description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\firefox\\firefox.exe"	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Program Files (x86)\\firefox\\firefox.exe"	vbc.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L54DCK60-6827-PGC8-6LF1-GXHMH3UCU202}	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L54DCK60-6827-PGC8-6LF1-GXHMH3UCU202}\StubPath = "C:\\Program Files (x86)\\firefox\\firefox.exe Restart"	vbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L54DCK60-6827-PGC8-6LF1-GXHMH3UCU202}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{L54DCK60-6827-PGC8-6LF1-GXHMH3UCU202}\StubPath = "C:\\Program Files (x86)\\firefox\\firefox.exe"	explorer.exe

resource	yara_rule
behavioral1/memory/976-64-0x0000000010410000-0x0000000010482000-memory.dmp	upx
behavioral1/memory/976-74-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/848-79-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/848-82-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/976-87-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral1/memory/1936-92-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral1/memory/1936-93-0x0000000010510000-0x0000000010582000-memory.dmp	upx
behavioral1/memory/848-97-0x0000000010490000-0x0000000010502000-memory.dmp	upx
behavioral1/memory/1936-100-0x0000000010510000-0x0000000010582000-memory.dmp	upx

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\firefox.exe	explorer.exe

description	ioc	Process
File created	C:\Program Files (x86)\firefox\firefox.exe	vbc.exe
File opened for modification	C:\Program Files (x86)\firefox\firefox.exe	vbc.exe

description	pid	Process
Token: SeBackupPrivilege	848	explorer.exe
Token: SeRestorePrivilege	848	explorer.exe
Token: SeBackupPrivilege	1936	explorer.exe
Token: SeRestorePrivilege	1936	explorer.exe
Token: SeDebugPrivilege	1936	explorer.exe
Token: SeDebugPrivilege	1936	explorer.exe

pid	Process
976	vbc.exe
924	DllHost.exe
924	DllHost.exe
924	DllHost.exe
924	DllHost.exe

description	pid	Process	procid_target
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 828 wrote to memory of 976	828	e2aaf2355bd00dd156caf87118892fd613aa5a1b09de7fc4444d5af4a5d6b1a5.exe	29
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15
PID 976 wrote to memory of 1260	976	vbc.exe	15

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.