34.0.0 Boulder Opal
IR
626605
CloudBasic
15:27:31
14/05/2022
iuvRyl9i7D
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc.)
Snort IDS alert for network traffic