Source: https://riell.top/white.scr |
Avira URL Cloud: Label: malware |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: Yara match |
File source: C:\Users\user\AppData\Roaming\white72911.scr, type: DROPPED |
Source: Yara match |
File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\white[1].htm, type: DROPPED |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: unknown |
HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49163 version: TLS 1.2 |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Source: global traffic |
DNS query: name: riell.top |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 188.114.96.3:443 |
Source: global traffic |
TCP traffic: 188.114.96.3:443 -> 192.168.2.22:49163 |
Source: Joe Sandbox View |
IP Address: 188.114.96.3 188.114.96.3 |
Source: Joe Sandbox View |
ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS |
Source: Joe Sandbox View |
JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b |
Source: global traffic |
HTTP traffic detected: GET /white.scr HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: riell.top
  Connection: Keep-Alive |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{946CCB1C-A640-4FD8-834D-6A235994F9AB}.tmp |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: global traffic |
DNS traffic detected: DNS query: riell.top |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.use |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0% |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0- |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.comodoca.com05 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.entrust.net03 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ocsp.entrust.net0D |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://riell.top/: |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://riell.top/a |
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.346288953.00000000008DF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://riell.top/white.scr |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.00000000008DF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://riell.top/white.scrj |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.00000000008DF000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://riell.top/white.scrjjC: |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000961000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://secure.comodo.com/CPS0 |
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, white[1].htm.2.dr, white72911.scr.2.dr |
String found in binary or memory: https://www.cloudflare.com/5xx-error-landing |
Source: EQNEDT32.EXE, 00000002.00000002.346288953.0000000000920000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.346288953.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, white[1].htm.2.dr, white72911.scr.2.dr |
String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/ |
Source: unknown |
Network traffic detected: HTTP traffic on port 49163 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49163 |
Source: xJvN1QBl91.rtf, type: SAMPLE |
Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Memory allocated: 770B0000 page execute and read and write |
Source: xJvN1QBl91.rtf, type: SAMPLE |
Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. |
Source: classification engine |
Classification label: mal100.phis.expl.winRTF@4/11@1/1 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: xJvN1QBl91.rtf |
ReversingLabs: Detection: 48% |
Source: xJvN1QBl91.rtf |
Virustotal: Detection: 47% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64win.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64cpu.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: msi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: cryptsp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rpcrtremote.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dwmapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: version.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: secur32.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winhttp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: webio.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: iphlpapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winnsi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dnsapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: nlaapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc6.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rasadhlp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: credssp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: ncrypt.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: bcrypt.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: gpapi.dll |
Source: xJvN1QBl91.LNK.0.dr |
LNK file: ..\..\..\..\..\Desktop\xJvN1QBl91.rtf |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6A8E push esp; ret 2_2_008F6A8F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6888 push dword ptr [esp+ebx*8+53h]; ret 2_2_008F68A3 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6A84 push esp; ret 2_2_008F6A87 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6A96 push esp; ret 2_2_008F6A97 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F68A8 push ebx; ret 2_2_008F68AB |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F68B0 push ebx; ret 2_2_008F68B3 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F64DF push esi; ret 2_2_008F64E3 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F64D8 push esi; ret 2_2_008F64DB |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F64E7 push esi; ret 2_2_008F64EB |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6A4C push esp; ret 2_2_008F6A4F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6A46 push esp; ret 2_2_008F6A47 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6C6F push esi; ret 2_2_008F6C73 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F686A push ebx; ret 2_2_008F686B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6C68 push esi; ret 2_2_008F6C6B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F8C7B push ebp; ret 2_2_008F8C7F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008F6C77 push esi; ret 2_2_008F6C7B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008E01F4 push eax; retf 2_2_008E01F5 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008EC3F0 push A0008EC4h; ret 2_2_008EC3F5 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 2_2_008E8F60 push eax; retf 2_2_008E8F61 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1452 |
Thread sleep time: -240000s >= -30000s |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3272 |
Thread sleep time: -60000s >= -30000s |