34.0.0 Boulder Opal
IR
560422
CloudBasic
15:11:02
26/01/2022
tregrene-KaufVertraeg-JoachimSvensson-23564334.vbs
default.jbs
Windows 10 64 bit 20H2 Native <b>physical Machine for testing VM-aware malware</b> (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
WINDOWS
b8fbb413a49b2f05872cb38372454664
2071d3476c94b3cfc924b31c705806e78df674a8
cffa320db9834e3f224aa5961073fc9d0cb14f34c6430ffa2d7468da7da7ce32
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
677C4E3A07935751EA3B092A5E23232F
0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
EAA8DFAEE509BBD1E793AA83B0F284B9
9ED1F70DA6E85688CE71411E3E3B74C7D3B7361E
18D5C29B5B8062E9F9991E07EF2262767FFA937F1CCDE05762DD4A6A79229711
C:\Users\user\AppData\Local\Temp\CSC1F7F6E38280547C88EA9F93164256468.TMP
false
319FBF211437C81C30270D61AB6A87C2
042A0181182DAFCEFDCDC41FB192C32A3D2E2ADB
FBBC5A0DB64F82ECD94477C5AEEBE57A6FA39D781039B98341628144C8DB135D
C:\Users\user\AppData\Local\Temp\CSC8CEBFB2B5FB1400592E8D3F6A040AE46.TMP
false
0756691AB92FF1F7DA51F6E76F5B2226
0AC16E93E3177257370FECA64F6FD4235C15856B
9B49A4E8F738C9D90666AB8B599FDE4A7D2BB97605AFB6F2D82BAFFE3C56CB7A
C:\Users\user\AppData\Local\Temp\CSCED2B87455DE24E4084C3BB361169C34B.TMP
false
78FACAA5C64D73B8303C2745119D8639
07C2A47D1A4CBB7DE0B25A6423D50AC41D36A627
1084F7DD1871AE1D7C6D7E3ACA36DB4515DB9FC2490668D20489EAD970A03DDD
C:\Users\user\AppData\Local\Temp\IMG_25254535627256.jpg
false
5C586EBDB38C15DE419B6F86C673E41F
B3DFA3B4D023741706513ACEB1AC931E61537A16
C68B9B35933838A331E69F93D9A495D9A223E65AAE0322F563322B174DDD7710
C:\Users\user\AppData\Local\Temp\RES330D.tmp
false
E2ED0A44339992DBC80FF119D4A1472D
0616FA4BC82266274AFBC08FDE9FCE0A077DFBD1
464ECFEC7EAE5E3DE49D51075F784FA5C11C9637D91BC26DE21AE5FFF6FF0554
C:\Users\user\AppData\Local\Temp\RESB0A3.tmp
false
DDB6A9AF7DBBF457B34A97E34C2A7AB9
B090625AE5358C9EA2793E9622898D20BE517C41
B647973EB34273CA2662BAAC4ABCB2D8A3E613D2EC048CE277106A46D11746F4
C:\Users\user\AppData\Local\Temp\RESEA37.tmp
false
F00C39B27775F987E3F4B16DA1D4BCAF
9E6FA026B1A5AF2D3FEEF759836394486AFF1062
15AFBFD2D213B6D2FE68D4BA32839A49CEBB19B900C3BD042222FB71E0851A91
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jx5505p.jkb.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ddpbrm4.fch.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ho4kuc44.kw0.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxpiysgi.bhw.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzrfl0di.yca.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvaqwnn4.2ae.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qyijevp4.g2t.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vhoxudov.lfr.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w1cjsfyh.uqr.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2udcow1.gts.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\ginqqgem.0.cs
false
6EF217E1B387262CD37C8871BD75207A
D3D9DBD4C81658B7A1F9F0F99EBC4FF4F00C0D26
38905131EE1E1DDEF2A4BC7CB49F29B1FF449275C3B21BE90AF10F2232052D57
C:\Users\user\AppData\Local\Temp\ginqqgem.cmdline
false
CB4E7CA0DFF4EDE32342A29CD65E0B59
74A8D1C899E269D2BF65001777E9EE66918434C0
65DD1522EBF42158DBA7EB76D4959EEF5CF574A40FAFC9FDED60295F8F6C3E8B
C:\Users\user\AppData\Local\Temp\ginqqgem.dll
false
7A01FB8FD3BDA7D20976F520A9D7CF93
6E13A6DF030EB0E079C392E035C08EF2B753FB44
712E05B3819BBC20B64478B0146D04BCFF165427EBC6C44BA008C069781F6E1A
C:\Users\user\AppData\Local\Temp\ginqqgem.out
false
00585E1E9A6A622706D4FE9D5F46A06B
3C0B2C0BDDFA197EE274C69BD84AA77E68815B94
8FC1A2726A5E65D06271C29055E65513971EC9A97BBBFD11F75DA46022DE633C
C:\Users\user\AppData\Local\Temp\rf0jcwxf.0.cs
false
6EF217E1B387262CD37C8871BD75207A
D3D9DBD4C81658B7A1F9F0F99EBC4FF4F00C0D26
38905131EE1E1DDEF2A4BC7CB49F29B1FF449275C3B21BE90AF10F2232052D57
C:\Users\user\AppData\Local\Temp\rf0jcwxf.cmdline
false
538F0685436C779F2FFEBB67B3265C58
26B5C217EC161AC442CFC001548E7805A6D72B7E
85746E35181140091290479393CB35248E72C25FBA368E8D2BDE72EBCF48CB76
C:\Users\user\AppData\Local\Temp\rf0jcwxf.dll
false
5BCA91A3D09C9A841A2713A1C89B152A
A72B43E71D098261CEBF32B998D2E52637601458
0EAD06D114B5D65E243A8D96DEA65784A926D89B8F966756FC26F477D562A6FE
C:\Users\user\AppData\Local\Temp\rf0jcwxf.out
false
CA1911E5049D02F843D992C11384CDED
895AFA1ED6A30BC04321058FE0850777338F917F
E4653499C9018CA141F8B043830D13F444986563EBB443E121E84A88C0DA6142
C:\Users\user\AppData\Local\Temp\wxgbxjsa.0.cs
false
6EF217E1B387262CD37C8871BD75207A
D3D9DBD4C81658B7A1F9F0F99EBC4FF4F00C0D26
38905131EE1E1DDEF2A4BC7CB49F29B1FF449275C3B21BE90AF10F2232052D57
C:\Users\user\AppData\Local\Temp\wxgbxjsa.cmdline
false
37DC0A6CB01F49597613E17A86E0BB9B
96C6CDF7D2EEEC1AE6E33CFBE67FBACDFC33A9B6
A8B69130B728623FA3E9A4FE40DDAEA6528809D1C55CDDC5586072FC59903A3F
C:\Users\user\AppData\Local\Temp\wxgbxjsa.dll
false
648CE9A07B26795B35796F8B5611D395
6461DF6DF3D818BDC15415EE317B19C20401983E
3B8E8A20708057B65761B41854AECC2B1F236AF8E2B1AA3F689EEE3BE35A9A31
C:\Users\user\AppData\Local\Temp\wxgbxjsa.out
false
1DD5A20631F3D878D94B9E629DBF1A88
FFB138520609A2AFF173C7D69BADCF135E59AD80
6C07FAB3C513BC5D18A1BC7686060C611B3D0FC26355341A0C4F0358FE48EE65
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CX7VR8NTK1JEZL7Z7HA8.temp
false
1F61D56851803222A44088001752DB40
8702A0C09938729C56FC9A0FCEA3DD568DB4EDAD
7260C73F26D25DFE5756ADFE1C810D563AA70CF5B5DE25F153905D261BB3F808
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LHBYS6CGLONKU62STSP4.temp
false
1BE9FFEF030EA207FD54EF68D69C9C91
179124112F1A7EE45D735464A9491F0138C9C4CC
1A2B5DEE2D3B8904A927C7C14D0D9ABC0198D0D4513856B6497A14395CFC5B32
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)
false
1F61D56851803222A44088001752DB40
8702A0C09938729C56FC9A0FCEA3DD568DB4EDAD
7260C73F26D25DFE5756ADFE1C810D563AA70CF5B5DE25F153905D261BB3F808
C:\Users\user\Documents\20220126\PowerShell_transcript.134349.9aadHJ3P.20220126151432.txt
false
402F9F12C702ADF31178DF89F8BC1950
AC4AA479D77568E5869A7BFB97B85E193CA22351
6D07135C4044BCCFA62778D0FD8BED573AB0564C9436CF74B095EE8E60DC3E69
C:\Users\user\Documents\20220126\PowerShell_transcript.134349.Ee+5Lwt6.20220126151517.txt
false
820758D56FE3DE30CEA889A9C6A98B50
CBF87BA7BC0DD3009B863F4290405F6CF0FE0CB3
968541B13F036DF5EA776B5B1684A0EF8536D4DBA9000CFCC76CF529ED651120
C:\Users\user\Documents\20220126\PowerShell_transcript.134349.PE71oyej.20220126151427.txt
false
9F42C05485CDB868C6150ECF700EAA4D
EBF557F9C2DEC11D7A42AB77F4CEDCEE8E4DFACF
99A6E3CDF3341B8522073804A87F24113508D3F90525BA4DA1A4E50194024A2B
C:\Users\user\Documents\20220126\PowerShell_transcript.134349.gQ3oRNES.20220126151422.txt
false
4861335CE75777214839B3C66164C260
DF8D94587E05508A3134C4D60E7D44B62643D60A
A9112093677368CFE9B5C6A2BEA198006BC124155458FFF0E64055C015A1069A
C:\Users\user\Documents\20220126\PowerShell_transcript.134349.mrnfU7dc.20220126151307.txt
false
DDC453BC34BB3D875D16446B6BA8AD85
BFBD627342AAC849C9067F98D7B75096A362491F
50B0DACB13D8E754ADB5C7D2BF0F065EC7EAF415B375D8A9F014FD45BB36F844
94.130.249.123
162.159.133.233
cdn.discordapp.com
false
162.159.133.233
Hides threads from debuggers
Creates an autostart registry key pointing to binary in C:\Windows
Found malware configuration
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Yara detected Remcos RAT
Suspicious powershell command line found
Creates autostart registry keys with suspicious values (likely registry only malware)
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Yara detected GuLoader