Source: https://dukeenergyltd.top/I | Avira URL Cloud: Label: malware
Source: https://dukeenergyltd.top/hon.scrF | Avira URL Cloud: Label: malware
Source: https://dukeenergyltd.top/A | Avira URL Cloud: Label: malware
Source: https://dukeenergyltd.top/hon.scr | Avira URL Cloud: Label: malware
Source: https://dukeenergyltd.top/hon.scrP | Avira URL Cloud: Label: malware
Source: https://dukeenergyltd.top/hon.scrj | Avira URL Cloud: Label: malware
Source: dukeenergyltd.top | Virustotal: Detection: 25%
Source: https://dukeenergyltd.top/hon.scr | Virustotal: Detection: 23%
Source: New Order .doc | ReversingLabs: Detection: 50%
Source: New Order .doc | Virustotal: Detection: 43%
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 172.67.134.136 Port: 443
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: unknown
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding (entry appears twice in the report)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.67.134.136:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Source: global traffic | DNS query: name: dukeenergyltd.top
Source: global traffic | TCP traffic: 192.168.2.22:49163 <-> 172.67.134.136:443 (49 segments logged on this one connection: 35 outbound 192.168.2.22:49163 -> 172.67.134.136:443, 14 inbound 172.67.134.136:443 -> 192.168.2.22:49163)
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected (entry appears twice in the report):
  GET /hon.scr HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: dukeenergyltd.top
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A25D5808-01F0-4641-9DFA-252321211B8D}.tmp
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: dukeenergyltd.top
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 24 Apr 2024 04:57:34 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Last-Modified: Thu, 28 Mar 2024 01:13:19 GMT
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lod%2FR6mMtjBBPEHRsSwYKXP1yEGL4v6rZ%2B5491vOExu0sagjCJVTnoZ3jt44A0TOg5CDQsbsAPKl6%2FO83OdyQ1%2BYwq%2BT8DbndKdcj6bpKq8dO9%2BdGLra8Y6ScLgr3h%2BYfl6yEw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Strict-Transport-Security: max-age=0; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 87938362e9512b5e-LAX
  alt-svc: h3=":443"; ma=86400
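The chain recorded above (WINWORD.EXE activating EQNEDT32.EXE with -Embedding, then EQNEDT32.EXE resolving dukeenergyltd.top and requesting /hon.scr over TLS with a browser-style User-Agent, answered at analysis time with a 404) is what is worth detecting on endpoints, independently of the second-stage payload, which the sandbox never received. Equation Editor has no legitimate reason to open outbound network connections. The script below is an added example, not Joe Sandbox output or tooling: Python detection logic run over a few constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 3 NetworkConnect field names). The GUIDs, PIDs and the benign noise event are invented; the image paths and 172.67.134.136:443 come from the report. Because out-of-process COM servers are started by the DCOM launcher, raw Sysmon telemetry often records svchost.exe -k DcomLaunch rather than WINWORD.EXE as the parent of EQNEDT32.EXE, so the rule accepts either parent.

```python
"""Added example (not Joe Sandbox code): correlate an Equation Editor launch
with a later outbound connection from the same process.
EVENTS are constructed Sysmon-style dicts (EID 1 ProcessCreate, EID 3
NetworkConnect); GUIDs, PIDs and the noise event are invented, the image paths
and 172.67.134.136:443 come from the report above."""
import ipaddress

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-word}", "Image": WINWORD,
     "CommandLine": f'"{WINWORD}" /Automation -Embedding',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    # The sandbox attributes this creation to WINWORD.EXE.
    {"EventID": 1, "ProcessGuid": "{guid-eqn-1}", "Image": EQNEDT,
     "CommandLine": f'"{EQNEDT}" -Embedding',
     "ParentImage": WINWORD, "ParentCommandLine": f'"{WINWORD}" /Automation -Embedding'},
    # Raw Sysmon usually shows the DCOM launcher as the parent instead (constructed).
    {"EventID": 1, "ProcessGuid": "{guid-eqn-2}", "Image": EQNEDT,
     "CommandLine": f'"{EQNEDT}" -Embedding',
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch"},
    {"EventID": 3, "ProcessGuid": "{guid-eqn-1}", "Image": EQNEDT, "Protocol": "tcp",
     "SourceIp": "192.168.2.22", "SourcePort": 49163,
     "DestinationIp": "172.67.134.136", "DestinationPort": 443},
    # Constructed noise: Word itself talking to an internal file server.
    {"EventID": 3, "ProcessGuid": "{guid-word}", "Image": WINWORD, "Protocol": "tcp",
     "SourceIp": "192.168.2.22", "SourcePort": 49170,
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def launched_from_office(ev):
    """True when EQNEDT32.EXE's parent is an Office process, or the DCOM
    launcher through which COM activation from Office normally appears."""
    parent = image_name(ev["ParentImage"])
    return (parent in OFFICE_IMAGES
            or (parent == "svchost.exe"
                and "dcomlaunch" in ev.get("ParentCommandLine", "").lower()))


def detect(events):
    """Two-stage correlation keyed on ProcessGuid: first every Equation Editor
    launch, then any outbound connection to a public address by one of them."""
    flagged = {}
    alerts = []
    for ev in events:
        if (ev["EventID"] == 1 and image_name(ev["Image"]) == EQUATION_EDITOR
                and launched_from_office(ev)):
            flagged[ev["ProcessGuid"]] = ev
            alerts.append({"rule": "equation_editor_launched",
                           "guid": ev["ProcessGuid"],
                           "detail": f"parent={image_name(ev['ParentImage'])}"})
    for ev in events:
        if ev["EventID"] == 3 and ev["ProcessGuid"] in flagged:
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if dst.is_global:  # internal/sandbox ranges are not interesting here
                alerts.append({"rule": "equation_editor_external_connect",
                               "guid": ev["ProcessGuid"],
                               "detail": f"{dst}:{ev['DestinationPort']}"})
    return alerts


def verdict(alerts):
    rules = {a["rule"] for a in alerts}
    if "equation_editor_external_connect" in rules:
        return "high"    # chain completed: Equation Editor went out to the internet
    if "equation_editor_launched" in rules:
        return "medium"  # rare on maintained installs; Microsoft removed the component in January 2018
    return "none"


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a["rule"], a["guid"], a["detail"])
    print("verdict:", verdict(found))
```

Keying the second stage on ProcessGuid rather than on the image path matters: a second EQNEDT32.EXE instance that never connects (as {guid-eqn-2} above) stays at medium, and Word's own connection to an internal server is ignored because it belongs to a different process.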
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000002.355159790.000000000056D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/A
Source: EQNEDT32.EXE, 00000002.00000002.355159790.000000000056D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/I
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.355359988.00000000040B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/hon.scr
Source: EQNEDT32.EXE, 00000002.00000002.355159790.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/hon.scrF
Source: EQNEDT32.EXE, 00000002.00000002.355159790.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/hon.scrP
Source: EQNEDT32.EXE, 00000002.00000002.355159790.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/hon.scrj
Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown | HTTPS traffic detected: 172.67.134.136:443 -> 192.168.2.22:49163 version: TLS 1.2
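Every entry above has the shape "Source: <origin> | <observation>", with link text from the web page left over at the end. The parser below is an added example, not Joe Sandbox tooling, run over a constructed excerpt of the entries on this page. It keeps indicators that were seen in traffic or labelled by a vendor separate from URLs found only in EQNEDT32.EXE memory (which can carry trailing bytes, as hon.scrF, hon.scrP and hon.scrj show), drops the sandbox's own RFC 1918 address, and drops CRL/OCSP/CPS hosts of public CAs, which most plausibly sit in memory because of Windows certificate-chain validation during the TLS connection rather than because the sample contacted them. The CA allowlist, the file-suffix filter and the regular expressions are this example's assumptions.

```python
"""Added example (not Joe Sandbox tooling): extract network IOCs from the
'Source: <origin> | <observation>' entries of a flattened sandbox report.
LINES is a constructed excerpt of the entries on this page."""
import ipaddress
import re
from urllib.parse import urlparse

LINES = [
    "Source: https://dukeenergyltd.top/hon.scr | Avira URL Cloud: Label: malware |",
    "Source: dukeenergyltd.top | Virustotal: Detection: 25% | Perma Link |",
    "Source: C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE | Network connect: IP: 172.67.134.136 Port: 443 | Jump to behavior |",
    "Source: global traffic | DNS query: name: dukeenergyltd.top |",
    "Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 172.67.134.136:443 |",
    "Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b |",
    "Source: EQNEDT32.EXE, 00000002.00000002.355159790.000000000053F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dukeenergyltd.top/hon.scrF |",
    "Source: EQNEDT32.EXE, 00000002.00000002.355159790.00000000005BA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |",
]

LINK_RESIDUE = {"Jump to behavior", "Perma Link", ""}
# Public-CA hosts that appear in memory during TLS chain validation (example
# allowlist; blocking these would break legitimate PKI traffic).
PKI_NOISE = ("comodoca.com", "comodo.com", "entrust.net", "globalsign.net",
             "pkioverheid.nl", "digicert.com.my", "diginotar.nl")
# Sources that look like "name.tld" but are files, not hosts (example list).
FILE_SUFFIXES = (".exe", ".dll", ".doc", ".scr", ".tmp", ".lnk", ".dr")

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
NETCONNECT_RE = re.compile(r"IP: (\d{1,3}(?:\.\d{1,3}){3}) Port: (\d{1,5})")
URL_RE = re.compile(r"https?://[^\s|]+")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def split_entry(line):
    """'Source: X | Y | Jump to behavior |' -> ('X', 'Y'); link residue dropped."""
    cells = [c.strip() for c in line.split("|")]
    cells = [c for c in cells if c not in LINK_RESIDUE]
    source = cells[0].partition("Source:")[2].strip()
    return source, " | ".join(cells[1:])


def is_pki_noise(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in PKI_NOISE)


def public_ip(text):
    try:
        return ipaddress.ip_address(text).is_global
    except ValueError:
        return False


def extract_iocs(lines):
    iocs = {"domains": set(), "ip_ports": set(), "urls": set(),
            "memory_urls": set(), "ja3": set()}
    for line in lines:
        source, obs = split_entry(line)
        if obs.startswith("DNS query: name: "):
            iocs["domains"].add(obs.split("name: ", 1)[1].strip().lower())
        for ip, port in IP_PORT_RE.findall(obs) + NETCONNECT_RE.findall(obs):
            if public_ip(ip):  # drops the sandbox's own 192.168.2.22
                iocs["ip_ports"].add((ip, int(port)))
        iocs["ja3"].update(JA3_RE.findall(obs))
        from_memory = obs.startswith("String found in binary or memory")
        for url in URL_RE.findall(source + " " + obs):
            host = urlparse(url).hostname or ""
            if not host or is_pki_noise(host):
                continue
            # Memory strings may carry trailing bytes (hon.scrF, hon.scrP, ...),
            # so keep them apart from URLs seen on the wire or labelled by a vendor.
            iocs["memory_urls" if from_memory else "urls"].add(url)
            iocs["domains"].add(host.lower())
        if (DOMAIN_RE.match(source) and not source.lower().endswith(FILE_SUFFIXES)
                and not is_pki_noise(source)):
            iocs["domains"].add(source.lower())
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(LINES).items():
        print(kind, sorted(values))
```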
Source: New Order .doc, type: SAMPLE | Matched rule: Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents. Author: ditekSHen
Source: Screenshot number: 4 | Screenshot OCR: Enable editing from the yellow bar above.The independent auditors' opinion says the financial state
Source: Screenshot number: 8 | Screenshot OCR: Enable editing Hom the yellow bx above.The indqpendmt auditors' opinion says the fnancial statemmts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Memory allocated: 770B0000 page execute and read and write (entry appears twice in the report)
Source: New Order .doc, type: SAMPLE | Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embedding one of the objects mostly observed in exploit documents.
Source: classification engine | Classification label: mal100.expl.winDOC@4/7@1/1
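The rule match above (INDICATOR_RTF_MalVer_Objects) keys on two traits of exploit RTFs: a header version other than the standard {\rtf1, which Word's lenient parser still accepts, and an embedded OLE object of a kind rarely seen in ordinary business documents. The script below is an added example written for this page; it is not ditekSHen's YARA rule and does not reproduce that rule's conditions. It applies the same two checks to a byte string and decodes the OLE1 object header carried in \objdata (the MS-OLEDS ObjectHeader: OLEVersion, FormatID, then a length-prefixed class name) to recover the embedded class. Both RTF samples are constructed for the example and contain no exploit; the list of suspicious ProgIDs is this script's assumption.

```python
"""Added example (not the ditekSHen YARA rule the report matched): RTF triage
in the spirit of that rule's description. Flags a non-standard header version
and embedded OLE objects, and decodes the OLE1 header in \\objdata to recover
the class name. Samples are constructed and carry no exploit content."""
import re
import struct

HEADER_RE = re.compile(rb"^\s*\{\\rtf(\d*)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

# ProgIDs rarely embedded in legitimate business documents but common in
# exploit RTFs (assumption of this example, not the rule's list).
SUSPICIOUS_PROGIDS = {"equation.3", "equation.2", "package"}

# Constructed samples. The OLE1 header below is just OLEVersion 0x501,
# FormatID 2 (embedded) and the class name "Equation.3"; no payload follows.
EXPLOIT_STYLE_RTF = (b"{\\rtf9\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
                     b"{\\*\\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 }}}")
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Hello, world.\\par}"


def ole1_class_name(blob):
    """Parse the MS-OLEDS ObjectHeader: OLEVersion, FormatID (1 linked,
    2 embedded), then a length-prefixed ANSI class name."""
    if len(blob) < 12:
        return None
    _version, format_id, length = struct.unpack_from("<III", blob, 0)
    if format_id not in (1, 2) or length == 0 or 12 + length > len(blob):
        return None
    return blob[12:12 + length].rstrip(b"\x00").decode("latin-1")


def scan_rtf(data):
    m = HEADER_RE.match(data)
    version = m.group(1).decode() if m else None
    objects = []
    for od in OBJDATA_RE.finditer(data):
        hexdata = re.sub(rb"\s+", b"", od.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:          # odd-length or otherwise broken hex run
            blob = b""
        objects.append({"ole1_class": ole1_class_name(blob),
                        "payload_bytes": len(blob)})
    progids = {c.decode("latin-1").lower() for c in OBJCLASS_RE.findall(data)}
    progids |= {o["ole1_class"].lower() for o in objects if o["ole1_class"]}
    nonstandard = m is not None and version != "1"
    hits = progids & SUSPICIOUS_PROGIDS
    return {
        "is_rtf": m is not None,
        "header_version": version,
        "nonstandard_header": nonstandard,
        "objects": objects,
        "progids": progids,
        # Either a known-bad ProgID, or any object at all behind an odd header.
        "suspicious": bool(hits) or (nonstandard and bool(objects)),
    }


if __name__ == "__main__":
    for name, sample in (("exploit-style", EXPLOIT_STYLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(sample))
```

The ProgID is taken from both \objclass and the decoded OLE1 header because exploit builders routinely omit or falsify one of the two; comparing them is itself a useful signal.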
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$w Order .doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR74D1.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (entry appears twice in the report)
Source: New Order .doc | ReversingLabs: Detection: 50%
Source: New Order .doc | Virustotal: Detection: 43%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64win.dll (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: wow64cpu.dll (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: msi.dll (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: cryptsp.dll (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rpcrtremote.dll (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dwmapi.dll (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: version.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: secur32.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winhttp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: webio.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: iphlpapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: winnsi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dnsapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: nlaapi.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: rasadhlp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: credssp.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: ncrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: bcrypt.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Section loaded: gpapi.dll
Source: New Order .LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\New Order .doc
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00556E46 push ebp; ret | 2_2_00556E47 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0054E505 push 127256F0h; ret | 2_2_0054E641 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00549031 push edx; retf | 2_2_00549032 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00556E3E push ebp; ret | 2_2_00556E3F |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055542A push ebx; ret | 2_2_0055542B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005564D4 push dword ptr [ecx+ebp-50h]; ret | 2_2_005564DB |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00556DDE push ebx; ret | 2_2_00556DDF |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005401F4 push eax; retf | 2_2_005401F5 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005564E1 push dword ptr [ecx+ebp-50h]; ret | 2_2_005564EB |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_005552EE push ecx; ret | 2_2_005552EF |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_00555492 push esp; ret | 2_2_00555493 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_0055548A push esp; ret | 2_2_0055548B |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (entry appears five times in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob (entry appears twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (entry appears 41 times in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2064 | Thread sleep time: -240000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3268 | Thread sleep time: -180000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid