33.0.0 White Diamond
IR
483549
CloudBasic
08:52:10
15/09/2021
RYhdmjjr94
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
44696d252000850d3ea71d9ae238aedc
1fb61a1df500f9025641526cb4013d555b129a84
1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
Win32 Executable (generic) Net Framework (10011505/4) 49.98%
true
false
false
false
100
0
100
5
0
5
false
192.168.2.1
127.0.0.1
Sigma detected: System File Execution Location Anomaly
Maps a DLL or memory area into another process
Drops PE files to the startup folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Allocates memory in foreign processes
Injects a PE file into a foreign process
Sigma detected: Execution from Suspicious Folder
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Adds a directory exclusion to Windows Defender
Creates autostart registry keys with suspicious names
Drops PE files with benign system names
Yara detected UAC Bypass using CMSTP
Writes to foreign memory regions
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Changes security center settings (notifications, updates, antivirus, firewall)
Sigma detected: Powershell Defender Exclusion
Multi AV Scanner detection for dropped file
Sigma detected: Powershell adding suspicious path to exclusion list