34.0.0 Boulder Opal
IR
623326
CloudBasic
11:52:10
10/05/2022
e1f388b8a086e034b1fbd94ca7341008.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
916eb825989bc96a10eab8916995c1e1
e91e3a11ab3203c912b5d756c5f22e620760edf9
6e5ce2c28b65e3f50c89ee799de9c047c07ec4c27b4d4b8b6f4f202b1e8d557a
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e1f388b8a086e034b1fbd94ca7341008.exe.log
true
2E016B886BDB8389D2DD0867BE55F87B
25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
07C4587984660ADA43BA12DE61D64EEF
897D5E48E0516C17830E2C09ED3A8F5FCA5FE5E6
4BCFB8127C63B308F026A42EB8795AAFE832FD05B65E3288E23BB8A7940BE95B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axfdujok.0nl.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ryl20vvq.5q2.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp5BA5.tmp
true
75F7A3F0883E114F65B5970F1FCD4CF2
24DF87D295A023E8F73C69E312DBB504288BD914
8A965519AAF417D139A3F1E5D44129DF65CACA48A9E1C174CA6F3026CD9B40D0
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
32D0AAE13696FF7F8AF33B2D22451028
EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
E578BDC4870935A8ED87C86290D526C2
A238F1F66DDEB7F15E3438B2020D9699B236907D
73DC67D9CA00AFEC69D033CA24EAC73F73F4EA97B678794A91A1F970EFADC81B
C:\Users\user\AppData\Roaming\QgGSCvPvvCY.exe
true
916EB825989BC96A10EAB8916995C1E1
E91E3A11AB3203C912B5D756C5F22E620760EDF9
6E5CE2C28B65E3F50C89EE799DE9C047C07EC4C27B4D4B8B6F4F202B1E8D557A
C:\Users\user\AppData\Roaming\QgGSCvPvvCY.exe:Zone.Identifier
false
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220510\PowerShell_transcript.284992.KzD+VzNg.20220510115327.txt
false
229A9A51D89E599FC053B83B450DBF0F
855A0E98DBB6EA5C17C1332D6DA6AD729F0CE5E1
558143EEDE6ED094BEDC9268C81C9506EEE016326E7175DDE197915EEAB2127E
185.140.53.3
ella666.duckdns.org
true
185.140.53.3
http://www.apache.org/licenses/LICENSE-2.0
false
unknown
http://www.fontbureau.com
false
unknown
http://www.fontbureau.com/designersG
false
unknown
http://www.fontbureau.com/designers/?
false
unknown
http://www.founder.com.cn/cn/bThe
false
unknown
http://www.fontbureau.com/designers?
false
unknown
http://www.tiro.com
false
unknown
http://www.fontbureau.com/designers
false
unknown
http://www.goodfont.co.kr
false
unknown
http://www.carterandcone.coml
false
unknown
http://www.sajatypeworks.com
false
unknown
http://www.typography.netD
false
unknown
http://www.fontbureau.com/designers/cabarga.htmlN
false
unknown
http://www.founder.com.cn/cn/cThe
false
unknown
http://www.galapagosdesign.com/staff/dennis.htm
false
unknown
http://fontfabrik.com
false
unknown
http://www.founder.com.cn/cn
false
unknown
http://www.fontbureau.com/designers/frere-jones.html
false
unknown
http://www.jiyu-kobo.co.jp/
false
unknown
ella666.duckdns.org
true
http://www.galapagosdesign.com/DPlease
false
unknown
http://www.fontbureau.com/designers8
false
unknown
http://www.fonts.com
false
unknown
http://www.sandoll.co.kr
false
unknown
mikeljack321.ddns.net
true
http://www.urwpp.deDPlease
false
unknown
http://www.zhongyicts.com.cn
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
false
unknown
http://www.sakkal.com
false
unknown
Found malware configuration
Multi AV Scanner detection for submitted file
Connects to many ports of the same IP (likely port scanning)
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Yara detected Nanocore RAT
Snort IDS alert for network traffic