34.0.0 Boulder Opal
IR
557830
CloudBasic
17:17:28
21/01/2022
775578748333_FEDEX.vbs
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
5d3ad82ef16521df753bc6baff37f72f
ac4df3a47570b88a4768c2c461b15f78b99753dd
19469f11cba8ab55b84cf26efa8835e906d07fdb73572c9ee3594e5c44c798bf
Visual Basic Script (13500/0) 100.00%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
937C6E940577634844311E349BD4614D
379440E933201CD3E6E6BF9B0E61B7663693195F
30DC628AB2979D2CF0D281E998077E5721C68B9BBA61610039E11FDC438B993C
C:\Users\user\AppData\Local\Temp\CSCB8D22C72555343A48341CA7311A8A12.TMP
false
110398E3A6E3FAFF6B7917E605399EF4
2C99A1588B22A3F1B168F9C413CAB1364E98098B
1F79ED65EF4FD4135D4315A79EC6FE75A158DA0B23C47935330C5943E248F7E3
C:\Users\user\AppData\Local\Temp\CSCF0319BB5C3414E72AB519E7A67BBFBFC.TMP
false
4B615CCC4447D672FE1859E8364297C2
8109B8E9BDF7EE9F06AED6DE3FBCD39105D86F11
9A02A83D27F40171E09271FD9F52A1C9CFDF2E02D1A1EDA59379932A2713F2F6
C:\Users\user\AppData\Local\Temp\Grund.dat
false
2EC027F5AF868CCA83AD50C2E2604925
61EA6D742EFE598567175352E6D39E7949CE3CDC
ECCF8BD7ACAFE87BE6FC4F5AE205D55475C631064C307B5BFCF4FFFED570299A
C:\Users\user\AppData\Local\Temp\RESADA2.tmp
false
AE16F44AF1EC43161EED5BAE183D41FA
885430D172B8533098F8F273F846CB5F440BF45E
18BD2DC6A856E1DAC8B4DCD9B31D6F0DA5684877A0649188C7B3C87432A943C1
C:\Users\user\AppData\Local\Temp\RESD568.tmp
false
49297CF41EFFCE47C344B08866E9F1BD
421DF45146B3DB830F3690CE5CCD70549D2E0C32
485E053014ACBEF851F70379D5E634E3FC6E951F76519B98EA8CAAC2E0EB3229
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ey3l5zz.5em.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44sbwrlu.vpn.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ansctxp0.z0a.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j5juvrhk.vf2.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mdkzcoqz.qqx.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n2mec0pm.ex3.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmioe5ck.e4k.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s0eeuky2.wtr.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sbqcuw3q.cze.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yatvffab.mac.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\t20mycit.0.cs
false
6314FACBE2F665388A6B8F4B896DC466
E2C28D0A6F2296F48C3CFB1E446CD6691BF1C252
CD7E99D32CB2B1D17DB5AA28CAB64BF5A54562C1D3B46C2E19C07B924DA350AF
C:\Users\user\AppData\Local\Temp\t20mycit.cmdline
false
CD847B5284CDDB272692B5D1D47C3459
FA4316BDE37F448A93F44CB08607597536F3A85D
1A1CAF1E50C5B823027736DD27BFA694DDAF5D8FB4A81BC19B1E081BEA88A8B6
C:\Users\user\AppData\Local\Temp\t20mycit.out
false
A4559742D2EC3AF78C5EECEC6A3B40B9
15E0A3E691E705969C545FD86DDD31A48A89F57E
B8DB630A91E899C72EBBBED21F2BC95B3BC6CB7AA15739729DBBEBAD7C3273C5
C:\Users\user\AppData\Local\Temp\tm43worv.0.cs
false
6314FACBE2F665388A6B8F4B896DC466
E2C28D0A6F2296F48C3CFB1E446CD6691BF1C252
CD7E99D32CB2B1D17DB5AA28CAB64BF5A54562C1D3B46C2E19C07B924DA350AF
C:\Users\user\AppData\Local\Temp\tm43worv.cmdline
false
11654963EF047BDF4202258E21F47249
82658B3772E819CA9EDD56FD4D98CDD331C1EDC4
A579778FE788EE679AFCCE0811A469246A79B87005B3CFF434E0E1EEBE93187A
C:\Users\user\AppData\Local\Temp\tm43worv.dll
false
4DBA98A8B20E7DEF07399B1F3B4178C3
EF9FFD8C9D5B9697473FBDBA5236FAB73B38F537
283AB71A50C1B0F281C15AA7FB1948E715B63025806B8EF14D8577C08844FCBC
C:\Users\user\AppData\Local\Temp\tm43worv.out
false
E48144B120BC6ECB4E6982ACB5B8507D
9DDC45A0FBFDCF8133ABB9D124C7176A6AF773FD
8B187D402EB2C6FC9FB65F9CAD1ADFD79F05BD8FD2DD3464D7D81817421FAAC3
C:\Users\user\AppData\Local\Temp\yy0zjl34.0.cs
false
6314FACBE2F665388A6B8F4B896DC466
E2C28D0A6F2296F48C3CFB1E446CD6691BF1C252
CD7E99D32CB2B1D17DB5AA28CAB64BF5A54562C1D3B46C2E19C07B924DA350AF
C:\Users\user\AppData\Local\Temp\yy0zjl34.cmdline
false
B907ECA574C06990FA05BDF55E900AF5
09FB6894BFC6761065A6162062D56D4682F3DEAB
00149F5AF310F566B64A13E0C38BBE680865935D0AFFBF327CF24ECAAF042EF3
C:\Users\user\AppData\Local\Temp\yy0zjl34.dll
false
D22D9B0B09FA15E00141CBCBDFAE1301
21AA769A4A4DF0B61E927BB1BFDFB251726FE824
FA03FA068DABDC268980A2653C1BB5390D95FBEC37C07BF740D09CFA1745A6D5
C:\Users\user\AppData\Local\Temp\yy0zjl34.out
false
62E97906E41AF478E45642B6ACCEF0E8
48C2463FC1CFB502FBA57D68B8ED09C08A738E12
2FAF6029B76249BEA7BEB4303A5B71546F9DEE946FF38B570B1A36AA48FFA96E
C:\Users\user\AppData\Roaming\remcos\logs.dat
false
62B5144F940979F0659FFA6B9FBD0F11
1D15D8C46D5C6BF297DB5998B0FAF3469ED1D3D9
E25285C1307C85775824210E3CE0B760C7D7444C7F27FC93E16D06B5CBC01A82
C:\Users\user\Documents\20220121\PowerShell_transcript.936905.4mIv9YDg.20220121172114.txt
false
0EC084B217C2F41A7D7CF4F115A8A503
ED92826ECD6A5BABDE86FD39C95A38292A9B2D34
A213EF9DC6A8EC55AA131D3794E5A709EA7B66E4EEC692FB75C950D44381B3BC
C:\Users\user\Documents\20220121\PowerShell_transcript.936905.D1RoMi0p.20220121172156.txt
false
9CDACE65DE2EBD03B4778306EC880CCD
D0E73803E8A90C57D3D8947C4E4EF94BCBD66A1C
5D6A312D77B27AA42812A3F7F334693FC5774D814873B4FB3782354FF3C7DC73
C:\Users\user\Documents\20220121\PowerShell_transcript.936905.KCw_zsFX.20220121171948.txt
false
B4B824725B79F10F94CF660A81244798
D0C09FBC299AFB884E1B78E1FF6889E574437846
0C595BF5AF37DE735B18ED6CADDEE668ED86B8EF0B8AD702C849779352307C31
C:\Users\user\Documents\20220121\PowerShell_transcript.936905.XaMWoUUI.20220121172118.txt
false
7AE0FE7E7E225B86E5E37AA31C226C5E
BC635767F3C52EF9059B85D9DDE36E4AF372A502
7EF5F44B981096AE1DE147595FEF41A51EE2A53D90D17211D527A3C716587779
C:\Users\user\Documents\20220121\PowerShell_transcript.936905.p0XZL_7o.20220121172125.txt
false
7B3337C0D3444E77B42B5341AD46C3CF
CDCD9EF3ACF2E04356EB1A673C7B74851FE6C98D
7C70E4DAD60EECDD44EFDB5FAC759105451ABBF83F15CC496559313F7D641DDE
52.68.15.223
199.195.253.181
rnnfibi.hopto.org
true
199.195.253.181
www.wizumiya.co.jp
false
52.68.15.223
Hides threads from debuggers
Installs a global keyboard hook
Creates an autostart registry key pointing to binary in C:\Windows
Found malware configuration
Potential evasive VBS script found (sleep loop)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
VBScript performs obfuscated calls to suspicious functions
Yara detected Remcos RAT
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Multi AV Scanner detection for domain / URL
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected GuLoader