31.0.0 Red Diamond
IR
320914
CloudBasic
05:20:10
20/11/2020
a7APrVP2o2vA.vbs
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
34088bd5124b06eec3371c1879f73cf5
bcd7d1067588adcacefaa342af8b0ef8a899bd6f
10a87c4636ca9178acba76c3303c9e6d9ea99efee1b10864b934abc05bdd6b89
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{48F8DB8C-2B33-11EB-90E4-ECF4BB862DED}.dat
false
9299593907C5EABFD7027C291518DEDE
1DA9951D1ABAB0DA7808456AA436E457AE837916
F9463D178AA4B7421F348461E64545794266C04AD49F8D3A30F391B919FAC413
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{638D4EEF-2B33-11EB-90E4-ECF4BB862DED}.dat
false
B4ACE99C089C8020F01806EAE9E9A7F6
120C02B75852501A645DA4F96DC7BBFC893FB254
15282B89E0EEC2396A134653EE28D32E20D07B4843B63BC603C4EDC0ED775748
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{48F8DB8E-2B33-11EB-90E4-ECF4BB862DED}.dat
false
42FAF6BE1CAC0782E71351FA937DD9E8
8D735CA12040710B03193A27ED98817029EE9FD1
C2B635CACCB72A452D1F18D4BECFEDB3C1F145C8CDA44864449E5BB961C4FF62
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{638D4EF1-2B33-11EB-90E4-ECF4BB862DED}.dat
false
54FD8E91253B5A8B16BE1D5F3ECB5880
C8479409CE2DAA97AF2911DC3CFDD4C1FD84BC13
2A717529D7B294C4AEAA004087F915B8152ADA9598F454B847EE31DFC209A9EA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{638D4EF3-2B33-11EB-90E4-ECF4BB862DED}.dat
false
721DF9B1ECA32E12891908271A848529
8D85C4CA7C7DA5C6532CE3F8D2C2811A0F550431
FB1025039CDE627459760F48F01223312432C783E7E3F4E18674A54023758728
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{638D4EF5-2B33-11EB-90E4-ECF4BB862DED}.dat
false
271F9965B597452C9E5C0A05469A704A
E792218D68BC6EF55E62D2E253175FAAE10F4CD4
730104388806535BC0B5708F10A95FE2F0A47D76AD01A316D12ECE7EE79B89CE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
false
541F18517371F5A47022692185EE703B
37F8E6546C25B32E18732A8210B7860A39BC898C
524A99CB9C96D484E6834CEFAECC3031F7F42E408F7F7792A77FA839C8ADC0C8
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
false
9D466C77D69740DA09AA47DABF7A7E6D
4E59D4AFA1E6203C85C0636CEDE25F8A076FC1DE
50108C67E66E3EF616C05E6186529CAE19406112D9236CC0D21D7DC1779580D1
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
false
7E7075DD3A8030A0C23703524204922E
2ACE1C5ACD5F8F50DCAC21B1ECF00F5B13B95C5B
DFE98C203E64BA3EE0ECC5A34FAEC3A24F46BA78F221040D01A8B1A76DBC628E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
false
AE803AFC03527EF4F18AAC61FCCC6136
6385915F6E7C191B9E39397F9D44BE0CE3A995A6
1A8686AF6B7A1E60B2F24BCB8F0E22F35C4A94CD5328AA176FBC14BF47EFF06A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
false
D7BA782DBF4D77E7E9F49EBBFA30DDD5
8C287A5A9CA78DF7DD3C54D77064D076A53E0DD3
D24062E509A24316C33084FA1A0FCF7B5EDB61E2915E55B33D3CD86C596242FD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
false
556A24B1940E7DC4612136C54E61454E
BEAD226500DE1B103819F5D958E2A96CF65535DF
CEF7E4F17DE097AD7F85C7C98E7867BC66E6D610A27739CC4CF8EBD534D35733
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
false
71D6C452DCB46D3653CE1BF93496D717
8202D99F04C65DEABAEA8A56C5A0885151651812
E7348F46353FA28AEED59FBC63B9368B341EB6A0B0DD66616F8B23DDB2D90EDB
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
false
DBA7BE6E6D63331385AEEA3DD2D69781
07BE73562F0F34236BC90C23AEBA24F59FBDE77A
C99E703C6228E7A83F520984A1522D97DD5BBE6BAAA132DEC5C792071573182C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
false
5DD2E31BC8D810FD032343E272316081
F85008D162BBB9C4BD6022498D2EA3BA128E30B2
06D2C4DDFF15ABFC086601CB9BFA153B37E0FF71A49BDEA9123FA3FBE949B86A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\down[1]
false
C4F558C4C8B56858F15C09037CD6625A
EE497CC061D6A7A59BB66DEFEA65F9A8145BA240
39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\errorPageStrings[1]
false
D65EC06F21C379C87040B83CC1ABAC6B
208D0A0BB775661758394BE7E4AFB18357E46C8B
A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\sCy[1].htm
false
99911885EF8527B9BB520959D0400D23
A214A86649EBA314D4BF4C1ED2AC48CAC7EEBA1B
6A56806C098AA9CD6ADFD325BE3E9A05FDA817BD175A469A5027339EEA4C9058
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\ErrorPageTemplate[1]
false
F4FE1CB77E758E1BA56B8A8EC20417C5
F4EDA06901EDB98633A686B11D02F4925F827BF0
8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\bullet[1]
false
26F971D87CA00E23BD2D064524AEF838
7440BEFF2F4F8FABC9315608A13BF26CABAD27D9
1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\m[1].htm
false
03D61BB1F49164FA9812A5E896C67F3E
85FA697A67481A5631B61FB3F539B4503B929EA1
CDE50C5D8FC8B941FD19E1F70B357635061FBFE6F9A0D5BD4C0CFD9F46BF8436
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\background_gradient[1]
false
20F0110ED5E4E0D5384A496E4880139B
51F5FC61D8BF19100DF0F8AADAA57FCD9C086255
1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\httpErrorPagesScripts[1]
false
9234071287E637F85D721463C488704C
CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152
65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\http_404[1]
false
F65C729DC2D457B7A1093813F1253192
5006C9B50108CF582BE308411B157574E5A893FC
B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\info_48[1]
false
5565250FCC163AA3A79F0B746416CE69
B97CC66471FCDEE07D0EE36C7FB03F342C231F8F
51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\j[1].htm
false
FC226C805B21348897F9CF750630EBA6
5F20971E026402B862B9A62A6B4CCCE997BFE90E
B2BA15FFD15238328B301C92BC4CB4CA7C5B500826146DBFACB98B261E12FB31
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
1F1446CE05A385817C3EF20CBD8B6E6A
1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
13AF6BE1CB30E2FB779EA728EE0A6D67
F33581AC2C60B1F02C978D14DC220DCE57CC9562
168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.0.cs
false
D318CFA6F0AA6A796C421A261F345F96
8CC7A3E861751CD586D810AB0747F9C909E7F051
F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.cmdline
true
71F8CB00B6C50E1D7DD2B6AFEE931EB6
2554BD85602FCD60452D080AD4534661AC796F18
D4471DF42D09542430DBB6961E11ECC14EA84C34776E316BC6849E4CD5CD2A63
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.dll
false
AB216BA7214F797A37E28B3A30AF81D3
F1DE6D5C6EFFE2D1DA4A5B07611C4045A5BD8B65
3A774892B23EBBE4D959E23DA83FF2163D7B8B1380EF0508288672583B86134C
C:\Users\user\AppData\Local\Temp\3cg2gow2\3cg2gow2.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\3cg2gow2\CSCC7D6D6B9E2E2482A90484ECDA4303A65.TMP
false
C3AD2C105F0FFA6EE9B4AE4D540F9A6A
2DAC9CB0B18976F5B9071695B23756320C703A5D
805A6D4797549C6CF864691E9F547BBD8DCAEBE62E4463EF60D4F1101F785F50
C:\Users\user\AppData\Local\Temp\Ammerman.zip
true
94F926A14F611ED85B2AD7F5C108D930
920C9F8B4B8100DEDA928646DBFABA7D8E7AA6DE
BA9979A733F1226AD56803023880155FECAAEDAB7ABB4DC9552BD674D47FE62F
C:\Users\user\AppData\Local\Temp\FCC.cxx
false
1F1A0E8B8B957A4E0A9E76DAD9F94896
CC1DDD54FA942B6731653D8B35C1DB90E6DBBD34
D106B73E76E447E35062AE309FE801B57BBEE7AC193B7ABCF45178ADA7D40BB3
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
false
1548C640BD577D94B3EBB4E4A0E9A29A
EF25134D3741C3CB085F239A304EFF0151A4C408
15F7119855CF1741BB0D0F8BAD22C343CFD85018286A7A53B50C4CEE986D2D07
C:\Users\user\AppData\Local\Temp\RESEF81.tmp
false
BD9319A289457B73CDB8687BA23B2610
5F890B0A82902100031E2AAC0A4591C67D7AFBC3
4F74518807CFF1E433E5EF8B02B69A78980C2C8BB1F4F9ADE6604FE98427725F
C:\Users\user\AppData\Local\Temp\Tolstoy.3gp
false
DE116F46B1AB756FE5FC714826D9C77C
C0543E108146A86E97F9C92D84550415FF0D07F6
B83A7A9918FBC774A1CBF2D5C700D86B64D91961728A7BBEC91FF74CE27C6CBA
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4e01b4v0.lgo.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cbgrc3b0.yd2.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\adobe.url
false
99D9EE4F5137B94435D9BF49726E3D7B
4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
C:\Users\user\AppData\Local\Temp\bowerbird.m3u
false
FCA5D5C49A23B8614C6F821ABC873200
C6982C28BD133E0317D388EFDFE29CB78A5AB6BA
9EC7D8CE210B398464E1AE84073DA79284983AEA1AE6AD5985DC77AE95C1C242
C:\Users\user\AppData\Local\Temp\earmark.avchd
true
78B3444199A2932805D85CFDB30AD6FB
A1826A8BDD4AA6FC0BF2157A6063CCA5534A3A46
66EAF5C2BC2EC2A01D74DB9CC50744C748388CD9B0FA1F07181E639E128803EF
C:\Users\user\AppData\Local\Temp\pjhhilfe\CSC3FCB40168F8F43A79C916E3E14812F23.TMP
false
0882AE6EE1F85A07872D5E7805909CEC
B1F849D8095D9DC408FC47163BB531E4766696D1
FBCE2838FD718ECC1145295C0CF30CF54FC420920B2EB212C1E851F70089EBAE
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.0.cs
true
216105852331C904BA5D540DE538DD4E
EE80274EBF645987E942277F7E0DE23B51011752
408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.cmdline
false
18238DDE42711FDE84A3D331E81E9E0D
211D18C7C0C14E6EC1EBAA7167CFF8984076615E
3CAA1667E8FB7046981D68EA254BD0E40AD63F341295AF2B2094232AD4E2501A
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.dll
false
697E2F48267FE9B6ECE7B6FEEA79312D
8D64C1D0CD84A6B9AF5383AD5EA827B92A24C35A
2224EE67155E4E4C83B7A33B42CA5C64797CF0240FC3B593AC066420D147C052
C:\Users\user\AppData\Local\Temp\pjhhilfe\pjhhilfe.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF1B3A3B6AB333EE87.TMP
false
AFB515445BAE2FADA5BF52E5B814C217
EE5E3AFA220CB93D2143DFDFE3AFEBD6264AEE83
059C28E2EED630DC221A3CB1E70D7B5F39473E54E4E84498E35D0C65CB7318CE
C:\Users\user\AppData\Local\Temp\~DF355482E4E7DEE5A3.TMP
false
D194614AC0EA458FFBA1E4B08ADD2CDD
F278E24E679AFC36B785E2FCFB5976E9E504913B
C9370BA5AED9AA7E0F3004947E5E592F47552458F7F020F34F92F4FBEBA7BF99
C:\Users\user\AppData\Local\Temp\~DF59F7FE070035D0FB.TMP
false
D146F2F521184092B2C6B3DB7A8FF89D
8F6F160FAEB95CDFE941E92680FBFB8D990D916B
1AECF7695D500829F0D68168A3355E1ADADC93908324FD2D975F6AE90BDB144B
C:\Users\user\AppData\Local\Temp\~DF897443D483D7C528.TMP
false
C3D7C59D47B630560F911FD0A9D253BC
8154ABC686D1793B3D8440B96CFA50357BF59783
2E9AAF41565B73F9592700A82F4D92DF3A69132F422911B618F5A793F4ECB6C3
C:\Users\user\AppData\Local\Temp\~DFA0DC02764BBFFD70.TMP
false
1B30EAC5DB0F6585C2A28814E7A06C8C
47EBBC1C080B4F3CDFF3E667CFA2CF80B006FAF7
C6EDDDC79C4060B11DB458AC489373C3E44B24CA2D7A2D7B76488189C1317DBA
C:\Users\user\AppData\Local\Temp\~DFC1B22A1CB1C1EB4D.TMP
false
3588E70EFA3446A8FEB9CDE79C990461
7527E1C787545BCCE5E317C29BBDB19DFDE6E51C
4F6E725B00D9B6FD6550C752FC0955731AA6F6B868F218528311F33BE9545AEE
C:\Users\user\Documents\20201120\PowerShell_transcript.715575.I4F9bCTu.20201120052227.txt
false
839730236D191965CFF5970E23514FEB
3B5B47752D463A27825A05670B7A92138287F07D
0835A44D36FCB30FFD146F8DD3AAE9BBD47630E6FF8ECB3C74B4CAAF7C4B2CE9
47.241.19.44
c56.lepini.at
true
47.241.19.44
resolver1.opendns.com
false
208.67.222.222
api3.lepini.at
false
47.241.19.44
api10.laptok.at
false
47.241.19.44
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Deletes itself after installation
Found Tor onion address
Hooks registry key query functions (used to hide registry keys)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (by process name, loaded module or function name)
Antivirus detection for dropped file
Benign Windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif