36.0.0 Rainbow Opal
IR
755933
CloudBasic
10:32:08
29/11/2022
New PO-RJ-IN-003 - Knauf Queimados.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
244fc9610f75225aa3dc09958195beb1
ef0d6103d27090fc9d25e3ef3de2e1b6d9670d9c
05cdda3567b913d99627f8e41336404d5830816df65e1001d6b2ad05bd9ed18d
Win32 Executable (generic) a (10002005/4) 99.96%
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Snort IDS alert for network traffic