31.0.0 Red Diamond
IR
333865
CloudBasic
09:19:51
24/12/2020
drfone.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
545f38fbb74881142712052a5b6eabce
4cbaf1ecb48629b163f4387605c8a9011e89183c
7b8ef3f064d0de0c27d56ff4df7d360f0d546d32aabbdf96a746bab5c84277ec
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{62186B86-460C-11EB-90E5-ECF4BB2D2496}.dat
false
8AB1C2144389CBDA535358D187CA3B5D
2C7B1BF2DE6E72C56C91801CC563064DCB7F39C4
2872567100BEFAD8B578F82895080EC4F223126E27FFF0B1FD83A1877332F142
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{62186B88-460C-11EB-90E5-ECF4BB2D2496}.dat
false
BD511BFC810CD09B46A5DCCDE5EE6E91
DA99DC233CAF2D8D1BA25C13A30D59BAF6046DA1
D1E3F18E1FA2783C3F488391BF9DA7CC27DDDE37999901F844E78A8823247DB0
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{62186B8A-460C-11EB-90E5-ECF4BB2D2496}.dat
false
1C2D721EF26669C9355A459BB8179F7D
2A884C9B9BABD1BC3987597290E04E665ABAE5C5
C7F89581F8DB5CE77D80553C52D3220C514B221D073B506B758FBD63B15BB320
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{62186B8C-460C-11EB-90E5-ECF4BB2D2496}.dat
false
C7C8B74DB6376766A7FA3D1B813F7192
9C830DCAF27470DCCAE224B3A035802D5E07275A
4B63575E5B85AE1A9C9F415E0505D85D02BF03039DF925F45F9DBA26A0C65A62
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{681EFB23-460C-11EB-90E5-ECF4BB2D2496}.dat
false
7FD03D6C2FD479F8B0DCAE83C7FCBA0D
F874705F3EA367F1C4382AE4260B03A90C9149F2
E3DA760A65AC031C5878498499265D0F4F69A1818CA187A7655308F145DD2783
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{681EFB25-460C-11EB-90E5-ECF4BB2D2496}.dat
false
181C7459865AF68F290A9C873F441A7E
5A807DBB15A0645B5E563C0CCB47057018F53F98
C544D35EC60DAD04EB766AA4632C77CC97362004FAA553C8B7191DF16C883E0D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{681EFB27-460C-11EB-90E5-ECF4BB2D2496}.dat
false
5C494D239E2947160C2432C847F72B16
76B27335104FA45C3E5E6193E717C459420505C7
26E9A8AA5CE95B9F63AE26CABC2133055C1102EE84B35199F918C24C2B580C5A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{681EFB29-460C-11EB-90E5-ECF4BB2D2496}.dat
false
6BEBC9A7A0CA150E408974FE3820454C
34AC7AA29A19C35C9A2C0596EAEBD37B529D758A
E62C877701348111C5C1E818F96A17337BDD1C0D00F525012FE3056E98E82D1F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F48692F-460C-11EB-90E5-ECF4BB2D2496}.dat
false
9BE1C73C0AD7E3D4E36FFDBC4A88B758
9A15641F7B064A707594ED25AF41DD05BB307B95
FB021FEF98B01B9134A45DF7A5B32E5E486F450F1C11F91DE9E2BC5A0B8EE0E6
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F486931-460C-11EB-90E5-ECF4BB2D2496}.dat
false
8A4AFDA973E970DDD6E7C7261BC80CE3
68593009FF2ECAA44532B23F171F9B8C4D50B5A0
9236B30FD12BF25A3B54B5F4AAAFAC697C8055D12EF1698E1DFBEDA598F67496
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F486933-460C-11EB-90E5-ECF4BB2D2496}.dat
false
287724487D42C2D9EADD0798ACA57233
AAD9EC7787DE054E2878BA1F52FD122AE2261D27
9A7126EFEA1AAA0551373BB8847E9931963DA88B8DE4D14A463DC98854A3747D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6F486935-460C-11EB-90E5-ECF4BB2D2496}.dat
false
9837F768E27D99963FC04FCAE62ED9A0
9E362E626F375911AF5DB56CF2FF5616B9F22D2E
1297BBDEB6CFAC20E8FFA02EAC0AE29799E6DCA9C466D33386BEF721C9AA04AC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
false
716C2195327D7C25C494D0BD22F2A7FC
4A86A3AC74ECC4DEEE7139140788EE85F86F4A03
F3CB610015993B530BF00E0890CDE2D63CC823E0AE25610AA88F327D4E491EB3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
false
AA3C118C418E4197F8A682F7DED621E8
E17C86D3DA7B36105FF4953C93569314657771F2
92D7778F0719467F1CDAF910B62FF9058140EB66DB275A464DD52E744F68FB9E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
false
3224AD929DD8D3798851740786569BDA
79B7E51E9E862C8D11112010912D808EC32ED688
A32213502145BD1414D8CEB92F7669207D1E2EF92C304579FEC3C3C9886B0398
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
false
A5A83E7DDA9A7823E2E33E2CBB224663
CA3C1F0EBBF65BCD7F5814949EA8E8092C1B3F58
D7B58AEFEF25A37F1BE7C97FC5D34E05295F572B8518324480871AF444648B7D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
false
5106873387127736100C37E3348A4C3A
F9F51426EBA7C2B9BED2953A686EFFAE68AB1D9B
7F7DF055969025146D2A74CA537162329599BA85210906DAD0787B1B194AF084
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
false
4F3B47938C7F66284C949794BBB4CB25
C75AC9B64D0BD43961E81420757B5CDB32E1DD90
B00FEE5CACC3AF975A42889625A57778559B351F18356FEEABF7C8804EF157DA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
false
93D2EC8D469AB9CA305491A6D3413B16
E7ED80F9D03F40F88DBDD595208D68881E28B22A
29FC9C68C270A3EBBF4106F4CA899212149C1CA4CB899CFAFB878B8B1C91C3CA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
false
85B2ED97BB49D886E1E3BD8025C9F270
E5687B591D1F335B14A7852749B08C0C55221BDF
04377E9C2A08023723741E75445F9FEE11F21E230F6D8CC41146F5D9E48DF365
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
false
07EABAD0C3492524E400AD06DD437E9D
57B4684FFC6D7F02E9BBC14FFCF11578120FF6D8
F9150C3661C567CC36317FDA8C5BA7787CB9BD0F01740FE84512BCF56C2EAAE6
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\wlm7n14\imagestore.dat
false
E157199BEACFD7E69F876ED709318CBF
46ABD9AED048354972BF7306553E8F51DF3A90A1
4DDF4EB3A2EC795B3EE6E82EB2C1F9B372CFA41D7AE04D845F8786E148E09967
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\index[1].htm
false
FE8538DB9D0AD5E27C66A00BC9F86CDB
B23927E18D2A52AC9B11E4BC3BB11569E6DE2B9F
F27B1AAB9130532BBD03E36E7FCBA55D85DE8FA09B9E367F782CB62C1391AC98
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\favicon[1].ico
false
A976D227E5D1DCF62F5F7E623211DD1B
A2A9DC1ABDD3D888484678663928CB024C359EE6
66332859BD8E3441A019E073A318B62A47014BA244121301034B510DC7532271
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\index[1].htm
false
60D16364AF71B1C06930BE081FD0F14A
4BBD54ABBDB7A0B04FBC333AF44C6ECD8BD87978
81A6610F0059F6AF53CE53D44403CE0C61EA7151F1758B14AD5B56023733C412
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
1F1446CE05A385817C3EF20CBD8B6E6A
1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
13AF6BE1CB30E2FB779EA728EE0A6D67
F33581AC2C60B1F02C978D14DC220DCE57CC9562
168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\B7F7.bin
false
76CDB2BAD9582D23C1F6F4D868218D6C
B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
false
132F51C71609996A338F9AE0F0E78C54
6F31E269704056C7B5491B8A48E92E77E4C86068
5AFBAB26EA341CCA5D2BAAAF92074150091F07EC37AF940D2858B849F779E513
C:\Users\user\AppData\Local\Temp\RESE3A5.tmp
false
36F098E1094504D4BE5DF5BA69A03664
BB6F3E131F60E154FBCD5B501952096059FFD5B8
AC39013115EF282109EA8035A30D22DE6E891383B7A9A4EFF5BB9F4CC6FC3DFC
C:\Users\user\AppData\Local\Temp\RESF2B8.tmp
false
67831FBACF5C21123C028A11397CB84E
882AE624FE8E5D5D5A24791E0318A1B2A2AA3CE8
871150174E0D820BFA4B1D09900AD31BA36DD714E28C64E767FAE9DD1D8F68B7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twtk1mxv.bss.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wj54lnla.ppb.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\r1g0ykja\CSC64F5131A8743441E92CD84029AD3C82.TMP
false
0B8E4F316DA223909D4133EA91F2F78C
FF0844D45CAFD125B043D715A9CC61E74A2F772A
32E3B5330A97050DAB4EB6965D19C10581128877FEE75AF4BED5916FCB2AC14B
C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.0.cs
true
D4D5A517F9067C63FF1E2CD06FF04EFC
0814005B14788AB122B61239F6F9A0DF5E2EA4C1
456457E03D6545970FAE9EE000DEBD99315D67B26070A927D0FFBA9313557902
C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.cmdline
false
FEDF72FBAF0AE3A02EC3D671D95BAA75
5C74224C3A3604DCF5C4F90CF752580296CC662B
76590DFFF46EE208D871031F48184D37D53C2A2F2695082E1747A1209E835BBA
C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.dll
false
970658B4D68B77DACF171054D23A2990
4ED65D8F7B69150B8D5FD0D02192CC65346F5B3F
14F0D127C7A74F96AF43966E890F6FB23AEFDBCC8023804A73F665F9340A42D2
C:\Users\user\AppData\Local\Temp\r1g0ykja\r1g0ykja.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\xqhvpwja\CSC8240488428EC4188955E47238990560.TMP
false
858640289204DB103BDFC164EEBEC503
8625C37E27B3A2D68A62617A0FFB8CD0EF285A8B
24086F60838586C71AD3410C4C46479D082ED9A8ECC70D3F21725478F6A2244E
C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.0.cs
false
0D1C0BD44D28AD43DEB9258AA123E80D
F7B712E4C18DF96BD4045D5DB9735172AF42F79E
CA05CF7C9B3B13FC2F81A65EC43DC19B46902295CF6B2C64F28A0DC86AE6E1EA
C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.cmdline
true
6BCDB8862C634C0AE1201D0646AF2557
1454DBE830DA1DF951F3354601951492BBDEF481
2A405251F26B7A6D6B0FB859C3FBB3455BBF8775CA5316C7E5AF6DF2C49CBEBA
C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.dll
false
AC053B0041524AB8A894DC7DC85CA114
72601703377F02E2784B1D32E244B0136D43E648
974410A0D53EC6D51163F593F2330EF8884DDCF7083B1BD632B3AD62E2888BD8
C:\Users\user\AppData\Local\Temp\xqhvpwja\xqhvpwja.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF11859F0CE418C879.TMP
false
F87A36FDDD96E4DD5B027C6BF63F0E30
0029F68B8110AAF47572293006A55F492D7ADD56
83F5E094881E11CE933C89B5B2B4F03249747A345E013245B4849BCEF6B31BEC
C:\Users\user\AppData\Local\Temp\~DF1646937B045BC3DA.TMP
false
137D88466C66B846AF424580522605DA
856F616E97973669733D47C22DEA88E1D24EAC61
51FDAB6FB59448DAF17B74291568B57B70120FDB78E13F55F568E52030C3176F
C:\Users\user\AppData\Local\Temp\~DF1B1DBFA3EAAA43B8.TMP
false
44200671A5F600B54347A32F1D025A10
E28F03BDE035EBE9935BACE3886490DA4FFFEFC2
F216D6CF08793F41F330913F0C0BB03A93B7B13A31098FCCE21A34F18B708057
C:\Users\user\AppData\Local\Temp\~DF353841425800A3EB.TMP
false
C4147132309B647849105AC9D68E711D
B8F553EA146033BF8E9BF9CBBE3DFB41F1CA67AD
828DFD7CF11F1E89C7F6D53F216DEB2C504AF22CC233B427B31CA3034746BCF1
C:\Users\user\AppData\Local\Temp\~DF64557C5276C97698.TMP
false
72D7408B7A4FC76AAA8C3060E90F684B
52BE9AD67A633994292348595904180E87CF8ECF
9D7B7B012DBF73E180578D60F6758383C75C530318B11C2D598150535E1C29C4
C:\Users\user\AppData\Local\Temp\~DF709AE905AEF802CA.TMP
false
66287218A994E4276F8075B1C8659562
441981933374FA397BDE6F8DA3515753C932FF4B
665A69F849A7A876C333FB866F2D46617298A40FDFBFE5781E04A3FEF1403929
C:\Users\user\AppData\Local\Temp\~DFA3603797F71A738A.TMP
false
70617EAE1DE7B88AF34D42C7E43C0125
0EFE52ADD752CC0A4D996E37936F5F86935535A8
30561D0992189E8848CD53857D5C4000785224E3BB734370D9BA485C5895B606
C:\Users\user\AppData\Local\Temp\~DFA4C86E0B864A7E93.TMP
false
593006FFEBA10A74B54605453DCC03CA
6D214078D0083CF2E4B7016250ECC677AC8FEB4C
1A73520BA4C936EEEA78319EF6CE3CE7B224C4977FF3BF6968293D89AD567AD6
C:\Users\user\AppData\Local\Temp\~DFAF1A2F0656D99F13.TMP
false
B57E03F4B608C78CB7BD3536B3E1CA26
3105E6A780ECCDCBA90DBDD1D3FA08C72D642A1D
42A6339EBB4E210E4911965D99C48265EAB24453711326E84F30586D7A5D08E1
C:\Users\user\AppData\Local\Temp\~DFBE97E048CA6F4955.TMP
false
DE0DE10252C2E060DEE0CBCD79E3CCD9
10522E3D7D0DC66E6AE9D11711124F9884F2A1C3
816951C1E260117CAB19299B843C1B251B8812D512A33D8B45E28C0BCD68F2B8
C:\Users\user\AppData\Local\Temp\~DFC2435DFFEF16A3A4.TMP
false
D023359207D72718A2A63E1E35EBD919
5765C32A88A92F1380BB25E7F97088ADABA8C8E8
F222A85A462D01005F6131C32EFBEAAABF7A6398FFDB9E85B0BA82EBBF49C6A9
C:\Users\user\AppData\Local\Temp\~DFE5D4803967180654.TMP
false
AA69B957BDA27C32CCD353298E15C524
467DBB09138BCD3AEE58051B7D8DB785D5ED95AE
46CADB6F5299427EFF894C7883AA6FCD656DEE8BBB04A74E3BEE076C13D29971
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J3HTYE83WO6W3OX06V2A.temp
false
D902A6C8599E2E4C824DC5230766D13C
8AD771D90B11B7B8DD07BC2FA1DF3E1D0BC62696
F7F73C1B86B950137A3DECF2D51212F3093BCB9A7C34862B9C9BD5A6760C8F3D
C:\Users\user\Documents\20201224\PowerShell_transcript.226533.mTDKxmTU.20201224092137.txt
false
911145BFB70E8C23CFFAC744B43771C8
AD95EBB48198F0E87F0F6EDFBBA9198AB4CB8562
838778E2765B2BF8422855C60EA164F49A03C59CEC7C5A95A0F448BC59F8B6E1
45.133.216.84
45.142.215.100
babsgans.website
true
45.142.215.100
hapynewyear.xyz
false
45.133.216.84
Compiles code for process injection (via .Net compiler)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a COM Internet Explorer object
Encrypted powershell cmdline option found
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif