34.0.0 Boulder Opal
IR
614287
CloudBasic
08:10:43
23/04/2022
VoevdOQpeU.dll
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
ba155d8aed7ca303fcfc3f0248d218e1
600453c21cdbecdbea9c825df4754b8a1829d649
a5ea92139f59d185548e8f48d1ce65cbf54bf1e3e1930de221091017fd1d4f0a
Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
true
false
false
false
100
0
100
5
0
5
false
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5a7bdef4ffd6df7a7664cf7158b49db77a1e6c9_7cac0383_164b3f26\Report.wer
false
AC7F4345BC16B046B4BD7A4B49FAD9DE
31DB96A77E8C9352345D2D35BDD922C5A989733E
0FE9F258A2E001391DD7FE936ED71F39F02E4A21502048E07AD9AFF57D5D9B8A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_5f68951fc85ec886a9cff2e6302d69913a8368e_7cac0383_107353c7\Report.wer
false
E3453784F5987FFC4297D68B3E5806EC
8AE5D7F0D9E1EDD426FD57793895BF06C7D55090
A19FAA5C0A3344576E5CA6B3D224AF727B5260220821BFD197D80F502CC5D9FC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F57.tmp.dmp
false
C917F1742DC83F5A043197F2F54A0C4E
AACA0FC29708705FDBB4F63CC4E9962D0EC5E3EF
142F090B56F1D4E7F37963F99E41AAD407C6F3C1F845BC0915A7EFF81C662889
C:\ProgramData\Microsoft\Windows\WER\Temp\WER36F9.tmp.WERInternalMetadata.xml
false
03FE517493CDA2DA9A9CB5CF3B51E3C8
6DAA111381E6A2BA15D14F385ECD9EE1E680EE70
088A2319CDDC0633C74897267FED482A3F4602182B6757D5E276C4283FAA5988
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3890.tmp.xml
false
1F581D2D671323001820EEC345955E8D
84D57DE07A1A92920A775FD9A2EF441FD6D55EDC
F3C1719825384E2811940641C8F25B5C7C9A8CF7FDFF96C79BD1B7094C66BDC1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER49A5.tmp.dmp
false
B26D761700EC27A85A7E8306F7D9C1CD
26BA946FC504E3B720545A54C6166E6A2841B1FC
A4A981D31AF326622D356EB84A53F327157F52F7EFB02CADB292060F7810FE72
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4D5F.tmp.WERInternalMetadata.xml
false
C80DFEB2FD09E96D80A105BF1416186F
C2E029A858E8ED96BB46CEB163704C526428BB15
B3CE25563BAB4D09351E626D47559203FC2F9E73F43D27AD95C8222BBF41688F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4EB8.tmp.xml
false
DF03F167543BFE5B6CDEF17CD6CDB700
6BBC61B7DBF6EB32A530D87A971944CDD312120D
84B755FD6CFD16130CE8987B8BBE160B50DAB6E97F05AB376C74909198264B80
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
F84F6C99316F038F964F3A6DB900038F
C9AA38EC8188B1C2818DBC0D9D0A04085285E4F1
F5C3C45DF33298895A61B83FC6E79E12A767A2AE4E06B43C44C93CE18431793E
C:\Users\user\AppData\Local\Temp\RES2392.tmp
false
67C978F8F6E761129B658BABBAC2C0E3
02E6453D6EA95F5A0EBB0631D927EE771F4B7B0A
9BB6FB8D9FDC155D50F117D1CE410A264593B74F41FEA700ED29099228FA1C4A
C:\Users\user\AppData\Local\Temp\RES3B60.tmp
false
E34239A621ECB61A5F50016AE522485A
EDD24063A2BC018FA0F98951A747630C5925D5FE
E0F555AAE679A2E77185A2DAD637DAD6F1477AEA45415837C204061570AC891E
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l4tlk4n5.iwk.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ldp1b5en.1s3.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\bscdh0f0\CSCCEA1AC591E3E41DFA7DCA22F6F20A95.TMP
false
8C7366A75D058E4560576098B53C2E89
5474E9C863C4BB1B86DA13FEB1DCBAC13BEA6A83
045887EA02E67AD0120E0D470B59C58099BFDBA859F1F3E31989AE8800BC7765
C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.0.cs
false
AE91D1351B9FB773FEF9B6F31D0A22EE
323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.cmdline
false
1DFF526FD701241566C75FC5465D31AF
5D91CBBE8D1F790F3A38CE35DAB4F705A0BEEF6E
ED2CAE80D53441FB70A3307AEB276D80C5D4176F9A9D336B5C87305DC0064ACF
C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.dll
false
0DB7703243576F0A4B5D43BDB20FD12B
67974086EB1D388F41FA3D91AB2BE5C6EE06D2CF
6B514B672F123A4399CAE02C921B046A1FC00D0A01C34B758A7D14F92E1C8BE1
C:\Users\user\AppData\Local\Temp\bscdh0f0\bscdh0f0.out
false
EE4CA1452DEB397DB57596D3E6012A15
E8C4E64E4E2C6AE91EB3B78C460A8D65FB9377EA
102035269C1F6AC6AECEC5D33A268EDB5A33E3BBA56F775441E271EF9C71A7CC
C:\Users\user\AppData\Local\Temp\poet0yxq\CSCB57F583549494C91A9647985948976.TMP
false
611F888895B72D1096C460FF7EA5E4B7
67CCD8B6129567C2A7CF8B601FD2709FA13D13D0
FFF630440C6AC27F1A70771D2279FE270829A76357941949BA22EB16BD260D6F
C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.0.cs
false
248E15CD19191D4333303E0E1F8E9A70
9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.cmdline
false
7261F6CD6A6D4860AC034E27509DC55F
C1282BE561B76009A43FD5BC192CE9D76AF08272
F7F9574C754A9C5B3A633B90174E4FAC3FBB9D5657E79D07D9CAAF0BAA8FE5EA
C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.dll
false
21F3C262E8990FE0E1A44D58B448B899
2CD298766EC3E59F36C316B35BB0728368117153
D594A1A6D450503AB6BDDC352174CC5F680F84CBEEAC0483BB064BA27CB381F0
C:\Users\user\AppData\Local\Temp\poet0yxq\poet0yxq.out
false
51149F7278FBC7AB67B11D6B7BF38CF0
15D9E224C099E0795568A20DAFACEEA4BF50D88A
6477E4EF8AF1EEA40F7734141A2CA95216DCD1BC01C53397ADBEABD2913543CB
192.168.2.1
146.70.35.138
http://146.70.35.138/phpadmin/Vo3V1ij8xfQAzbYEppxuGj/YfKBcB_2BiFsK/C5o_2FK1/LFX_2FAQmA1J0Gg2IGK0zii/Cqu4J51vDj/wlNBNCb18BPgk55aw/3DJofkjbHHw_/2F3O9t6XtUN/FhzyouLiXCH4qy/e6m_2F6Bp87emTDJkwB0B/GJSc0pfzfjLvMKIS/Fcz1B6FomHVea2H/3F6nRjbT0qghS0NNIb/kfO6CmRa0/E8U4GDXz2DXZU_2BDOzp/T84va5G8JnhB3/UMJfQ.src
true
146.70.35.138
http://https://file://USER.ID%lu.exe/upd
false
unknown
http://146.70.35.138/phpadmin/DRUYboFifxi6C3/_2BjVEcKiT1b8A_2BvMed/1ckh5D3V8MdKp2S2/SxMBQuJjSXDeW9Y/7fodbbXY21Jrsa2aXJ/S90Gqb_2B/KDYz_2F5NJsyx14KqPKz/ecUQVATr13lzZyN_2B_/2BoLTTXT06dmMNQURoEaga/M1AdtgAQJw1vj/q_2FSYWg/oo4zTjJDuzf2mz8BRfV3I9z/TX7m3RhRWd/LYr8gkK9WgmQ0jja9/kmBHLi0WTs_2/FFd4Km9NmRn/_2FUZ.src
true
146.70.35.138
http://constitution.org/usdeclar.txt
false
unknown
http://146.70.35.138/phpadmin/GVoID0TbPRvLYlr7up2X9/gD2XQvRshzT0oIvQ/0mEtVI_2FJuzvKC/fbaZh1y3_2FnOqy8_2/B0Y8u0dqv/V11JJbfZHGLCQ043KVhZ/2j3FiaSLUSAIqnVTtEF/p_2F7mTRIgp_2F43j86HIJ/7JamWIlhMtaxW/Qv_2BsMI/GK_2BjMae66_2B0eWRxZare/pyglkGar6g/LD_2FkUNwRZVbFFyN/qmaS1_2FZd3W/iyocOp4EpCY/lkbOHJ4rs/yFlR4ppeN_2/FAS.src
true
146.70.35.138
http://constitution.org/usdeclar.txtC:
false
unknown
Found malware configuration
Sigma detected: Windows Shell File Write to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Multi AV Scanner detection for submitted file
Sigma detected: Accessing WinAPI in PowerShell. Code Injection
Sigma detected: Suspicious Remote Thread Created
Machine Learning detection for sample
Uses ping.exe to check the status of other devices and networks
Yara detected Ursnif
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Uses ping.exe to sleep
System process connects to network (likely due to code injection or exploit)
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Writes registry values via WMI