31.0.0 Red Diamond
IR
334007
CloudBasic
20:04:22
24/12/2020
fo.dll
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
b72c009b01b9321cbcb327cf285ccef7
8599a832cdc973e8949a631c349980c0f41ffc48
edf82bc9c74787acbae4fc2a22aa35646616d23b781d6a75a7799a25431398c6
Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{76F37E59-4666-11EB-90E4-ECF4BB862DED}.dat
false
3BA40B952E8AE2226129E9FFBDFCE86F
58E72451A1BABB726B4B6C9C178D5DCD5AD390EB
51E43890FB861E66B3F765CC577457F9A65A9CE932C4198E9823659934FEB804
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{76F37E5B-4666-11EB-90E4-ECF4BB862DED}.dat
false
BDF39A01D5B6930DFFBCC014A4E20D0E
B65857A04CDDF2AAAE530325E6D2B20047722986
E5099D30232FC511ABDCBD78C6ABFF45CDA166BBA9DB38B149EF24070E019685
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{76F37E5D-4666-11EB-90E4-ECF4BB862DED}.dat
false
4CC6588A2130BC9243A79FE607FFFBEE
672A8E0A0DD98FDB277B41C129BCD778C265A9ED
328E16C9551AB5D731DAA862A0C1B49A7BF7EE71B2982C387F70B822C8827A0A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{76F37E5F-4666-11EB-90E4-ECF4BB862DED}.dat
false
7C325C3F297C4DCF0BF1C197EE980E39
6814BFBF8F902662AA3C4BDA71FFDEC60886C297
89F481EF96B0B3E8C1AD4502AD82BEC2686F8CD8C7411DBFE942AB91455807A8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\m40BS[1].htm
false
65DF8DC167A20C263A4D3534FFF80DA1
FA869DCD5A6DD621650C6F2BDD633C89C0FD8F80
3D7118852FB84D0DC3D1416E5A952F1362C0FC2830B59C7BB32C59BEA72CC1E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\dh68UKBF[1].htm
false
FE25148E04D4F5E36248F4ED7EF32D51
065BC9E2F194E00B370C09937CE8980BE22A82D6
BD24C0946CDE89C66BB749921A4F0E476471E25A1DD219F044CC9D0477BEABB4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\c[1].htm
false
5D7CEF728FB6CEF31E56E02DCF81A722
D817BC33E2242AA5C3E73379CA028CF2E6D64F3A
A60C4644F3831A39E2A2F054B3D79AEF8AED1A70D145FA4EED92B9C1987BD74B
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
1F1446CE05A385817C3EF20CBD8B6E6A
1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
13AF6BE1CB30E2FB779EA728EE0A6D67
F33581AC2C60B1F02C978D14DC220DCE57CC9562
168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\1E42.bin
false
C776E0BF04DF2D40BB86437F43C74CBF
3241F454C899AA8984347141AB38D85FC5756036
56BDA2DD863AE13A0BD1748BA442E85992AD0DB739BE0CACF881BF9EAF632F75
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.0.cs
true
66C992425F6FC8E496BCA0C59044EDFD
9900C115A66028CD4E43BD8C2D01401357FD7579
85FEE59EDA69CF81416915A84F0B8F7D8980A3A582B5FA6CC27A8C1340838B6C
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.cmdline
false
B59FF73B6F2356C8B3A7D53ED5B6A984
79952785C7C98A8CEEF5E6A6BC831D29E646CB35
101A98677CAE531FC2DD33F58EC9C71231D260824C7AF1AF23FAC46A8F6EF92B
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.dll
false
681EB1FEADCF19F96249850A9BF3C44D
A2EA9BC5955DC7E43A8D8CB3FAA5411E3805E388
2143EBA7F00C01B97CEFCAF004818DE2AD5A504017CEA4988FD737F312247C4F
C:\Users\user\AppData\Local\Temp\1dcawf3x\1dcawf3x.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\1dcawf3x\CSCA42BA027116C433D856471BB95F3A1F.TMP
false
4A96CE1037F4F42665427827B103AC20
0B9A6C891779474103D93DF4575C13693E1E0F09
9F4168602570EDA2026FD4A76F88478ED6B6279D4E3FD8C6C9E804BEF969DBB0
C:\Users\user\AppData\Local\Temp\9634.bin
false
8BACB2C9EB749ECDB8092B8A8F619E75
2225F4165AFBC56A3C03FAF5A319582BD04D870A
9639B2B099DE0E8288A272AC7E66845617612B7DD60E2AC5CF381ADC8C2C029B
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
false
423B1FA12F8995B5F6845BB7F45C3625
56838D71082660229E4D9E59C7B5E8FA7D8161E7
EB6D1D164BC713159B697C801ABDE2DCC6783177181F7D6BAE6E12F811D92DB6
C:\Users\user\AppData\Local\Temp\RES8A0A.tmp
false
A03D82A9136D98FA3BD91E9184B0BBD1
02F4CA54A9C0ED19EB356C7A1ECA83E3EBE3ED78
3213A0A5DC54F048FBA85A138A3CA82E4BF93D0E1B91982DD39DBF9019C5E30A
C:\Users\user\AppData\Local\Temp\RES97F5.tmp
false
A96DC2A7E9D8FD224A6C7D5E7554BC07
B7EB62A39397C95AAD5428DFEA767BBCD515EA77
44991F6758348263713125B660535611E46B46F42A004EF84A643E6F2ADBAF66
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5em5ahyt.yzd.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lil2rdrc.l5h.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\b5r2gs3w\CSCC26898CFCBA4739B5B18589DB58EA5A.TMP
false
38CF2D951D4318C2C2A048F44659F2FA
ED3F7B3899285E7AC7BE66E053A1AE240F3603A5
B4E9229BD0F6446F0685E62478FC8C7E1FFBBDABC0F688DAA798F595DF26314E
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.0.cs
false
9B2165E59D51BB6E8E99190BD9C6BC8B
02B2F188D7654CA079ADA726994D383CF75FF114
36E14435EE02B02C2B06087FF3750569342E8B8D8571F3F45E61AF50D3B03CEA
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.cmdline
true
3B4D9EAC8C2E75560D56D6C821D46B4B
EAB33668975673269FCF24231B31EECCCC9CB80E
6705597A8270976A98451200DE1F37B06ABC0B8BF1A4CFF9DA8031BF6E01BBCB
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.dll
false
81F30C38D7E34BC044039A696C2AD767
8D95ACD7DFC46DA99687C5FEA99DBBEE4BCB3FB8
170B4BF11B20E8E2D6CDBE68C5A4AFF91827D9DE66EC60070059D8970689F1BF
C:\Users\user\AppData\Local\Temp\b5r2gs3w\b5r2gs3w.out
false
83B3C9D9190CE2C57B83EEE13A9719DF
ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\~DF5EC5B053F0D07BBB.TMP
false
3C3295D5682D8B7D2191E266AD608DB1
2B450FDC8A8167F27A826F5655B0629218ABD442
C3E2316A2D004FAE565A5AE2F28029EC31D781C139D21362203F97C5C544A9C2
C:\Users\user\AppData\Local\Temp\~DFB66FFAD31CD35F0D.TMP
false
CA52C0FA479249691F85569D97DFCAF5
3E7E2CCF6245992FBEEC4A02C5548175F0F551AC
133585CAA9CAB798CA3E2AA3F53CAEE9CC073D83BE46B7A33EDE2AA42D9E76B4
C:\Users\user\AppData\Local\Temp\~DFCE9772CEB2FA999E.TMP
false
772F68DB8C47C363934A50FFF843DDDF
B7B1DC3A421B7E50EBFA753A473680FF32EF96F6
4AA529B4748022D309EE1EC9B7697B8AA7D1BF4AE6AC3DCDF6DABC657D7741DD
C:\Users\user\AppData\Local\Temp\~DFEC113D747FBB8244.TMP
false
4D5AF508FD40653DB3EDC398A730109A
9E8434474945CAF9EE34645C001DC00F979F5021
91515EA59940698096425716363B8B12115B3DFBA833C0A5C2CC166857F741F4
C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6}
false
613E892365E73A324B6725D5C69FAD21
C8EFB9264DAC2A48C94722446D94CCB7882EF36F
D0BE0EC8E2FE86A6DE6C6292BA2A95103F1D5B42DA225DF05057EA3D206DC0AF
C:\Users\user\Documents\20201224\PowerShell_transcript.579569.evZorecE.20201224200606.txt
false
BDB088ECAF159870C10B53505822040D
B283FFE225CB8A0BD7F77FD48615E7D0F35A97FE
707378DAA8774518869558B9A49526C23E571D414B99379CB1020E82C7E56555
192.168.2.1
46.173.218.93
c56.lepini.at
false
46.173.218.93
resolver1.opendns.com
false
208.67.222.222
api3.lepini.at
false
46.173.218.93
golang.feel500.at
false
46.173.218.93
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a COM Internet Explorer object
Creates a thread in another existing process (thread injection)
Disables SPDY (the HTTP/2 precursor protocol, not a compression scheme; likely done so browser traffic stays on plain HTTP/1.1 where it can be intercepted for web injects)
Hooks registry key query functions (commonly used to hide registry keys from other processes)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prologue of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif