34.0.0 Boulder Opal
IR
614362
CloudBasic
19:14:12
23/04/2022
slowday.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
a172f4b0fa1a44cb60901944cff7f8ed
c4aa87ba839c2da6ed852ba0e936ac80d47ec5b5
94243b53eceb2662ae632d9c3e02b5b947ea56ac4ac1db3a69fc0ca3e5100816
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Temp\18da55c1-2652-5cda-252b-e5d7f7077c5d
false
454353131947D1483FF5470107478978
C559163C23E5F878BE85D05F3EDEEAA620173C3D
2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668
C:\Users\user\AppData\Local\Temp\bhv2307.tmp
false
A29FCFA1238DD40058924399606698C9
113F267240602D5516B2972C04152FB4D451B05D
F32F052AAB7FFAF25E7F9265432B5CB2DB91D7520314AAE253363D23BCEC7D86
C:\Users\user\AppData\Local\Temp\bhv8783.tmp
false
D6AAAD36F7D6E3DE6ED37B9A4F6BD7E7
A0775CE9569D571E9305AAE0592C0BE634B49C14
4D6578EDF445C1292D3ABFA6DC0D182239E20403EBA97B3B46326593F31DD11A
C:\Users\user\AppData\Local\Temp\bhvAE74.tmp
false
3E484594120CF921845E093FA28D203E
9330BE53E846459F2DB39B91DF261047A4C94042
D42DFE409DC2D00C82064DB537F05FBA4F8D14053BB334F623D552EA659A1315
C:\Users\user\AppData\Local\Temp\bhvBB7.tmp
false
A29FCFA1238DD40058924399606698C9
113F267240602D5516B2972C04152FB4D451B05D
F32F052AAB7FFAF25E7F9265432B5CB2DB91D7520314AAE253363D23BCEC7D86
C:\Users\user\AppData\Local\Temp\bhvCA97.tmp
false
3E484594120CF921845E093FA28D203E
9330BE53E846459F2DB39B91DF261047A4C94042
D42DFE409DC2D00C82064DB537F05FBA4F8D14053BB334F623D552EA659A1315
C:\Users\user\AppData\Local\Temp\bhvCE9E.tmp
false
A3DE8A8853138C76F5583A576E75DFFA
0644DFDCFFAE7C52A12C2D285BBCB498638D456F
5A9D1B9DE28AE17A1B90FE500DF091517A4BA2DDB66CD2F82BE076A3B872E7B1
C:\Users\user\AppData\Local\Temp\bhvED61.tmp
false
47BD8351E5AEA2D90AC4C82BC2632289
A0FEE3EFD2B3F93726A0DA36CA74211498211778
3864AE293CEE5140D689C2F6CAF0A04E1C0FCD48989C8FDCCD43AE3088A17D88
C:\Users\user\AppData\Local\Temp\tmp33E2.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\tmp36CB.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\tmp43C.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\tmp8255.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp
false
F3B25701FE362EC84616A93A45CE9998
D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url
true
AB33794F41AD76E56615A37D6622EA5C
7B5EF2A89CE529D5571631A1A82B312CF8E190E7
B76FE7B226CAE1B013CFEF062E7CDD14B6E4DED9A1BC9200DDBC05535DA25FFD
C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
true
1C7E2FF84A8DA304070EC91B0FFC3051
B5E7C2EFE4CDF7AE512F4F1019C87386E7297D97
22887A6408711F60A471787845A385030E039DE5D5929199212886097DB2B610
C:\Users\user\AppData\Roaming\winlogons\winlogons.vbs
false
15D4DD1FDB941819CD0A875B88758F0E
D3473C83D39CB6DD96DDF534AB4037FF32E6136F
3F65EF50D30ADD441269973C0375B01CDF61C5B0656EFDE20A42EA7622398041
192.168.2.1
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
false
unknown
https://www.google.com/chrome/static/images/folder-applications.svg
false
unknown
https://www.google.com/chrome/static/css/main.v2.min.css
false
unknown
https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
false
unknown
http://www.msn.com
false
unknown
http://www.nirsoft.net
false
unknown
https://deff.nelreports.net/api/report?cat=msn
false
unknown
https://www.google.com/chrome/static/images/chrome-logo.svg
false
unknown
https://www.google.com/chrome/static/images/homepage/homepage_features.png
false
unknown
https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
false
unknown
https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
false
unknown
https://www.google.com/chrome/
false
unknown
https://a.pomf.cat/
true
unknown
https://2542116.fls.doubleclick.net/activityi;src22
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
false
unknown
https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
false
unknown
https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
false
unknown
https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
false
unknown
https://maps.windows.com/windows-app-web-link
false
unknown
http://www.msn.com/?ocid=iehp
false
unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
false
unknown
https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
false
unknown
http://crl.pki.goog/GTS1O1core.crl0
false
unknown
https://www.google.com/chrome/static/images/icon-announcement.svg
false
unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
false
unknown
http://www.nirsoft.net/
false
unknown
https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
false
unknown
https://www.google.com/chrome/static/css/main.v3.min.css
false
unknown
https://www.google.com/chrome/application/x-msdownloadC:
false
unknown
https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
false
unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=447687274835
false
unknown
https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
false
unknown
http://pki.goog/gsr2/GTS1O1.crt0
false
unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
false
unknown
https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
false
unknown
https://www.google.com/chrome/static/images/app-store-download.png
false
unknown
https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
false
unknown
https://contextual.media.net/
false
unknown
https://pki.goog/repository/0
false
unknown
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
false
unknown
http://www.msn.com/
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
false
unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
false
unknown
https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
false
unknown
https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
false
unknown
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
false
unknown
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
false
unknown
https://contextual.media.net/48/nrrV18753.js
false
unknown
https://www.google.com/chrome/static/images/fallback/icon-help.jpg
false
unknown
https://www.google.com/accounts/servicelogin
false
unknown
https://www.google.com/chrome/static/images/homepage/google-enterprise.png
false
unknown
https://www.google.com/chrome/static/images/homepage/google-dev.png
false
unknown
https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
false
unknown
http://crl.pki.goog/gsr2/gsr2.crl0?
false
unknown
http://pki.goog/gsr2/GTSGIAG3.crt0)
false
unknown
https://www.google.com/
false
unknown
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
false
unknown
https://www.google.com/chrome/static/images/mac-ico.png
false
unknown
http://pki.goog/gsr2/GTS1O1.crt0#
false
unknown
http://pomf.cat/upload.php&https://a.pomf.cat/
true
unknown
https://aefd.nelreports.net/api/report?cat=bingth
false
unknown
https://www.google.com/chrome/static/images/google-play-download.png
false
unknown
https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
false
unknown
https://www.google.com/chrome/static/images/homepage/google-canary.png
false
unknown
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
false
unknown
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
false
unknown
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
false
unknown
https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
false
unknown
https://www.google.com/chrome/static/js/main.v2.min.js
false
unknown
https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
false
unknown
https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
false
unknown
https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
false
unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
false
unknown
https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
false
unknown
https://login.yahoo.com/config/login
false
unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
false
unknown
https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
false
unknown
http://pomf.cat/upload.php
true
unknown
https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
false
unknown
https://www.google.com/chrome/static/images/cursor-replay.cur
false
unknown
https://www.google.com/chrome/static/js/installer.min.js
false
unknown
http://crl.pki.goog/GTSGIAG3.crl0
false
unknown
https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
false
unknown
https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
false
unknown
https://www.google.com/chrome/static/images/homepage/homepage_tools.png
false
unknown
http://bot.whatismyipaddress.com/
false
unknown
http://pki.goog/gsr2/GTS1O1.crt0M
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
false
unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
false
unknown
https://www.google.com/chrome/static/images/homepage/google-beta.png
false
unknown
http://www.msn.com/de-ch/?ocid=iehp
false
unknown
https://www.google.com/chrome/static/images/icon-file-download.svg
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
false
unknown
https://aefd.nelreports.net/api/report?cat=bingaot
false
unknown
https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
false
unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
false
unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
false
unknown
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Yara detected MailPassView
Yara detected HawkEye Keylogger
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
Injects a PE file into a foreign process
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected WebBrowserPassView password recovery tool
AutoIt script contains suspicious strings
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
Tries to steal Instant Messenger accounts or passwords