34.0.0 Boulder Opal
IR
548650
CloudBasic
08:07:13
06/01/2022
T5dzWoyBkt.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
f073b540a352759bb44d7a1eb641fe61
af036e219b6e7d6551713ad406d816d9f88b4312
067e76900265c87d66a44f765bb720bd310e52181badf19efd63f30210f62001
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C48A.exe_2673aa158c6a893c1138be40a650902eb2d08864_a906c4f4_16b24a5a\Report.wer
false
FFA64FFB53135179CA3504ECEA761388
BD04CF2A570DC92A4E4A3F01FE77B765608A8519
C0814EC4BE749555B9BC57CC0D2D45EF723092AE9F63FB67C712055A078EB7AA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9092.tmp.csv
false
9639EE6323474BD1727E280FB9036B21
1A557BCE0725554A606127E6CF196BC8000ED29D
E29D9F54930D000AB92189D12B4DEB3455E7C6E7F946A1BC80AD2A3FC32FB0D2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9487.tmp.dmp
false
E449097EE84DDED661F0E50B9294BB93
3F4B83338B2B630CD955D1D6D5D7C8EBA78AD486
41FB819F129B64C90C06CA60FD835A79294496DF5397DAA3D3939B16C5DF9A06
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9A96.tmp.txt
false
95A6C17192DAA133C694926E425D1279
A5407D55DA2E8221041112C522C0C03515AD605E
BCE3C15C5EC4076085FF28BE89C16A516C05B4A1B9023A000C20B487A8A1C188
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E40.tmp.csv
false
00B7C8A4058E7DE333FE9CCA099CA575
F1EE0480008B33C87AD0C5AAA1B3385383658316
92413D4622D409D9508F037319BFB8F722753FBCCBFF91243C9D9A9146526D0B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EBA.tmp.WERInternalMetadata.xml
false
44D50011F077C1546B84C2E9B796D7DF
0D97ED9AAB461386AD0781483B0421B6B7FB039C
29211ABA4C27408F9A6F6A331C61C698AFAF52A16959C4894F6B8A18DFD4BAC4
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F7A.tmp.txt
false
04E0A447AACB518675A98D1B4747E655
9E7AB3246C0020C8BB5EAE18BE9DAC10F1F84E31
31B05853043ADD528910BF72755A7FEBAFAFB182B095DD21F30C8CF4BA2C8A37
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA552.tmp.xml
false
DEB1520205DD1A7C7533323BC82E2D2B
ADAA096798EF0356D3673072F8CCEBD0838426EE
67CCCE881CF08FFEF42E7554E594B634D56CDD10B8A1CA61762F97BE2447184C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA94D.tmp.csv
false
EB89FA4719BFBB3BA4FD8CCA245EE2F4
36918F7E02008D85CC73E171EEDB8C83E943C205
2CD5120F861AC0F4292E39E3B8F20F7409C3F6B009285A648C540E7A5B2347E6
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB11E.tmp.txt
false
931D4A8915227AC5EB617448B86F6B32
C952F2E91D71E8439627EA260D3FDDB6F25A6609
EDCEDB6E9935AC7060A688D8DA66D1336995E70CD4693FD374F466D9ED092504
C:\ProgramData\sqlite3.dll
false
E477A96C8F2B18D6B5C27BDE49C990BF
E980C9BF41330D1E5BD04556DB4646A0210F7409
16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EF80.exe.log
false
65CF801545098D915A06D8318D296A01
456149D5142C75C4CF74D4A11FF400F68315EBD0
32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\sqlite3[1].dll
false
E477A96C8F2B18D6B5C27BDE49C990BF
E980C9BF41330D1E5BD04556DB4646A0210F7409
16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
false
BC7F0CC1FAB305DDB2FDEFEE52548966
4A3F37B70A8F29668BC589855CAE479EB7147F86
A3F18986E12B23F1F889BBA6B3AF548B707C20A66579A45F79A38C8DC82E5BC9
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
false
FFC4EEAB4E82DAC3439827D1C82AC5E3
8E34DAFCB42F51542A228DCDB44503DF6A7E0547
ABB0ECDF1EBD3CAB4178A553A603F19DE34648C8BE59588FA43FCD4B5A6D1275
C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
false
C72E0B05E2B039E1A3B24CA515D4574F
64C8987CC6805BE28AB0B6F99744DCB3A4F93CB8
6607B4185D7F456D1BE266E46FB25DF116A35EC948626B368532476468BBF4C3
C:\Users\user\AppData\Local\Temp\16PP8GLX
false
00681D89EDDB6AD25E6F4BD2E66C61C6
14B2FBFB460816155190377BBC66AB5D2A15F7AB
8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
C:\Users\user\AppData\Local\Temp\26FU3EKF
false
81DB1710BB13DA3343FC0DF9F00BE49F
9B1F17E936D28684FFDFA962340C8872512270BB
9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
C:\Users\user\AppData\Local\Temp\5FCTR1D2
false
72A43D390E478BA9664F03951692D109
482FE43725D7A1614F6E24429E455CD0A920DF7C
593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
C:\Users\user\AppData\Local\Temp\A9A9.exe
true
26C406D1218ADAEC5E5FD1E80A9166F5
6129A7F0066A0868DD88CC90E2FFAB3E40504073
B912D450E6F45F40FCC8D4D6A056206667F56B4A61100E2C3F43589C50BD6E6E
C:\Users\user\AppData\Local\Temp\AD19.exe
true
8C23CC666860658E657DC4652A48FF91
DEEBC6A7E00DB0B79C52F1D922EFA05DBCA3333E
A7EE420FD3A477E690DAB56F47B264DD6C8376941101065D6645716BBF4B6333
C:\Users\user\AppData\Local\Temp\B94A.exe
true
C085684DB882063C21F18D251679B0CC
2B5E71123ABDB276913E4438AD89F4ED1616950A
CDA92BB8E0734752DC6366275020CE48D75F95D78AF9793B40512895ECD2D470
C:\Users\user\AppData\Local\Temp\C48A.exe
true
1F935BFFF0F8128972BC69625E5B2A6C
18DB55C519BBE14311662A06FAEECC97566E2AFD
2BFA0884B172C9EAFF7358741C164F571F0565389AB9CF99A8E0B90AE8AD914D
C:\Users\user\AppData\Local\Temp\CD6F.exe
true
1FE2B9EA76D3F03CD08E9B969CD11F57
4A4A2CD043DAAC617F6E8FC700F3C240C664CD36
DFB62F76439F0D9E793B99B9674A2328D840012BC6776DF91A627D59F863B59F
C:\Users\user\AppData\Local\Temp\DACD.exe
true
6146E19CEFC8795E7C5743176213B2C2
F158BB5C21DB4EF0E6FE94547D6A423B9FCC31B4
704FA847FBC684CA65F3A0A5481EF2546CC9FDE9DDF35F18CD83C0689D124C06
C:\Users\user\AppData\Local\Temp\DB1C.exe
true
F5CA7A4283A387AC2D9FC3427D20EB17
055120692B38E06FA5B5993262DD4FF1A572DA1C
0684DF47E885AB1F70B2EE3FCFD5D2FA3E3AE1155F11ACD6BCDDAEA4022D36AA
C:\Users\user\AppData\Local\Temp\E5F9.exe
true
E97EA1C4CC3EFE421BC13D3A1FA4D0A3
C5FEEC28AC884851966DB5B266C8155D81C6C0B0
05343A42626EC21C12C2E642814860EFE16284278E6FD595D2EFCAE0647B4C0D
C:\Users\user\AppData\Local\Temp\EF80.exe
true
9D7EB9BE3B7F3A023430123BA099B0B0
18F9C9DEFA3C9C6847E6812A8EA3D1F1712A6DB1
18D57C2EB16F5A8CE1058155D2912C2C4871640C444F936469ECFEA5E3D820E5
C:\Users\user\AppData\Local\Temp\YUAI5X4W
false
16B54B80578A453C3615068532495897
03D021364027CDE0E7AE5008940FEB7E07CA293C
75A16F4B0214A2599ECFBB1F66CAE146B257D11106494858969B19CABCB9B541
C:\Users\user\AppData\Local\Temp\npcipivi.exe
true
D7D754B8387667DCD43EDD3ACA2086B6
02D83CDB8B6C525037D188A640CD6E4A59046BDD
3BA17900BF932F0948542B234D2D6A1E387979FEBA8828D514E01672B98494BB
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl.0001. (copy)
false
BC7F0CC1FAB305DDB2FDEFEE52548966
4A3F37B70A8F29668BC589855CAE479EB7147F86
A3F18986E12B23F1F889BBA6B3AF548B707C20A66579A45F79A38C8DC82E5BC9
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl.0001 (copy)
false
FFC4EEAB4E82DAC3439827D1C82AC5E3
8E34DAFCB42F51542A228DCDB44503DF6A7E0547
ABB0ECDF1EBD3CAB4178A553A603F19DE34648C8BE59588FA43FCD4B5A6D1275
C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl.0001.. (copy)
false
C72E0B05E2B039E1A3B24CA515D4574F
64C8987CC6805BE28AB0B6F99744DCB3A4F93CB8
6607B4185D7F456D1BE266E46FB25DF116A35EC948626B368532476468BBF4C3
C:\Users\user\AppData\Roaming\eijrgvi
true
F073B540A352759BB44D7A1EB641FE61
AF036E219B6E7D6551713AD406D816D9F88B4312
067E76900265C87D66A44F765BB720BD310E52181BADF19EFD63F30210F62001
C:\Users\user\AppData\Roaming\eijrgvi:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20220106_160807_384.etl
false
7A551C61C8A203F92F1A016D62FD3F4F
E095B1439739239750A44FCDDDD71804A052CA38
DA2F8F8AF2A70FFBAA340E5857D57BEB11F97BB942C97D553A8D730BF0D96B70
192.168.2.1
139.28.222.172
188.166.28.199
86.107.197.138
54.38.220.85
162.159.133.233
104.21.38.221
144.76.136.153
185.233.81.115
185.7.214.171
141.8.193.236
94.103.94.64
67.199.248.15
185.186.142.166
67.199.248.10
91.243.44.130
unicupload.top
false
54.38.220.85
f0616387.xsph.ru
false
141.8.193.236
host-data-coin-11.com
false
139.28.222.172
bit.ly
false
67.199.248.10
bitly.com
false
67.199.248.15
cdn.discordapp.com
false
162.159.133.233
goo.su
false
104.21.38.221
transfer.sh
false
144.76.136.153
privacytools-foryou-777.com
false
139.28.222.172
file-file-host4.com
false
139.28.222.172
data-host-coin-8.com
false
139.28.222.172
Sigma detected: Copying Sensitive Files with Credential Data
Yara detected RedLine Stealer
Maps a DLL or memory area into another process
Detected unpacking (overwrites its own PE header)
Injects a PE file into foreign processes
Yara detected SmokeLoader
System process connects to network (likely due to code injection or exploit)
Contains functionality to inject code into remote processes
Deletes itself after installation
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Yara detected Vidar stealer
PE file has nameless sections
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Contains functionality to detect sleep reduction / modifications
Yara detected Tofsee