d520983f03a
                                              SHA256:d109c3b246d193f8d28790f60bfd461dad0b05a61084b8243c721d66d7bbdf80
                                              SHA512:14716ee50cda2d01bb0a3ccedc068100d83ddb5dbcc806a18389f5669b845f43663f7a3be3e9502dc57b9c303c4bc29d2392b9b558f853fdb59b62f006ab8fa0
                                              SSDEEP:6144:hrMriMri9riKrilrivri4riMriwrizriBriNripri0risriArikriMri9ri/riR:3R03MG9Rla4EQJx15R0WR
                                              TLSH:0345049DF68847F949596BDC8387B9CE135055BB0ABB520496E0D2AE3D0DE173A30E3C
                                              File Content Preview:$txoiHDeiAnkjE = 86..$gJStovzpoU = ((((12+32*20))+(29+9+(10+8-8))-12-17+49-(199)))..$VckypWjMobDEOxpXpDc = $gJStovzpoU..$wnjciwaDStpCohFMuwRP = 643..$pIdXOIAXAMrjCHYKXMxAh = (((43*44*9)*3-4*1*((47-32+29))*((27-18+25))-(44732)))..$GeWFMwHibZdWpUctlTva = $g
                                              Icon Hash:3270d6baae77db44
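The File Content Preview above shows how the script hides its integer constants: each value is wrapped in nested arithmetic (`((((12+32*20))+(29+9+(10+8-8))-12-17+49-(199)))`) or copied from another variable. The Python below is an added example, not part of the sandbox report or of the sample, that resolves such constants statically, without running any PowerShell. It parses each right-hand side with Python's `ast` module (PowerShell and Python share the syntax for integer `+ - *` and parentheses) and refuses anything that is not a pure integer expression. The sample text is the preview's complete statements; the truncated last statement is left out rather than guessed. The function names `safe_int_eval`, `resolve_constants` and `deobfuscate` are the example's own.

```python
import ast
import operator
import re

# Constructed input: the complete statements from the report's File Content
# Preview. The ".." in the preview is a CRLF rendered as dots; here it is a
# real line break. The truncated final statement is deliberately omitted.
SAMPLE = """$txoiHDeiAnkjE = 86
$gJStovzpoU = ((((12+32*20))+(29+9+(10+8-8))-12-17+49-(199)))
$VckypWjMobDEOxpXpDc = $gJStovzpoU
$wnjciwaDStpCohFMuwRP = 643
$pIdXOIAXAMrjCHYKXMxAh = (((43*44*9)*3-4*1*((47-32+29))*((27-18+25))-(44732)))
"""

ASSIGN_RE = re.compile(r'^\$(\w+)\s*=\s*(.+?)\s*$', re.M)
ARITH_RE = re.compile(r'^[\d\s()+*-]+$')      # digits, parentheses, + - * only
ALIAS_RE = re.compile(r'^\$(\w+)$')            # "$a = $b" style copies

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_int_eval(expr: str) -> int:
    """Evaluate an integer expression built from literals, parentheses and + - *.

    Names, calls, attributes and floats raise ValueError, so this never turns
    into eval() of attacker-controlled text.
    """
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"unsupported syntax: {ast.dump(node)}")

    if not ARITH_RE.match(expr):
        raise ValueError("not a pure arithmetic expression")
    return walk(ast.parse(expr, mode="eval"))


def resolve_constants(script_text: str) -> dict:
    """Map variable names to resolved integers, following "$a = $b" aliases.

    Assignments are processed in source order, as PowerShell executes them; an
    alias to a not-yet-resolved variable, or a non-arithmetic right-hand side,
    is skipped rather than guessed.
    """
    resolved = {}
    for name, rhs in ASSIGN_RE.findall(script_text):
        alias = ALIAS_RE.match(rhs)
        if alias:
            if alias.group(1) in resolved:
                resolved[name] = resolved[alias.group(1)]
            continue
        try:
            resolved[name] = safe_int_eval(rhs)
        except (ValueError, SyntaxError):
            continue                              # not a constant expression
    return resolved


def deobfuscate(script_text: str) -> str:
    """Rewrite every resolvable assignment as '$name = <int>' for readability."""
    consts = resolve_constants(script_text)

    def repl(m):
        name = m.group(1)
        return f"${name} = {consts[name]}" if name in consts else m.group(0)

    return ASSIGN_RE.sub(repl, script_text)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run against the preview text this yields `$gJStovzpoU = 521`, `$VckypWjMobDEOxpXpDc = 521` and `$pIdXOIAXAMrjCHYKXMxAh = 368`; the same pass can be applied to the full 1.2 MB script before looking at what those integers index into (string tables, XOR keys, offsets), which is the usual next step with this obfuscation style.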
                                              • Total Packets: 46
                                              • 443 (HTTPS)
                                              • 53 (DNS)
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 30, 2025 18:36:15.548548937 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:15.548580885 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:15.548665047 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:15.559408903 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:15.559425116 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.134641886 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.134758949 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:16.139098883 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:16.139133930 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.139416933 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.150562048 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:16.191359043 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.430078983 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.430180073 CET | 443 | 49704 | 104.17.150.117 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.430250883 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:16.441644907 CET | 49704 | 443 | 192.168.2.5 | 104.17.150.117
                                               Jan 30, 2025 18:36:16.452564955 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:16.452662945 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.452826977 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:16.453005075 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:16.453030109 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.982909918 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.983027935 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.000633001 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.000669956 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.000902891 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.009087086 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.055346966 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.140363932 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.172332048 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.172349930 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.172416925 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.172488928 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.172523975 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.172550917 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.230967045 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.230984926 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.231036901 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.231069088 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.231095076 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.231112957 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.312499046 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.312524080 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.312596083 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.312623978 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.312674999 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.318789005 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.318805933 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.318890095 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.318908930 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.318965912 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.320566893 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.320581913 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.320636034 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.320652008 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.320678949 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.320739985 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.322396994 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.322417974 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.322489977 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.322509050 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.322540045 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.322559118 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.401278973 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.401298046 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.401421070 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.401444912 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.401494026 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.407119036 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.407134056 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.407198906 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.407212019 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.407283068 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.407898903 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.407915115 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.407989025 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.408000946 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.408063889 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.409568071 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.409584045 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.409655094 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.409667969 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.409719944 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.410300016 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.410315037 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.410398960 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.410410881 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.410461903 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.438309908 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.438324928 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.438416004 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.438433886 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.438484907 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.438842058 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.438858032 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.438922882 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.438934088 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.438987017 CET | 49705 | 443 | 192.168.2.5 | 199.91.155.176
                                               Jan 30, 2025 18:36:17.495527983 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Jan 30, 2025 18:36:17.495549917 CET | 443 | 49705 | 199.91.155.176 | 192.168.2.5
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Jan 30, 2025 18:36:15.534867048 CET | 65020 | 53 | 192.168.2.5 | 1.1.1.1
                                               Jan 30, 2025 18:36:15.542197943 CET | 53 | 65020 | 1.1.1.1 | 192.168.2.5
                                               Jan 30, 2025 18:36:16.442704916 CET | 54464 | 53 | 192.168.2.5 | 1.1.1.1
                                               Jan 30, 2025 18:36:16.451973915 CET | 53 | 54464 | 1.1.1.1 | 192.168.2.5
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Jan 30, 2025 18:36:15.534867048 CET | 192.168.2.5 | 1.1.1.1 | 0x3dbc | Standard query (0) | www.mediafire.com | A (IP address) | IN (0x0001) | false
                                               Jan 30, 2025 18:36:16.442704916 CET | 192.168.2.5 | 1.1.1.1 | 0x1e1a | Standard query (0) | download2435.mediafire.com | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Jan 30, 2025 18:36:15.542197943 CET | 1.1.1.1 | 192.168.2.5 | 0x3dbc | No error (0) | www.mediafire.com | | 104.17.150.117 | A (IP address) | IN (0x0001) | false
                                               Jan 30, 2025 18:36:15.542197943 CET | 1.1.1.1 | 192.168.2.5 | 0x3dbc | No error (0) | www.mediafire.com | | 104.17.151.117 | A (IP address) | IN (0x0001) | false
                                               Jan 30, 2025 18:36:16.451973915 CET | 1.1.1.1 | 192.168.2.5 | 0x1e1a | No error (0) | download2435.mediafire.com | | 199.91.155.176 | A (IP address) | IN (0x0001) | false
                                              • www.mediafire.com
                                              • download2435.mediafire.com
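The packet and DNS tables above are more useful once each TCP conversation is labelled with the name the sample resolved just before connecting: the first connection (client port 49704) goes to an address returned for www.mediafire.com, the second (49705) to the address returned for download2435.mediafire.com, i.e. a landing page followed by the file download. The Python below is an added example, not part of the report; it takes a small subset of rows transcribed from the tables (a constructed subset, same columns) plus the DNS answers, orients each packet so that the client side is the key, and returns one summary per connection with packet counts in each direction, duration and the matching hostname. A destination with no DNS answer behind it comes back with `hostname` set to `None`, which is itself worth flagging, since a hard-coded IP with no lookup is a common C2 pattern. `summarize_flows`, `parse_ts` and `SERVER_PORTS` are the example's own names.

```python
from datetime import datetime

# Constructed subset of the report's TCP table:
# (timestamp, source port, dest port, source IP, dest IP).
TCP_ROWS = [
    ("Jan 30, 2025 18:36:15.548548937 CET", 49704, 443, "192.168.2.5", "104.17.150.117"),
    ("Jan 30, 2025 18:36:15.548580885 CET", 443, 49704, "104.17.150.117", "192.168.2.5"),
    ("Jan 30, 2025 18:36:15.548665047 CET", 49704, 443, "192.168.2.5", "104.17.150.117"),
    ("Jan 30, 2025 18:36:16.441644907 CET", 49704, 443, "192.168.2.5", "104.17.150.117"),
    ("Jan 30, 2025 18:36:16.452564955 CET", 49705, 443, "192.168.2.5", "199.91.155.176"),
    ("Jan 30, 2025 18:36:16.452662945 CET", 443, 49705, "199.91.155.176", "192.168.2.5"),
    ("Jan 30, 2025 18:36:17.495549917 CET", 443, 49705, "199.91.155.176", "192.168.2.5"),
]

# Constructed subset of the report's DNS answers: (name, address).
DNS_ANSWERS = [
    ("www.mediafire.com", "104.17.150.117"),
    ("www.mediafire.com", "104.17.151.117"),
    ("download2435.mediafire.com", "199.91.155.176"),
]

# Ports treated as the server side when orienting a packet. Assumption for the
# example; extend for the protocols seen in a given report.
SERVER_PORTS = {443, 80, 53}


def parse_ts(ts: str) -> datetime:
    """Parse the report's 'Jan 30, 2025 18:36:15.548548937 CET' timestamps.

    strptime only understands microseconds, so the nanosecond digits are cut.
    All rows in one report share the same zone label, so it is stripped.
    """
    stamp = ts.rsplit(" ", 1)[0]                  # drop the trailing zone label
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def summarize_flows(tcp_rows, dns_answers):
    """Group packets into client->server flows and attach the resolved name."""
    addr_to_name = {}
    for name, addr in dns_answers:
        addr_to_name.setdefault(addr, name)       # first answer wins

    flows = {}                                    # insertion-ordered (py3.7+)
    for ts, sport, dport, sip, dip in tcp_rows:
        if dport in SERVER_PORTS:
            key, direction = (sip, sport, dip, dport), "out"
        elif sport in SERVER_PORTS:
            key, direction = (dip, dport, sip, sport), "in"
        else:
            continue                              # cannot orient; do not guess
        flow = flows.setdefault(key, {
            "client": key[0], "client_port": key[1],
            "server": key[2], "server_port": key[3],
            "hostname": addr_to_name.get(key[2]),  # None when no DNS answer
            "out": 0, "in": 0, "first": None, "last": None,
        })
        flow[direction] += 1
        t = parse_ts(ts)
        flow["first"] = t if flow["first"] is None else min(flow["first"], t)
        flow["last"] = t if flow["last"] is None else max(flow["last"], t)

    for flow in flows.values():
        flow["duration_s"] = (flow["last"] - flow["first"]).total_seconds()
    return list(flows.values())


if __name__ == "__main__":
    for f in summarize_flows(TCP_ROWS, DNS_ANSWERS):
        print(f"{f['client']}:{f['client_port']} -> {f['server']}:{f['server_port']} "
              f"({f['hostname'] or 'NO DNS ANSWER'}) out={f['out']} in={f['in']} "
              f"{f['duration_s']:.3f}s")
```

On the full table the same code gives one row per client port, which is the form in which the contacted hosts go into an IOC list; note that the report's "Total Packets: 46" counter and the row count of the packet table do not agree, so take packet counts from the table rather than the summary bullet.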
                                              Target ID:0
                                              Start time:12:36:01
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2300786531.000001EC0DF11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:12:36:01
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:2
                                              Start time:12:36:02
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\dllhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                              Imagebase:0x7ff669820000
                                              File size:21'312 bytes
                                              MD5 hash:08EB78E5BE019DF044C26B14703BD1FA
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate
                                              Has exited:true

                                              Target ID:4
                                              Start time:12:36:26
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:12:36:26
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:12:36:27
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:12:36:27
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:12:36:27
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:12:36:27
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:12:36:27
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:11
                                              Start time:12:36:28
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:12
                                              Start time:12:36:28
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:13
                                              Start time:12:36:28
                                              Start date:30/01/2025
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                                              Imagebase:0x7ff7be880000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true
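
The process records above show the pattern the Sigma rule "Change PowerShell Policies to an Insecure Level" fires on: a PowerShell started with `-ExecutionPolicy unrestricted -file` on a script under the user's profile, which then fans out into a series of further powershell.exe processes with an empty command line. The Python below is an added example, not the sandbox's rule or any vendor's; it runs three such checks over process-creation events modelled on this process tree. PIDs 4672, 3716, 3060 and 5236 are the ones the report prints; the other child PIDs, the parent's PPID, the rule names and the fan-out threshold are the example's own assumptions. The execution-policy match is deliberately loose because PowerShell accepts any unambiguous prefix of the parameter name (`-ep`, `-ex`, `-exec`), so `-ExecutionPolicy` alone as a literal would miss real command lines.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events modelled on the report's process tree.
# 4672/3716/3060/5236 come from the report; 5301-5303 and the PPID 1234 of the
# first process are made up (the report lists the later children by Target ID only).
EVENTS = [
    {"pid": 4672, "ppid": 1234, "image": PS,
     "cmdline": f'"{PS}" -noLogo -ExecutionPolicy unrestricted -file '
                r'"C:\Users\user\Desktop\cacaduk.captcha.ps1"'},
    {"pid": 3716, "ppid": 4672, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 3060, "ppid": 4672, "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"},
] + [
    {"pid": pid, "ppid": 4672, "image": PS, "cmdline": f'"{PS}"'}
    for pid in (5236, 5301, 5302, 5303)
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# "-e" followed by letters covers -ep/-ex/-exec/-executionpolicy; Bypass and
# Unrestricted are the two values that switch the policy off outright.
INSECURE_POLICY_RE = re.compile(r"-e[a-z]*\s+(?:bypass|unrestricted)\b", re.I)
# -f / -fi / -file <script>: any prefix of -File is unambiguous in powershell.exe.
SCRIPT_FILE_RE = re.compile(r'-f(?:ile)?\s+"?([^"\s]+\.ps1)', re.I)
FANOUT_THRESHOLD = 3      # assumption: how many PowerShell children is suspicious


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return a list of findings, each {'rule', 'pid', 'detail'}."""
    findings = []
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    for ev in events:
        if image_name(ev["image"]) not in POWERSHELL_IMAGES:
            continue
        cmd = ev["cmdline"]

        m = INSECURE_POLICY_RE.search(cmd)
        if m:
            findings.append({"rule": "powershell_insecure_execution_policy",
                             "pid": ev["pid"], "detail": m.group(0)})

        m = SCRIPT_FILE_RE.search(cmd)
        if m and "\\users\\" in m.group(1).lower():
            findings.append({"rule": "powershell_script_from_user_path",
                             "pid": ev["pid"], "detail": m.group(1)})

        kids = [c["pid"] for c in children[ev["pid"]]
                if image_name(c["image"]) in POWERSHELL_IMAGES]
        if len(kids) >= FANOUT_THRESHOLD:
            findings.append({"rule": "powershell_spawns_powershell_fanout",
                             "pid": ev["pid"],
                             "detail": f"{len(kids)} child PowerShell processes: {kids}"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
```

All three findings land on PID 4672, the process that ran the dropped script; conhost.exe and dllhost.exe are not PowerShell and produce nothing, which is the intended behaviour since a console host or COM surrogate under PowerShell is routine. The fan-out check is what separates this tree from an administrator running one script: ten argument-less powershell.exe children in two seconds (Target IDs 4 to 13) is the sample spawning workers, not a person typing.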

                                              No disassembly