34.0.0 Boulder Opal
IR
613862
CloudBasic
15:25:25
22/04/2022
HxEWwh74qT
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
5d2b5cbd8a574c9e35309e21ecf93a0e
c15e583e28556f5d187197937b4d2a715ebf8ca7
52d14c9cd56aa41ba98a24a4a3dc3674f7e281c3d79f6aca141382fb56585bcd
Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_2828325eddc3a9f8faabde465b0f08bdb67a44e_7cac0383_17ca004a\Report.wer
false
B50C687C29BF44DAF94017951E1B1FA4
035A1C3720BC2834F2EEA0B5C5C012FFCFA54D59
2B8D1BCCBD738DC93D23DB997E54B92B08D8E46F1DA33DA0159495779135CCD0
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_82d8da601ff98714cf9338fbdd7f7aa4314182a_7cac0383_186e5281\Report.wer
false
25AA9B5977F4E6E9486A6B0AA7367E53
49203D9B2C61AF1B0886A6DCF260AA93CA21B2BB
83C38D8B07784190C93DD783EE9D288CE2522B878FC5082287770ADAE6C7C018
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_f73ca53a05f727fe3c280efd3588c9d22d24062_7cac0383_0d5dc489\Report.wer
false
B662C448457F42C86FF6AE872E829F12
6B760A764DFF5FEDE5A923E3953359ABE59BF098
BCA2030589C0C03A6958D7A5A60968DDE5EF57E5FE4861A63A6EF3D687A1F6F0
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8D1.tmp.dmp
false
045591FB9A51E43D170A2F09CC3DADC1
81CF74B064211B7258D207E5E299206175584D6D
AC3064CB253A5F508A4883613F1FA63A694AE5572B5D22F80E4F38375E533FD2
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE12.tmp.WERInternalMetadata.xml
false
0DB5E90F9A50EBD43F3DF77C0DA85950
B4EB81ABFEDA2C5FCF0A3F8D04F78B19BFB1BF70
833B8C530A023BD671DDD8012AA17D0C0F15F255008D3C946443CCE66ADC0BFF
C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFA9.tmp.xml
false
1DBFF782298A0B63A1CC9CDF1DF61976
3024D4229EEE1DFBB8E000183F6CDFAC66732407
6BC464DB5E86A06C79A21B34035437175F2C1D128EE0DCE7DC01D45E2E1CD1D8
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCD53.tmp.dmp
false
2001588067FFF81F56C55A45CFC8D00C
FCC83C72DF6A50E9E5A0B2EE60D4AF17CAFF3F79
6F54FE4171D5D68F0FBDCC4AAE1C49EA13E04D8A592EDDE299D97232536071EB
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0A0.tmp.WERInternalMetadata.xml
false
516269548DB5CE174DADC69DEBA1EB5C
11FAF3721AA9894B5591B1BCE04F5F72D2DC8DE4
E9EF7AB53DF211C4A0A1D12C6E5A073BF1F9702B1A6EBE440E9C23BCA2565AC6
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD237.tmp.xml
false
DED0973B6E25A0EFCBA8347616282B2D
488F0BA05EEBD3FD6F3234A170074152C02906B3
358350ADB96A3F7620569B6C9551773225FC09060ED4C99FFC5F3E2BC6FF9AC3
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2CD.tmp.dmp
false
8C90697300310A9955BFECD8FBE19128
89ECCBCAF68529209F03D80BB216F6AB2E42020D
B47100BC6B1B609C64B3ACE915F911B109B86CE453B7A16B0884763B01B5ADB8
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF629.tmp.WERInternalMetadata.xml
false
62B8619A4E1DEEB3CFE96784DC7BCE24
7B61FB3B1F695606412A6DA9E26671521D321E0D
A5988942CA222FF850B4FFBEA7BE18868602C422ABFCA475C81EBAAC33718685
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF7B1.tmp.xml
false
94F0237F61D6A72BF9FD262D5DAF1CB8
77BA53C28A3D168D892F2D06300803EC5CF62C34
0A82D2F9FA529CEBB573FD7A8D54A1EE0C689179A013A2B1AA5C3F6E7F333A79
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
243581397F734487BD471C04FB57EA44
38CB3BAC7CDC67CB3B246B32117C2C6188243E77
7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
13AF6BE1CB30E2FB779EA728EE0A6D67
F33581AC2C60B1F02C978D14DC220DCE57CC9562
168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
C:\Users\user\AppData\Local\Temp\RESD841.tmp
false
0207AEB635BFA2BFB793AA26D45D28BC
EFC69E173AB42B6B1AF939C8BE54DC73301AC851
C94D40766F2B91F22AD5E55BA35D947AE2825F5B9A34E0ECE134B0A86ECCE5AF
C:\Users\user\AppData\Local\Temp\RESED31.tmp
false
79C2F50A254E8807286FA0F3634DCDAA
3ED67CB1DE55A3B1B93CBD8510385B9608F4F624
983C6748597DC864F47D16C32EAAA59C226FBE8DF3ADCC37C48640A59BAD0C93
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itmkjels.31u.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeni10bs.j5c.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\lboh4mlq\CSC3DF21D054A9F4C66BF1FA9CD771B1F79.TMP
false
3D9C89F9813A7154E8FB79DA7D10E8B2
4E2EA7F78C62941F644D9F1FAD64D127E31306CE
B76B5C81AFE17B214527AC8DCD85285CED0102DC6164A4304188B5D4D4E69239
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.0.cs
false
AE91D1351B9FB773FEF9B6F31D0A22EE
323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.cmdline
false
657DF5DBF2CD40C8427224A737044E8C
9BB8F1884A4BF325B5E07D3874D7CB7CD163A047
47A5E44ED29C7B102C323480B9BFB1992012E17C84BD7C5A601E3AADC9690BCA
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.dll
false
010A7FEF0AA253BE01A7D57105104C99
EC3146FF9E8A4218C2D14CE70863692B953A751E
B291831CDE532E047D0BBDB58CEFA9AAF938BEFE3F2FDF3762F7F7387A134DD5
C:\Users\user\AppData\Local\Temp\lboh4mlq\lboh4mlq.out
false
77A926519D8FA89DF6F5D0C77E79D0A3
7912DA6B9435D7AF26FA649341CB5E0124EA8FC3
452BD2C2631FDB744B80E6DD5A033C45548FE8733869C2F9F41110A529F1F9B0
C:\Users\user\AppData\Local\Temp\pkbugtxo\CSC26C720E9EBC041F086604EECC7DD3CDD.TMP
false
E2051F8A521B2F3B00C715BD57DCCC78
667FC3B5ED67494166B61D57050519DA3C24C9EC
9FC45C88A9D75B6A1856480057CACF18B668C8C61992A417C1FB48EB0C4381F1
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.0.cs
false
248E15CD19191D4333303E0E1F8E9A70
9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.cmdline
false
23922C7400B5639004534C21A8FC6FD9
EFC910B97F452FB59BF063CB331136BF7B5EE364
65423661DBE57376B2BFEE4E014394645B6A2C67FC8C71C9F9196D586FBBAE09
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.dll
false
DF0CED5409923E601543A19300A5F2C0
B5055B13C52F28A7AC23A4DC6F1BC7058B50EA16
95927D387C19566BAF533827449CDAF0EB132DF3DFF1F500ECCDDB1DAEC9313D
C:\Users\user\AppData\Local\Temp\pkbugtxo\pkbugtxo.out
false
1057CD175F0A0ED38ECEADB83BD825CC
1510C0179E5FC3A55FB866668781A6CF04B43611
2CC8FD12A44EEFECF8ED908C4EE2C450036626C87C13A238A7F560E1891A528C
C:\Users\user\Documents\20220422\PowerShell_transcript.910646.1Eiln6hD.20220422152728.txt
false
0B43799452C644E51F9DD4EF713574B6
70329EFE7607D70C080CE16FE4CB78592B878CED
134FFA52B0570D604C1799C9CBB7AD9F2CD2B4154DD6166D79176D53A8C4BD58
192.168.2.1
146.70.35.138
l-0007.l-dc-msedge.net
true
13.107.43.16
a-0019.standard.a-msedge.net
false
204.79.197.222
http://146.70.35.138/phpadmin/1p0semBcWFOiJ/VuHxHtu5/AN830nRWQ1d2xctaoA3KLHR/918Z9VEhPV/P8ohXldFwnNmepL6Q/uKTfc4fmSrkK/BfYNKcK_2Bx/w_2FA1ltM5KCgm/3UT06OWaufeDOP8Oq_2FL/oIF6meLVrySmPHH0/RIFJ_2FHuhWguIS/4hvBrDpXZ_2FB9M_2F/VjlCK_2FC/TflkNLJtzRIEzaze5_2F/wDsLbDghNL5li48V5rm/4qe0lRbO5_2FdP6RKk3aIg/j40b09twfw_2F/PdHkwNcC/i0_2BVuZ/L.src
true
146.70.35.138
http://146.70.35.138/phpadmin/sJOLDU_2FhOUoo/k46SW66GV6I1pQKjWA9TE/PWpby4hvIkOnAKsS/x0Aee5T7Xyol_2F/mHBJFq72pa7ZryIdq5/j7jpLfh_2/B9C_2B8rr1N7pwYs7Hbz/HAjnG5DvkxUUwsnvZ2H/7mKa3lBAhH1k0Vg5CBUe72/SPp1Kc_2FZv6K/7UGQxmIh/q1dxSy205p9HqV1EWhDaIi0/wpq760vWJe/2wvTRaTBNSXKAlgWL/PHcpI3wJ6a_2/BROCpFJpoTX/N2ZuQyATVgKAeO/_2Fd3SdF.src
true
146.70.35.138
http://https://file://USER.ID%lu.exe/upd
false
unknown
http://ns.adobY
false
unknown
http://constitution.org/usdeclar.txt
false
unknown
http://pesterbdd.com/images/Pester.png
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
false
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
false
unknown
https://github.com/Pester/Pester
false
unknown
http://constitution.org/usdeclar.txtC:
false
unknown
Found malware configuration
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Multi AV Scanner detection for submitted file
Changes memory attributes in foreign processes to executable or writable
Malicious sample detected (through community Yara rule)
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Yara detected Ursnif
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
System process connects to network (likely due to code injection or exploit)
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI