Source: Process started | Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, CommandLine: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, CommandLine|base64offset|contains: m, Image: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, NewProcessName: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, OriginalFileName: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, ParentCommandLine: 'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe' , ParentImage: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, ParentProcessId: 4328, ProcessCommandLine: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, ProcessId: 3528 |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "7547b95a-3564-48ed-9de2-e9e7593f", "Group": "ikenna", "Domain1": "194.5.98.127", "Domain2": "127.0.0.1", "Port": 54984, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Enable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Enable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"} |
Source: C:\Users\user\AppData\Roaming\DCBdvFPc.exe | ReversingLabs: Detection: 30% |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Virustotal: Detection: 30% |
Source: Yara match | File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR |
Source: C:\Users\user\AppData\Roaming\DCBdvFPc.exe | Joe Sandbox ML: detected |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dll |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: mscorrc.pdb source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp |
Source: Malware configuration extractor | URLs: 194.5.98.127 |
Source: Malware configuration extractor | URLs: 127.0.0.1 |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth |
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net> |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165F1069 | 0_2_00007FFA165F1069 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 4_2_004C9626 | 4_2_004C9626 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 5_2_005C9626 | 5_2_005C9626 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 6_2_00E39626 | 6_2_00E39626 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 7_2_00E69626 | 7_2_00E69626 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 8_2_004E9626 | 8_2_004E9626 |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: DCBdvFPc.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.258514535.0000000000874000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.258791813.0000000000C59000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265911861.000000001C470000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265911861.000000001C470000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265290815.000000001BD60000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStoreElement.dllB vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259722065.00000000011C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConfigNodeType.dll> vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.259800511.00000000029C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.265676778.000000001C370000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000004.00000000.251695079.00000000005E4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000005.00000002.253481024.00000000006E4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000006.00000000.254482952.0000000000F54000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000007.00000000.256067829.0000000000F84000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000008.00000002.258139772.0000000000604000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Binary or memory string: OriginalFilenameResourceManagerMediat.exe6 vs RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/ |
Source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ |
Source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: DCBdvFPc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/4@0/0 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File created: C:\Users\user\AppData\Roaming\DCBdvFPc.exe |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_01 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5F10.tmp |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File read: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: unknown | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe 'C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe' | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp' | |
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static file information: File size 1203712 > 1048576 |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x120e00 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165F7B0C pushad ; iretd | 0_2_00007FFA165F7B0D |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165FD19A push cs; retn 0000h | 0_2_00007FFA165FD1B1 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165FC95F push cs; retn 0000h | 0_2_00007FFA165FC971 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165FB427 push cs; retn 0000h | 0_2_00007FFA165FB441 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165F4021 push cs; retn 0000h | 0_2_00007FFA165F4025 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Code function: 0_2_00007FFA165F9C06 push es; retf | 0_2_00007FFA165F9C07 |
Source: initial sample | Static PE information: section name: .text entropy: 7.70845208383 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File created: \rfq cl-2021 - 0188 rockwell land (wever).xls.exe | |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | File created: C:\Users\user\AppData\Roaming\DCBdvFPc.exe |
Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (67).png |
Source: Possible double extension: xls.exe | Static PE information: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process information set: NOOPENFILEERRORBOX |
Source: Yara match | File source: 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe TID: 5840 | Thread sleep time: -40406s >= -30000s |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe TID: 2584 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Thread delayed: delay time: 40406 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Thread delayed: delay time: 922337203685477 |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.260617186.0000000002EC1000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp' |
Source: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe | Process created: C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe C:\Users\user\Desktop\RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe (reported 5 times) |
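The evidence rows above (long sleeps, VMware/Sandboxie/Wine strings in memory, a schtasks /Create with an XML task definition, and the sample spawning a copy of itself) are the parts of this report a responder turns into triage logic. The script below is an added example, not part of the sandbox report or of the malware: it parses rows in the report's own "Source: ... | event: detail |" layout and sorts them into evasion, persistence and execution findings. Two interpretations built into it are assumptions stated here and in the code: the delay values are read as milliseconds (40406 is roughly 40 seconds, which exceeds the 30000 threshold the report's rule prints), and the value 922337203685477 is recognised as TimeSpan.MaxValue in milliseconds ((2^63 - 1) ticks / 10000), i.e. a .NET wait with no timeout rather than a timed sleep, so it is a weaker evasion signal than the 40-second one. The marker table, the helper names and the sample rows (shortened copies of the page's lines) are constructed for the example.

```python
"""Triage sandbox behaviour rows ("Source: <origin> | <event>: <detail> |")
into evasion, persistence and execution findings.
Added example: the row layout comes from the report; helper names, the
marker table and the sample rows are this example's own."""
import re

# TimeSpan.MaxValue in milliseconds: (2**63 - 1) ticks / 10000 ticks per ms.
# A .NET Thread.Sleep/WaitOne with this value waits indefinitely (assumption:
# the report's delay numbers are milliseconds).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
SANDBOX_BUDGET_MS = 30_000                       # threshold behind "-30000s" in the report

# Strings that identify analysis environments (mapping is this example's own).
ANALYSIS_MARKERS = [
    ("SBIEDLL.DLL", "Sandboxie"),
    ("WINE_GET_UNIX_FILE_NAME", "Wine"),
    ("VMWARE", "VMware"),
]

# Constructed sample rows, shortened from the page's evidence lines.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\sample.exe TID: 5840 | Thread sleep time: -40406s >= -30000s |
Source: sample.exe, 00000000.00000002.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: sample.exe, 00000000.00000002.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME |
Source: sample.exe, 00000000.00000002.sdmp | Binary or memory string: VMware SVGA II |
Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\DCBdvFPc' /XML 'C:\Users\user\AppData\Local\Temp\tmp5F10.tmp' |
Source: C:\Users\user\Desktop\sample.exe | Process created: C:\Users\user\Desktop\sample.exe C:\Users\user\Desktop\sample.exe |
Source: C:\Users\user\Desktop\sample.exe | Process token adjusted: Debug |
"""


def parse_row(line):
    """Split one row into source, event and detail; return None for non-rows."""
    line = line.strip()
    if not line.startswith("Source:"):
        return None
    cells = [c.strip() for c in line[len("Source:"):].split("|")]
    if len(cells) < 2 or not cells[1]:
        return None
    event, _, detail = cells[1].partition(":")
    return {"source": cells[0], "event": event.strip(), "detail": detail.strip()}


def classify_delay(detail):
    """Interpret a delay/sleep value: indefinite wait, long (evasion-sized) or short."""
    ms = int(re.search(r"-?(\d+)", detail).group(1))
    if ms >= TIMESPAN_MAX_MS:
        return "indefinite"          # main loop parked forever; weak evasion evidence
    if ms >= SANDBOX_BUDGET_MS:
        return "long"                # outlasts a typical sandbox run; evasion candidate
    return "short"


def parse_schtasks(detail):
    """Pull task name and XML path out of a schtasks /Create command line."""
    low = detail.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    name = re.search(r"/TN\s+'([^']+)'", detail, re.IGNORECASE)
    xml = re.search(r"/XML\s+'([^']+)'", detail, re.IGNORECASE)
    return {"task": name.group(1) if name else None,
            "xml": xml.group(1) if xml else None}


def triage(rows_text):
    """Walk the rows and collect findings by category."""
    findings = {"anti_analysis": set(), "delays": [], "persistence": [],
                "self_relaunch": 0, "token_privileges": []}
    for line in rows_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        event, detail = row["event"], row["detail"]
        if event == "Binary or memory string":
            for needle, product in ANALYSIS_MARKERS:
                if needle in detail.upper():
                    findings["anti_analysis"].add(product)
        elif event in ("Thread delayed", "Thread sleep time"):
            findings["delays"].append(classify_delay(detail))
        elif event == "Process created":
            task = parse_schtasks(detail)
            if task:
                findings["persistence"].append(task)
            # Child image equal to the parent image: the sample re-launching itself,
            # the usual prelude to injecting the unpacked payload into the child.
            parent = row["source"].split(" TID:")[0]
            if detail.startswith(parent):
                findings["self_relaunch"] += 1
        elif event == "Process token adjusted":
            findings["token_privileges"].append(detail)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The schtasks finding is the one worth acting on first: the task name under Updates\ and the temporary XML path tell you what to export from the Task Scheduler and what to look for in the user's Temp directory, while the indefinite wait on its own would be a poor reason to label a .NET binary evasive.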
Source: Yara match | File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe.131bde30.3.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe PID: 4328, type: MEMORYSTR |
Source: RFQ CL-2021 - 0188 ROCKWELL LAND (WEVER).xls.exe, 00000000.00000002.263221894.000000001304A000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.