Source: TRA-St-0015-O01.xlsx |
Virustotal: Detection: 31% |
Source: TRA-St-0015-O01.xlsx |
ReversingLabs: Detection: 22% |
Source: Yara match |
File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Users\Public\vbc.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\AppData\Roaming\XaHKwnPuj.exe |
Joe Sandbox ML: detected |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\Public\vbc.exe |
Source: unknown |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: unknown |
HTTPS traffic detected: 162.241.148.128:443 -> 192.168.2.22:49165 version: TLS 1.2 |
Source: global traffic |
DNS query: name: spicesherbs.in |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 162.241.148.128:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 162.241.148.128:443 |
Source: Joe Sandbox View |
JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BADF7393.emf |
Source: unknown |
DNS traffic detected: queries for: spicesherbs.in |
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.dr |
String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c |
Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: vbc.exe, 00000004.00000002.2169176262.0000000002371000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: vbc.exe, 00000004.00000002.2170919142.000000001BA40000.00000002.00000001.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: BADF7393.emf.0.dr |
String found in binary or memory: http://www.day.com/dam/1.0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49165 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49165 |
Source: unknown |
HTTPS traffic detected: 162.241.148.128:443 -> 192.168.2.22:49165 version: TLS 1.2 |
Source: Yara match |
File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A |
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\Public\vbc.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe |
Source: C:\Users\Public\vbc.exe |
Code function: 7_2_00BF3F76 |
Source: C:\Users\Public\vbc.exe |
Code function: 7_2_00BF9369 |
Source: C:\Users\Public\vbc.exe |
Code function: 7_2_00BFDB4B |
Source: C:\Users\Public\vbc.exe |
Code function: 7_2_00BFD8C7 |
Source: C:\Users\Public\vbc.exe |
Code function: 7_2_00BFDB41 |
Source: TRA-St-0015-O01.xlsx |
OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: XaHKwnPuj.exe.4.dr |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal100.troj.expl.evad.winXLSX@16/14@2/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$TRA-St-0015-O01.xlsx |
Source: C:\Users\Public\vbc.exe |
Mutant created: \Sessions\1\BaseNamedObjects\XbELoWjomkFJpgsBcjJbdEN |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRF0C4.tmp |
Source: C:\Windows\System32\schtasks.exe |
Console Write: ................................................................................@...............p............................................... |
Source: C:\Users\Public\vbc.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\f89061884b75dab0e3967d7221e5290d\mscorlib.ni.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: TRA-St-0015-O01.xlsx |
Virustotal: Detection: 31% |
Source: TRA-St-0015-O01.xlsx |
ReversingLabs: Detection: 22% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: unknown |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
|
Source: unknown |
Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' |
|
Source: unknown |
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp' |
|
Source: unknown |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
|
Source: unknown |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
|
Source: unknown |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
|
Source: unknown |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
|
Source: unknown |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
|
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp' |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32 |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Users\Public\vbc.exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: TRA-St-0015-O01.xlsx |
Initial sample: OLE indicators vbamacros = False |
Source: TRA-St-0015-O01.xlsx |
Initial sample: OLE indicators encrypted = True |
Source: initial sample |
Static PE information: section name: .text entropy: 7.78051129047 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
File created: C:\Users\user\AppData\Roaming\XaHKwnPuj.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\kinsvc[1].exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\Public\vbc.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\Public\vbc.exe |
Source: unknown |
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp' |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\Public\vbc.exe |
Process information set: NOOPENFILEERRORBOX |
Source: TRA-St-0015-O01.xlsx |
Stream path 'EncryptedPackage' entropy: 7.99976973003 (max. 8.0) |
Source: Yara match |
File source: 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: vbc.exe PID: 2720, type: MEMORY |
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp |
Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME |
Source: C:\Users\Public\vbc.exe |
Code function: 7_2_00BF471C sldt word ptr [edx] |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2560 |
Thread sleep time: -360000s >= -30000s |
Source: C:\Users\Public\vbc.exe TID: 824 |
Thread sleep time: -54277s >= -30000s |
Source: C:\Users\Public\vbc.exe TID: 2916 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Users\Public\vbc.exe TID: 2900 |
Thread sleep time: -922337203685477s >= -30000s |
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp |
Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp |
Binary or memory string: vmware |
Source: vbc.exe, 00000004.00000002.2170020694.000000001A782000.00000004.00000001.sdmp |
Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}] |
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp |
Binary or memory string: VMware SVGA II |
Source: vbc.exe, 00000004.00000002.2169219241.00000000023DE000.00000004.00000001.sdmp |
Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe' |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XaHKwnPuj' /XML 'C:\Users\user\AppData\Local\Temp\tmp2222.tmp' |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe |
Source: C:\Users\Public\vbc.exe |
Queries volume information: C:\Users\Public\vbc.exe VolumeInformation |
Source: Yara match |
File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000004.00000002.2169610523.0000000012381000.00000004.00000001.sdmp, type: MEMORY |