Windows
Analysis Report
cacaduk.captcha.ps1
Overview
General Information
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- powershell.exe (PID: 4672, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\cacaduk.captcha.ps1", MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3716, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- dllhost.exe (PID: 3060, cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, MD5: 08EB78E5BE019DF044C26B14703BD1FA)
- powershell.exe (PID: 5236, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 3784, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 728, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 5912, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 3060, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 6300, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 4676, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 6572, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 5240, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 5308, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", MD5: 04029E121A0CFA5991749937DD22A1D9)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | |
| INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary
- Author: frack113
- Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
AV Detection
- Integrated Neural Analysis Model
- HTTPS traffic detected (2 entries)
- HTTP traffic detected (2 entries)
- IP Address
- JA3 fingerprint
- UDP traffic detected without corresponding DNS query (2 entries)
- HTTP traffic detected (2 entries)
- DNS traffic detected (2 entries)
- String found in binary or memory (16 entries)
- Network traffic detected (4 entries)
- HTTPS traffic detected (2 entries)
System Summary
- Matched rule (2 entries)
- Classification label
- File created
- Mutant created (3 entries)
- File created
- File read
- Key opened
- Process created (23 entries)
- Section loaded (66 entries)
- File opened
- Static file information
Data Obfuscation
- .Net Code
- Anti Malware Scan Interface
- File source (2 entries)
- Process information set (96 entries)
Malware Analysis System Evasion
- Binary or memory string
- Thread delayed
- Window / User API (2 entries)
- Thread sleep time
- Thread delayed
- Binary or memory string (2 entries)
- Process information queried
- Process token adjusted (2 entries)
- Process created (10 entries)
- Queries volume information (12 entries)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 2 Software Packing | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Steganography | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 6% | Virustotal | | |
| 5% | ReversingLabs | | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
download2435.mediafire.com | 199.91.155.176 | true | false | | high |
www.mediafire.com | 104.17.150.117 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
104.17.150.117 | www.mediafire.com | United States | | 13335 | CLOUDFLARENETUS | false |
199.91.155.176 | download2435.mediafire.com | United States | | 46179 | MEDIAFIREUS | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1603242 |
Start date and time: | 2025-01-30 18:35:11 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 15 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | cacaduk.captcha.ps1 |
Detection: | MAL |
Classification: | mal68.evad.winPS1@23/5@2/2 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
- Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description |
---|---|---|
12:36:02 | API Interceptor | |
12:36:07 | API Interceptor | |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | modified |
Size (bytes): | 9434 |
Entropy (8bit): | 4.928515784730612 |
Encrypted: | false |
SSDEEP: | 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47 |
MD5: | D3594118838EF8580975DDA877E44DEB |
SHA1: | 0ACABEA9B50CA74E6EBAE326251253BAF2E53371 |
SHA-256: | 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE |
SHA-512: | 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.038920595031593 |
Encrypted: | false |
SSDEEP: | 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX |
MD5: | D17FE0A3F47BE24A6453E9EF58C94641 |
SHA1: | 6AB83620379FC69F80C0242105DDFFD7D98D5D9D |
SHA-256: | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
SHA-512: | 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82 |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6222 |
Entropy (8bit): | 3.704236064752253 |
Encrypted: | false |
SSDEEP: | 48:KhTDTjPB6sCJCIRbU2K+5XEukvhkvklCywfn2GhGalzCSogZo+mhGal/CSogZo61:GtbeCLoHkvhkvCCtdhGadH2hGa5HB |
MD5: | 9D10FD492A757B194BDA4B31341B996A |
SHA1: | E7995CAC8A1E4B8D92964C9964C6F49F83CEEBD1 |
SHA-256: | F8B673D516C522DD42D902159235A0A7D61E6BA2E600D496433A2B72CB78B93F |
SHA-512: | 8EEB65A935A2FD50B8A31467BE021679115C324E3F43B26B0B5D2FE65AF0AF183A8FA51CA5CB11D5CC1C16C491538F1F4F72078A01AA4F8FBF004C1F96AD8E7B |
Malicious: | false |
Preview: |
Process: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 6222 |
Entropy (8bit): | 3.704236064752253 |
Encrypted: | false |
SSDEEP: | 48:KhTDTjPB6sCJCIRbU2K+5XEukvhkvklCywfn2GhGalzCSogZo+mhGal/CSogZo61:GtbeCLoHkvhkvCCtdhGadH2hGa5HB |
MD5: | 9D10FD492A757B194BDA4B31341B996A |
SHA1: | E7995CAC8A1E4B8D92964C9964C6F49F83CEEBD1 |
SHA-256: | F8B673D516C522DD42D902159235A0A7D61E6BA2E600D496433A2B72CB78B93F |
SHA-512: | 8EEB65A935A2FD50B8A31467BE021679115C324E3F43B26B0B5D2FE65AF0AF183A8FA51CA5CB11D5CC1C16C491538F1F4F72078A01AA4F8FBF004C1F96AD8E7B |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.955894474253898 |
TrID: | |
File name: | cacaduk.captcha.ps1 |
File size: | 1'226'553 bytes |
MD5: | 2ce909baa390d7c43462bdb42aebc0a2 |
SHA1: | 9f09538159e42c6d932335a33d8b9d520983f03a |
SHA256: | d109c3b246d193f8d28790f60bfd461dad0b05a61084b8243c721d66d7bbdf80 |
SHA512: | 14716ee50cda2d01bb0a3ccedc068100d83ddb5dbcc806a18389f5669b845f43663f7a3be3e9502dc57b9c303c4bc29d2392b9b558f853fdb59b62f006ab8fa0 |
SSDEEP: | 6144:hrMriMri9riKrilrivri4riMriwrizriBriNripri0risriArikriMri9ri/riR:3R03MG9Rla4EQJx15R0WR |
TLSH: | 0345049DF68847F949596BDC8387B9CE135055BB0ABB520496E0D2AE3D0DE173A30E3C |
File Content Preview: | $txoiHDeiAnkjE = 86..$gJStovzpoU = ((((12+32*20))+(29+9+(10+8-8))-12-17+49-(199)))..$VckypWjMobDEOxpXpDc = $gJStovzpoU..$wnjciwaDStpCohFMuwRP = 643..$pIdXOIAXAMrjCHYKXMxAh = (((43*44*9)*3-4*1*((47-32+29))*((27-18+25))-(44732)))..$GeWFMwHibZdWpUctlTva = $g |
Icon Hash: | 3270d6baae77db44 |
- Total Packets: 46
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 30, 2025 18:36:15.534867048 CET | 65020 | 53 | 192.168.2.5 | 1.1.1.1 |
Jan 30, 2025 18:36:15.542197943 CET | 53 | 65020 | 1.1.1.1 | 192.168.2.5 |
Jan 30, 2025 18:36:16.442704916 CET | 54464 | 53 | 192.168.2.5 | 1.1.1.1 |
Jan 30, 2025 18:36:16.451973915 CET | 53 | 54464 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 30, 2025 18:36:15.534867048 CET | 192.168.2.5 | 1.1.1.1 | 0x3dbc | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Jan 30, 2025 18:36:16.442704916 CET | 192.168.2.5 | 1.1.1.1 | 0x1e1a | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 30, 2025 18:36:15.542197943 CET | 1.1.1.1 | 192.168.2.5 | 0x3dbc | No error (0) | | | 104.17.150.117 | A (IP address) | IN (0x0001) | false |
Jan 30, 2025 18:36:15.542197943 CET | 1.1.1.1 | 192.168.2.5 | 0x3dbc | No error (0) | | | 104.17.151.117 | A (IP address) | IN (0x0001) | false |
Jan 30, 2025 18:36:16.451973915 CET | 1.1.1.1 | 192.168.2.5 | 0x1e1a | No error (0) | | | 199.91.155.176 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 12:36:01 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 12:36:01 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6d64d0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 12:36:02 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\dllhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff669820000 |
File size: | 21'312 bytes |
MD5 hash: | 08EB78E5BE019DF044C26B14703BD1FA |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | true |
Target ID: | 4 |
Start time: | 12:36:26 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 12:36:26 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 12:36:27 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 12:36:27 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 12:36:27 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 9 |
Start time: | 12:36:27 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 10 |
Start time: | 12:36:27 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 11 |
Start time: | 12:36:28 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 12 |
Start time: | 12:36:28 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |
Target ID: | 13 |
Start time: | 12:36:28 |
Start date: | 30/01/2025 |
Path: | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7be880000 |
File size: | 452'608 bytes |
MD5 hash: | 04029E121A0CFA5991749937DD22A1D9 |
Has elevated privileges: | false |
Has administrator privileges: | false |
Programmed in: | C, C++ or other language |
Has exited: | true |