31.0.0 Red Diamond
IR
331120
CloudBasic
11:05:33
16/12/2020
5fd9d7ec9e7aetar.dll
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
7d675f9a252b26cd655607ae8b36c3e9
522894a5e30417192c053579d583ff7a690316a7
5e7f200f26fb2fc09ca80862fc6bec38f7d539aada080af6461771f9233c054f
Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CB1D97F9-3FD1-11EB-90E5-ECF4BB570DC9}.dat
false
DFA95E759592E6E2DC1DE37811CD8D1F
DEFE79DBB8797143A99A5146C6FA1CC4E33AE6EF
703A042BD771BC2F5CEA13426286574D32991C4203C4656E731504A232DFE186
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0C73B55-3FD1-11EB-90E5-ECF4BB570DC9}.dat
false
3786E542BCCB59557B2C60DF88A2BEA3
EFA4B9C9DB2AD5EAF81BCC611D46411BCBC94F3A
3D81FD8EDB5C16EE30738F03B27F68B6FAD2EE054355F7F60D17F16109558810
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CB1D97FB-3FD1-11EB-90E5-ECF4BB570DC9}.dat
false
0D9D10C31ACD463ECD18435C4ED76E3B
2487A3DE332AC513F118ED655065A5D5EAA3B934
AABB3D9EED3EC8A1483F806D06EA56E7EC391FA804C6EA1906FA5B30BB68EC7E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0C73B57-3FD1-11EB-90E5-ECF4BB570DC9}.dat
false
F96EA46A33EB38F4532FA5EFD4310154
338F6639DF50B3F93FA050661E82D4CD85A179E5
EAF8DF1732523038C92C6890389E896A409BDF167128CF5770067F6241D31F8B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0C73B59-3FD1-11EB-90E5-ECF4BB570DC9}.dat
false
1F2D9109C1876BED62363BFC1C36362E
07EF0FECEEFC703787F281B7070E5BE2615E2360
C3BE17D413A23B4CE7141545E4C4C8E400FA26EA6ED3C61EE09CD69CE755215E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F0C73B5B-3FD1-11EB-90E5-ECF4BB570DC9}.dat
false
C7E1A51F1BD0C909440B25E6D1535EF3
D74826A8CFD76094D471D28176C98BC5C1F5A1AE
933437E4AB319798730C9F8BF5E2318475EFCDB75E36BDC8DCB0EA5AD6A06839
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
false
5FF4FEB05335F7A1E8949DFDA01C513A
DAA720A96C1BDA14FBB565E5A8364FD05F6A3380
07355F6214123AD7E067BA831278C30ACACB26DCE603EF8DC618144E47B35685
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
false
BF25FC977528E3E0FC8832AE9927E851
8F7729FA56EE875793E84CA5026558F10A49008A
F817FA10F5922C9C98DF4FAF3193A6617115F99ECBFF88006CDA3193EA3FBD7B
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
false
C0E9345EB1ECC9FA5DD88EB8E7EBAE30
125128A0D71E086CB657B9A1953961920D3166BC
17D7D07B5D729F3C229A4D0500D22C819FF15912124BA795197E698067D8F64A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
false
6E790126C8EFC4467D256FFC36F8939F
26213E0E1B715EB786FA48516061B7F15CF3ABEC
E8DCC94D99DE8B0365B7C9819D9F0ADDD2CDBAAC46A80214991FCBC583CE39C4
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
false
1574CC7D83A650FF98AA368533F8DAFC
0AF5058CAACEFDBADB508552D9D004C68D95050E
8BAEE1CF495853231C68868750216D9D55946D4BC836BCC876E505A469973AE9
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
false
6DF8F955E2885046D2EEAF96465C7AAC
478968DAA96F2663BF4901C0B48F69209FA9B162
A66B25D35FF2CBC3645DCDAA252C80AE5FD0554990C36B8823C2D48917006821
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
false
19756710DC1E1295AD36AFCD3EDE6AB6
C4D80E91392329B6CD322615F7041D94FB1C6728
4300F027F37ED769FC6EEC6EB93712A3F73130776BF225A65A7FE6B8FC91D1C2
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
false
ED9825120C76CA457FFF6DDC117D400A
7EC4101B7B84C1A614DB09B467CF24FF45A10749
CCD0FC2242B74CE255381F6E0A01E96D533D5EE9C24F8F0A851EECDDA8145474
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
false
A90D70938200FA28E7933D6DD30E7F0F
658BB2A8836EB14B555D5580F33D81C1F6E1F3B1
74188EA6B664ADD9A6C8489F48F19331A743A84C7A67F3DAF6FD67F525100427
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat
false
9C5EF3853AC75AEB0A9AE6375470D64F
8C534692B5146BC56F4872CC413EDB2985ADAC7B
68714CB3732050560D3AFF05376F1D6A0FDDA8DC9E5AA05435FAB8E3F85202B3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AGlpBU[1].htm
false
F653BEE495A51D0BB6462700A8717922
FD0BD83B76C1904D4046A49657F3244E4F1841A6
0C91F4F38F71AF76044EB53A98AA4191BD543E18493C7FA90BA085474F9D6852
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\favicon[1].ico
false
F74755B4757448D71FDCB4650A701816
0BCBE73D6A198F6E5EBAFA035B734A12809CEFA6
E78286D0F5DFA2C85615D11845D1B29B0BFEC227BC077E74CB1FF98CE8DF4C5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\robot[1].png
false
4C9ACF280B47CEF7DEF3FC91A34C7FFE
C32BB847DAF52117AB93B723D7C57D8B1E75D36B
5F9FC5B3FBDDF0E72C5C56CDCFC81C6E10C617D70B1B93FBE1E4679A8797BFF7
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\A6Pn[1].htm
false
401AF9EB95D581473470D429C23EF8BA
0C6C6FB39B2F811B224DC68BACCB8939DCD87C3B
49C07BD919280ACC3919C422BEFAF1EE260F0EB74FDEBEE843ECD5EC2FB98E12
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\fLzp[1].htm
false
E3AA1B0A45CDE8D23A403F8A2FE8927A
8723BF1632C9A15FA219DEADC680237FEB3011B2
76B2A1910AAE8E7E2DA72985A300364B0877360454F856378F4366FFEDA8B2F3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\googlelogo_color_150x54dp[1].png
false
9D73B3AA30BCE9D8F166DE5178AE4338
D0CBC46850D8ED54625A3B2B01A2C31F37977E75
DBEF5E5530003B7233E944856C23D1437902A2D3568CDFD2BEAF2166E9CA9139
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
1F1446CE05A385817C3EF20CBD8B6E6A
1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
C85C42A32E22DE29393FCCCCF3BBA96E
EAF3755C63061C96400536041D4F4EB8BC66E99E
9022F6D5F92065B07E1C63F551EC66E19B13E067C179C65EF520BA10DA8AE42C
C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.0.cs
true
5B17B009281A3C8C532B0BB82B8B44F0
BB6C2DDED8AE33AB8D0AB7A01FEAFC11C0EC0D4C
4BAFA02A0D8F4179EFFD80C32D96C3DC700E83002EFFEAA97794B80E083CFA33
C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.cmdline
false
D5DB76AA0916B868C4A3BC4FA12C8706
7E3FA41B6660E6E06B40DC2AA957531D3C961696
E5EC25B991A44F20CF1C23AC93695D2951D91548D6452381360F878879B0BA14
C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.dll
false
F7BDA195E03EC89E7B55B289BC7E858D
CE32B5F29B4962F26E9B5E6EB6AB104AE9BDB8DB
5939DA07D6C932A2E24B6022E866D102D39F829F956E91304CCDF56D44D5EC4B
C:\Users\user\AppData\Local\Temp\00wddsye\00wddsye.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\00wddsye\CSCFFAD43D2FB2747A5BC1271AB7CCA8A12.TMP
false
CE8B97BFEC39B9FE6E7E346212202E3A
3B4D9687D96DEBC289E1143973DC5DFF58B511F0
BC3CC5841C2B368C2655853F9A6E7913038B061D84891CBA78EA9A28F0695CDD
C:\Users\user\AppData\Local\Temp\44E8.bin
false
8C6AE88C334083F7E4B921E54C79A7AA
FD94AD0FD8824D43B1A648BE0975C9F66E27F174
0556AF85314AA8BDC2869BF3565FA07999A6F17102DFFF538FAF22E0D676FDAA
C:\Users\user\AppData\Local\Temp\6B30.bin
false
5E9DCEFCDBCA6B7DA551690911D7365C
FDFB91978207F4BB6D565287476644FF16E4B667
D14C2A580CF19E66086D93C412CD734D6DDA766000D7B83D7D877598581B05D3
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
false
4E969BAF058176DA714CD97A4E6E7303
0D1BF79EF3B3D459D2CFB3B2E24CA17767B63304
5F357770A6D4EAF945ED7ED375E2496963BDD739B9AA3688911972B5B1BA9809
C:\Users\user\AppData\Local\Temp\RES9CA2.tmp
false
646193E76577CCC753B4CE90403663D5
629B448899C18B2358E9F3AF96D63E99EC0CF956
A0AC22321D8C8231D2A2D0CEBDBC11C32E77A8C516D1EB5FC2DDD17CD7989255
C:\Users\user\AppData\Local\Temp\RESABD5.tmp
false
C93CE04B7972FD9EF43BA2CEAA942C62
4BAE01C46539FBADCD9552B01C8303EAF41002F2
74ABFD1903A530A7EB5E67993D7200E84097F574507955B08462C68DBE454C06
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ik2yfqgt.wtx.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_urtj1ih0.gmi.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\lcbc4odh\CSCECDBA1D9933D457DB056F31AC2CEEADE.TMP
false
6869D7FCD6369BC5A7E685F19B844BC4
C974FEF2EECBD33317D0AC503E0DFAFE808A960D
A282B837D32464FEEA2EB81EDF8E6726035638195E00A2FEB03D71827BDF3420
C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.0.cs
false
655283EF891D5B9C591ABE78702B0670
3F237A5F247A04C17E8BA74A2E6DC3D57BCFC27D
E3A387CCA453522A3BE7B0F258B49F7B56E9BAF62BB1EF6FEC6233EBDE53001A
C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.cmdline
true
B31CA3CD3DB9B51042C8F6B5CCC15B20
B01E8F68B356075C5077F3B1427DC903C50F2940
309AE6C65520A889B0AAC8D01A80013A78908CCAED67CD10A24E404AD489B50A
C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.dll
false
797C2074AF61D3377500F7478819D96D
403322E229E75AE7880215DB798AC5AC93403A15
B3BC6D4F92212C939C348C91EA6473C1E2331C26D353C417FC0CCAF66C4EC6D5
C:\Users\user\AppData\Local\Temp\lcbc4odh\lcbc4odh.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF224E930954C99BCE.TMP
false
5668D53AF80E84C5F973C20AC3FC41E5
925F80906E99D4B5DFD2931D3BCE330FB2A9394A
849C82FE48D36BE9DC11D832743CF7752E630A3C2602E90095E170FDF70BD657
C:\Users\user\AppData\Local\Temp\~DF40EAD1D3FC8CB615.TMP
false
20AC230DBED08356E99807E8A74242DD
25C289205C5B50D5754F02F8C00296EAC0F61A25
AA06450A8900986E03B3048FD74ECE04346185097E0526F1FC9D8514504BD941
C:\Users\user\AppData\Local\Temp\~DF84DF937AAC9CE9CE.TMP
false
6A9DF7C79ECA70095B42727D33CAD666
4FA47B35F9D986F432413755F2E67B805977C893
50889CFC45E707D0FC042B3D1D2CF6E52F8A27191C965AF3C6C011F32F3FA565
C:\Users\user\AppData\Local\Temp\~DF861707AFF7D2DC9E.TMP
false
5B52AFF4F6CA83CBD7BFF117D946A924
CF976016C0061E1CE0E8EB255315B4981AE9489C
0CED1ABAB773B16474BDA00937199BA13A7A12390335C8C15EC829B1732B86AE
C:\Users\user\AppData\Local\Temp\~DF907A0632D9B8351A.TMP
false
4FA649B324D87D8EA220D1EC7EFC2DEC
B97A9498986C7904A1F98FA9EA2C6BAF8E6236B4
4F5BE5B62FD6F9F97B8024B0B115AA94AA08D79438E38C9344A66B9DBA1435AA
C:\Users\user\AppData\Local\Temp\~DFB41C4A7C121490E0.TMP
false
6C504FF99B3014B1E582E6E2D56346D2
7731ACD67BB31BD92132AF50D00B852502B74510
D86F6005A7EA9819B3D01A2F5505A48B4DD4A6737B6EDCCC0AB89E48F0CFA075
C:\Users\user\Documents\20201216\PowerShell_transcript.320946.tianP39F.20201216110746.txt
false
EF8BC67B66A1B184E9FBC9967CFCF074
0998E5B82EAE69A9C12A33809B8DACD7701C63BD
4221194474E6C6EC37FB1CF3D158C9D68E8A689DA5C61227C472E9B381DC5F6D
193.56.255.167
89.44.9.160
216.58.210.2
185.156.172.54
rosadalking.xyz
true
193.56.255.167
pagead46.l.doubleclick.net
false
216.58.210.2
resolver1.opendns.com
false
208.67.222.222
1.0.0.127.in-addr.arpa
true
unknown
8.8.8.8.in-addr.arpa
true
unknown
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif