Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 21.0.0 |
Analysis ID: | 487031 |
Start time: | 19:13:34 |
Joe Sandbox Product: | Cloud |
Start date: | 24.01.2018 |
Overall analysis duration: | 0h 9m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | DoNotOpen2.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43) |
Number of new started processes analysed: | 11 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies |
Detection: | MAL |
Classification: | mal96.evad.expl.troj.winDOC@7/13@7/2 |
HCA Information: |
EGA Information: |
Cookbook Comments: |
Warnings: |
Detection |
---|
Strategy | Score | Range | Reporting | Detection |
---|---|---|---|---|
Threshold | 96 | 0 - 100 | Report FP / FN | MAL |
Confidence |
---|
Strategy | Score | Range | Further Analysis Required? | Confidence |
---|---|---|---|---|
Threshold | 5 | 0 - 5 | false | |
Classification |
---|
Analysis Advice |
---|
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior |
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
Signature Overview |
---|
Exploits: |
---|
Office Equation Editor has been started |
Source: unknown | Process created: |
Source: unknown | Process created: |
Office Equation Editor starts processes (likely CVE-2017-11882 or CVE-2018-0802) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: |
Key, Mouse, Clipboard, Microphone and Screen Capturing: |
---|
Creates a window with clipboard capturing capabilities |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Window created: |
Software Vulnerabilities: |
---|
Potential document exploit detected (performs DNS queries) |
Source: global traffic | DNS query: |
Potential document exploit detected (performs HTTP gets) |
Source: global traffic | TCP traffic: |
Potential document exploit detected (unknown TCP traffic) |
Source: global traffic | TCP traffic: |
Document exploit detected (drops PE files) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Networking: |
---|
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Downloads files from webservers via HTTP |
Source: global traffic | HTTP traffic detected: |
Performs DNS lookups |
Source: unknown | DNS traffic detected: |
Posts data to webserver |
Source: unknown | HTTP traffic detected: |
Urls found in memory or binary data |
Source: WINWORD.EXE | String found in binary or memory: | (5 entries) |
Source: explorer.exe | String found in binary or memory: |
Source: explorer.exe | String found in binary or memory: |
Source: iexplore.exe | String found in binary or memory: | (9 entries) |
Source: WINWORD.EXE | String found in binary or memory: | (4 entries) |
Source: explorer.exe | String found in binary or memory: |
Source: WINWORD.EXE | String found in binary or memory: |
Source: explorer.exe | String found in binary or memory: |
Source: WINWORD.EXE | String found in binary or memory: |
Source: iexplore.exe | String found in binary or memory: | (3 entries) |
Source: explorer.exe | String found in binary or memory: |
May check the online IP address of the machine |
Source: unknown | DNS query: | (7 entries) |
Boot Survival: |
---|
Creates an autostart registry key |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry value created or modified: | (4 entries) |
Creates an autostart registry key pointing to binary in C:\Windows |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry value created or modified: |
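Both behaviours recorded above, Equation Editor spawning a child process (Exploits section) and iexplore.exe writing an autostart Run value (Boot Survival), can be matched directly in endpoint telemetry. The following is an added example, not part of the Joe Sandbox report, that runs that matching over Sysmon-style events (Event ID 1 process creation with Image and ParentImage, Event ID 13 registry value set with TargetObject and Details). The events, PIDs, SID and paths are constructed, and the NO_PERSIST_IMAGES list is an assumption to tune per environment. One caveat the sample events encode: EQNEDT32.EXE is started out-of-process through COM, so its parent is svchost.exe (DcomLaunch) rather than WINWORD.EXE, which is why the rule keys on EQNEDT32.EXE being a parent instead of on Office being its parent.

```python
"""Detection logic for two behaviours in the report, run over constructed
Sysmon-style events (not data from the Joe Sandbox report):
  * EQNEDT32.EXE acting as the parent of a new process (Exploits section)
  * a Run/RunOnce value written by a process that should never persist
    anything, here iexplore.exe (Boot Survival section)
"""
import re
from dataclasses import dataclass

EQNEDT = "eqnedt32.exe"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Assumption for this example: images that have no legitimate reason to write
# autostart values; tune per environment.
NO_PERSIST_IMAGES = {"iexplore.exe", "winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per matching event, in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:  # Sysmon process creation
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            if image == EQNEDT:
                # Low severity on its own: Equation Editor is only needed for
                # legacy Equation.3 objects and is rarely seen in normal use.
                alerts.append(Alert("eqnedt32_started", ev["ProcessId"], ev["ParentImage"]))
            if parent == EQNEDT:
                # Equation Editor never needs to spawn anything; a child process
                # is the post-exploitation stage of CVE-2017-11882 / CVE-2018-0802.
                alerts.append(Alert("eqnedt32_child_process", ev["ProcessId"],
                                    f"{ev['ParentImage']} -> {ev['Image']}"))
        elif ev["EventID"] == 13:  # Sysmon registry value set
            if RUN_KEY_RE.search(ev["TargetObject"]) and basename(ev["Image"]) in NO_PERSIST_IMAGES:
                alerts.append(Alert("run_key_from_unexpected_image", ev["ProcessId"],
                                    f"{ev['TargetObject']} = {ev['Details']}"))
    return alerts


# Constructed events; PIDs, SID and the dropped-file path are placeholders.
# EQNEDT32.EXE is started through COM, so its parent is svchost.exe (DcomLaunch),
# not WINWORD.EXE; a rule keyed on "Office spawned it" would miss it.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1104, "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2236, "Image": r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 2388, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE"},
    {"EventID": 13, "ProcessId": 2388, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Windows\Tasks\updater.exe"},
    # Benign noise that must not fire: Explorer starting the browser, an
    # installer registering itself in Run.
    {"EventID": 1, "ProcessId": 3001, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "ProcessId": 3100, "Image": r"C:\Users\user\Downloads\setup.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:32} pid={a.pid:<6} {a.detail}")
```

Sysmon does not record whether a process was created suspended, so the report's "creates a process in suspended mode" signature has no direct telemetry equivalent; the child-of-EQNEDT32 rule covers the same step of the chain, since the suspended process is that child.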
Remote Access Functionality: |
---|
Contains functionality to launch and control a shell (cmd.exe) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00515486 |
Stealing of Sensitive Information: |
---|
Searches for user specific document files |
Source: C:\Windows\explorer.exe | Key value created or modified: | (5 entries) |
Persistence and Installation Behavior: |
---|
Contains functionality to read ini properties file for application configuration |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_005114F8 |
Drops PE files |
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Drops files with a non-matching file extension (content does not match file extension) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Data Obfuscation: |
---|
Contains functionality to dynamically determine API calls |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00517143 |
Uses code obfuscation techniques (call, push, ret) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B34B6 |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B333C |
System Summary: |
---|
Reads the Windows registered owner settings |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value created or modified: |
Uses Rich Edit Controls |
Source: C:\Windows\explorer.exe | File opened: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Uses new MSVCR Dlls |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: |
Binary contains paths to development resources |
Source: iexplore.exe | Binary or memory string: |
Classification label |
Source: classification engine | Classification label: |
Contains functionality to check free disk space |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00516D52 |
Contains functionality to enum processes or threads |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F2A05 |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Launches a second explorer.exe instance |
Source: unknown | Process created: |
Source: unknown | Process created: |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Reads the Windows registered organization settings |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value created or modified: |
Spawns processes |
Source: unknown | Process created: | (6 entries) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Windows\explorer.exe | Key value queried: |
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011) |
Source: NavShExt.dll.3.dr | Static PE information: |
Detected potential crypto function |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B223D |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F13F5 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00513ABC |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00519361 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00519958 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_005186ED |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00519591 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00518EF8 |
Found potential string decryption / allocating functions |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: |
Office process drops PE file |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
HIPS / PFW / Operating System Protection Evasion: |
---|
May try to detect the Windows Explorer process (often used for injection) |
Source: iexplore.exe, explorer.exe | Binary or memory string: | (3 entries) |
Creates a process in suspended mode (likely to inject code) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Process created: |
Contains functionality to inject code into remote processes |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B223D |
Contains functionality to inject threads in other processes |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B223D |
Anti Debugging: |
---|
Contains functionality to register its own exception handler |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B2860 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F32A0 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_0051A460 |
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | System information queried: |
Contains functionality to check if a debugger is running (IsDebuggerPresent) |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B223D |
Contains functionality to dynamically determine API calls |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00517143 |
Malware Analysis System Evasion: |
---|
Contains functionality to query system information |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00517535 |
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) |
Source: iexplore.exe | Binary or memory string: | (9 entries) |
Contains functionality to query network adapter information |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F2FA1 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_005177AB |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00514B82 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00514AAC |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Source: C:\Windows\explorer.exe | Window / User API: |
Found dropped PE file which has not been started or loaded |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped PE file which has not been started: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3440 | Thread sleep time: |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3440 | Thread sleep time: |
Source: C:\Windows\explorer.exe TID: 3540 | Thread sleep time: |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3536 | Thread sleep time: |
Contains functionality to detect sandboxes (MAC address check) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F2FA1 | (3 entries) |
Contains functionality to detect sandboxes (registry check) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F28FC | (11 entries) |
Contains functionality to detect virtual machines (IN, VMware) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F278F |
Tries to detect sandboxes and other dynamic analysis tools (process name) |
Source: iexplore.exe | Binary or memory string: | (11 entries) |
Tries to detect virtual machines |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F2A05 |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_004F27E5 |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: | (56 entries) |
Source: C:\Windows\explorer.exe | Process information set: | (3 entries) |
Language, Device and Operating System Detection: |
---|
Contains functionality to query local / system time |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Code function: | 2_2_617B3362 |
Contains functionality to query the account / user name |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00517143 |
Queries the cryptographic machine GUID |
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE | Key value queried: |
Contains functionality to query locale information (e.g. system language) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_00516DF6 |
Queries information about the installed CPU (vendor, model number etc) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Registry key value queried: |
Queries the product ID of Windows |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value queried: |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value queried: |
Uses the system / local time for branch decision (may execute only at specific dates) |
Source: C:\Program Files\Internet Explorer\iexplore.exe | Code function: | 3_2_005163DA |
Behavior Graph |
---|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
19:15:15 | API Interceptor | 340x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 5000ms |
19:15:17 | API Interceptor | 3x Sleep call for process: EQNEDT32.EXE modified from: 60000ms to: 5000ms |
19:15:18 | API Interceptor | 938x Sleep call for process: explorer.exe modified from: 60000ms to: 5000ms |
19:15:20 | API Interceptor | 2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 5000ms |
Antivirus Detection |
---|
Yara Overview |
---|
Initial Sample |
---|
No yara matches |
---|
PCAP (Network Traffic) |
---|
No yara matches |
---|
Dropped Files |
---|
No yara matches |
---|
Memory Dumps |
---|
No yara matches |
---|
Unpacked PEs |
---|
No yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Type: | |
Size (bytes): | 72704 |
Entropy (8bit): | 7.792067824152349 |
Encrypted: | false |
MD5: | CD36BBD7F949CF017EDBA0E6AAADF28C |
SHA1: | 2FDE32F2695BC7B3B702A1E3B53A8C38E60B7402 |
SHA-256: | 6DC2A49D58DC568944FEF8285AD7A03B772B9BDF1FE4BDDFF3F1ADE3862EAE79 |
SHA-512: | 37C99E8FF71C6FF4FFBE39F0358E019379094D75C5B0C7E7837C783134704369C860B22AE2EE0346692FFF44738F592CFAAA050C4BF649D7F661964BC1F252B5 |
Malicious: | true |
Reputation: | low |
File Type: | |
Size (bytes): | 26 |
Entropy (8bit): | 3.9500637564362093 |
Encrypted: | false |
MD5: | FBCCF14D504B7B2DBCB5A5BDA75BD93B |
SHA1: | D59FC84CDD5217C6CF74785703655F78DA6B582B |
SHA-256: | EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
SHA-512: | AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 1234 |
Entropy (8bit): | 7.673826510159546 |
Encrypted: | false |
MD5: | 1DDCBB5BE7004A9C3D60E6EA201EC6BF |
SHA1: | B76B1345B5863020D49913A5DDFC9104275D4E02 |
SHA-256: | DBDDA9E664A2F00F69F618B41A50F0DEE1380A6A1251AAAEC4A071147BDD85E8 |
SHA-512: | 4B846E55A4ACD6486707087DD527468EE69B3CF74BD7FE9D0EB0EEB6AE9CA663D4FCEDB107E256B0C8B34A05BFBC59CF1A3564EF96E5AE6264D39C1EB3C75A40 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 4952 |
Entropy (8bit): | 3.5299498766178474 |
Encrypted: | false |
MD5: | 76A6A9E9C48C004024044BCE75D37E51 |
SHA1: | 4C00770A39340B2A048510A0950634831A05D5B1 |
SHA-256: | 4F8B5CF21952829BAC2C984A04B8C842ED1E410D66A399E4EDBA08F12518DA00 |
SHA-512: | 6C465F047EFA3CCC419DF87DCF6F3A29DEA5C16C0F922B13F637987D9914F7897735D6930CCD950127E229BDE384C1660A3670EA706473A82CCEC2E075E7AC70 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 4096 |
Entropy (8bit): | 2.0923481278854603 |
Encrypted: | false |
MD5: | 92086E57A2606B48530BD480E4433466 |
SHA1: | 7846DDC450B391B6C8CFB816C809E6456C7082A1 |
SHA-256: | 8D758651DD164E0528775ED8F4A639E8BE4432CF862D346043CCD012FADFB22F |
SHA-512: | BA7F634EDF1FB4849590103703A52CBF5474C27695D347BF1AE46809B5403B76C8E4248B0C0E9E9B4E055179392B6AA8865E7A93774D1C15B3E087CA334F4F18 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 1024 |
Entropy (8bit): | 0.05390218305374581 |
Encrypted: | false |
MD5: | 5D4D94EE7E06BBB0AF9584119797B23A |
SHA1: | DBB111419C704F116EFA8E72471DD83E86E49677 |
SHA-256: | 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 |
SHA-512: | 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 17162 |
Entropy (8bit): | 3.885473232990777 |
Encrypted: | false |
MD5: | DEF82BC50419BEA3579CE03222140012 |
SHA1: | 6140A77DA25681CB99C87FC6F64DB4871CA8D97C |
SHA-256: | D80AA9834FBB4564C928BB46C06FD6258DF3DAE1F6977C6DEAA08BFB9228C498 |
SHA-512: | 68231D80CB4A2C7DC0F0E0A28AD5F2C5FFA200E38B1ADF7FD196018424768C0460638F0E4F3D8E16B60020839D324BCB012891F58177876A4945B1CDD90C2446 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 2066 |
Entropy (8bit): | 4.571699609436004 |
Encrypted: | false |
MD5: | AB3ECA74AF0ED11F094BE0571FE5F06B |
SHA1: | 74597A880CA352A5AF0A8B6B9C4BEED26E676F32 |
SHA-256: | 31A8A67BBC167FE4C7CC81DE2F66A4825C22DFE5C7E631C924C35542141A9DF9 |
SHA-512: | 6AF53713B731666836042EA1BB301D9C3FDC98BC3EB3DFA468F5A2605E005D2E048B331BC5E09FD62688DF2987370C35861999A2AE27FA1A63BCCBF599F4AF96 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 54 |
Entropy (8bit): | 4.416653011302537 |
Encrypted: | false |
MD5: | 95E7739FE75359E97BD88812A26D19B6 |
SHA1: | E6AAC3EF7260591E2AB3ABA6C47541C2BC39D9DE |
SHA-256: | C842AE68D3CEBFB0E8AEAEF9547AF8A8C5D235BDD39E8383695880F50352E824 |
SHA-512: | DA9CB469DE47C83A41322130584708E24C76E81259F7E5C9DF08F061882F9C5C8105F7A59D97ED6D3176EA087A7E4553700CAB0DF1368E0868C9EA23C9E4195F |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 162 |
Entropy (8bit): | 3.020922996257724 |
Encrypted: | false |
MD5: | FFCBCAB394CED9465D4D47DA6DDDAD73 |
SHA1: | E4E8220021519959D56383BE9F0DAAB4419B106B |
SHA-256: | 0F219C83F79A184F98D27BADD94BC48A8025B49A7E62A28B67FDBE27AB229AB5 |
SHA-512: | 0A182F9A4A8686F25CD40723186E8BD2C7FA86C87D88F10FAD74040E122E37905538FEB7951C374AA982B793C08F85D28B91F0DF6787F684F8BAB8B4189E4025 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 72704 |
Entropy (8bit): | 7.792067824152349 |
Encrypted: | false |
MD5: | CD36BBD7F949CF017EDBA0E6AAADF28C |
SHA1: | 2FDE32F2695BC7B3B702A1E3B53A8C38E60B7402 |
SHA-256: | 6DC2A49D58DC568944FEF8285AD7A03B772B9BDF1FE4BDDFF3F1ADE3862EAE79 |
SHA-512: | 37C99E8FF71C6FF4FFBE39F0358E019379094D75C5B0C7E7837C783134704369C860B22AE2EE0346692FFF44738F592CFAAA050C4BF649D7F661964BC1F252B5 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 162 |
Entropy (8bit): | 3.020922996257724 |
Encrypted: | false |
MD5: | FFCBCAB394CED9465D4D47DA6DDDAD73 |
SHA1: | E4E8220021519959D56383BE9F0DAAB4419B106B |
SHA-256: | 0F219C83F79A184F98D27BADD94BC48A8025B49A7E62A28B67FDBE27AB229AB5 |
SHA-512: | 0A182F9A4A8686F25CD40723186E8BD2C7FA86C87D88F10FAD74040E122E37905538FEB7951C374AA982B793C08F85D28B91F0DF6787F684F8BAB8B4189E4025 |
Malicious: | false |
Reputation: | low |
File Type: | |
Size (bytes): | 116 |
Entropy (8bit): | 4.053374040827533 |
Encrypted: | false |
MD5: | 080E701E8B8E2E9C68203C150AC7C6B7 |
SHA1: | 4EF041621388B805758AE1D3B122F9D364705223 |
SHA-256: | FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D |
SHA-512: | C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79 |
Malicious: | false |
Reputation: | low |
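The table above lists the same 72704-byte file twice (identical MD5 and SHA-256, entropy 7.79, once "Malicious: true" and once "false") next to a handful of small, low-entropy files. The following is an added example, not Joe Sandbox code, that reproduces those per-file fields (the four hashes and the 8-bit Shannon entropy), adds a zlib compressibility figure comparable to the one behind the "packed section" signature in System Summary, flags PE files that look packed, and de-duplicates drops by SHA-256 so conflicting verdicts on one file collapse to the stronger one. The report does not define its compression ratio, so the definition used here is labelled as an assumption; the buffers and paths are constructed.

```python
"""Dropped-file triage matching the fields in the report's "Created / dropped
Files" table: the four hashes, 8-bit Shannon entropy, a zlib compressibility
figure, a packed/encrypted heuristic, and de-duplication by SHA-256 (the
report lists the same 72704-byte PE twice with conflicting verdicts).
Added example, not Joe Sandbox code; buffers and paths are constructed."""
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; this is the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compressibility(data: bytes) -> float:
    """1 - compressed_size/raw_size. Values near or below 0 mean zlib gained
    nothing, i.e. the bytes already look random (packed or encrypted).
    Assumption: the report's 'zlib compression ratio < 0.011' is this measure;
    Joe Sandbox does not publish its exact definition."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 9)) / len(data)


def hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def describe(path: str, data: bytes, malicious: bool = False) -> dict:
    ent, comp = shannon_entropy(data), compressibility(data)
    is_pe = data.startswith(b"MZ")
    return {"path": path, "size": len(data), "pe": is_pe,
            "entropy": round(ent, 3), "compressibility": round(comp, 4),
            # Thresholds are the example's own; ~7.2 bits/byte for a whole PE
            # is a common rule of thumb for packed binaries.
            "likely_packed": is_pe and (ent > 7.2 or comp < 0.011),
            "malicious": malicious, **hashes(data)}


def dedupe(entries):
    """Collapse drops with identical SHA-256 into one record that keeps every
    path and the strongest verdict, so a second copy of a malicious file
    does not read as a separate, clean artefact."""
    by_hash = {}
    for e in entries:
        rec = by_hash.get(e["sha256"])
        if rec is None:
            by_hash[e["sha256"]] = dict(e, paths=[e["path"]])
        else:
            rec["paths"].append(e["path"])
            rec["malicious"] = rec["malicious"] or e["malicious"]
    return list(by_hash.values())


# Constructed buffers: a pseudo-random "PE" body standing in for a packed
# payload, a small text config, and a zero-filled index file.
_rng = random.Random(2018)
PACKED_PE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(72702))
CONFIG_TXT = b"[settings]\r\nserver=example.invalid\r\nretry=5\r\n" * 4
ZEROS = b"\x00" * 1024

SAMPLE_DROPS = [
    describe(r"C:\Users\user\AppData\Local\Temp\NavShExt.dll", PACKED_PE, malicious=True),
    describe(r"C:\Users\user\AppData\Roaming\NavShExt.dll", PACKED_PE),  # same bytes, second drop
    describe(r"C:\Users\user\AppData\Local\Temp\settings.ini", CONFIG_TXT),
    describe(r"C:\Users\user\AppData\Local\Temp\index.dat", ZEROS),
]

if __name__ == "__main__":
    for rec in dedupe(SAMPLE_DROPS):
        print(f"{rec['sha256'][:16]} size={rec['size']:<6} H={rec['entropy']:<5} "
              f"packed={rec['likely_packed']!s:<5} mal={rec['malicious']!s:<5} {rec['paths']}")
```

Whole-file entropy is a coarse signal: a large PE with one encrypted resource can sit well below 7.2 overall, which is why the report's own signature works per section. The zlib figure is cheap and catches the same thing at the section level once the PE section table has been parsed.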
Contacted Domains/Contacted IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection |
---|---|---|---|---|
api.ipaddress.com | 209.126.119.177 | true | true |
Contacted IPs |
---|
IP | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|
103.236.150.14 | Indonesia | 55664 | IDNIC-SERVERKEREN-AS-IDPTExaRekatekProsolusiID | false |
209.126.119.177 | United States | 30083 | SERVER4YOU-server4youIncUS | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.652722413777991 |
TrID: |
|
File name: | DoNotOpen2.doc |
File size: | 261090 |
MD5: | f12fc711529b48bcef52c5ca0a52335a |
SHA1: | 5f89a6b2f1f38b581c65e9a1117c43a3060bfdc1 |
SHA256: | d3fc69a9f2ae2c446434abbfbe1693ef0f81a5da0a7f39d27c80d85f4a49c411 |
SHA512: | dcec5673653561354867fa1586a60899e4fd952fd693922aaba86c765710cd32186ca7c1d94bc364e4d384681f4f5fd1de9f2836b4cd53bef39fcb2e96dc0a51 |
File Content Preview: | {\rtf1\adeflang1025\ansi\ansicpg936\uc2\adeff0\deff0\stshfdbch13\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe2052\themelang1033\themelangfe2052\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman; |
File Icon |
---|
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 24, 2018 19:14:59.392513037 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:00.392843008 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:01.468115091 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:03.470319986 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:07.470093012 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:08.509563923 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.509613991 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.509638071 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.509663105 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.519042969 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:08.983194113 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:09.517062902 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:09.659126043 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:09.665558100 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177 |
Jan 24, 2018 19:15:09.665606976 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16 |
Jan 24, 2018 19:15:09.665831089 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177 |
Jan 24, 2018 19:15:09.666721106 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177 |
Jan 24, 2018 19:15:09.666749001 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16 |
Jan 24, 2018 19:15:10.673778057 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:17.092802048 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16 |
Jan 24, 2018 19:15:17.172864914 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14 |
Jan 24, 2018 19:15:17.172935009 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16 |
Jan 24, 2018 19:15:17.173010111 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14 |
Jan 24, 2018 19:15:17.173393011 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14 |
Jan 24, 2018 19:15:17.173419952 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16 |
Jan 24, 2018 19:15:17.173904896 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14 |
Jan 24, 2018 19:15:17.173933983 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16 |
Jan 24, 2018 19:15:17.295620918 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16 |
Jan 24, 2018 19:15:17.295701981 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177 |
Jan 24, 2018 19:15:19.410465002 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16 |
Jan 24, 2018 19:15:19.410650015 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177 |
Jan 24, 2018 19:15:19.413503885 MEZ | 49188 | 80 | 192.168.1.16 | 209.126.119.177 |
Jan 24, 2018 19:15:19.413541079 MEZ | 80 | 49188 | 209.126.119.177 | 192.168.1.16 |
Jan 24, 2018 19:15:20.774741888 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16 |
Jan 24, 2018 19:15:20.775095940 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14 |
Jan 24, 2018 19:15:20.775259972 MEZ | 80 | 49189 | 103.236.150.14 | 192.168.1.16 |
Jan 24, 2018 19:15:20.775757074 MEZ | 49189 | 80 | 192.168.1.16 | 103.236.150.14 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 24, 2018 19:14:59.392513037 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:00.392843008 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:01.468115091 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:03.470319986 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:07.470093012 MEZ | 56975 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:08.509563923 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.509613991 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.509638071 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.509663105 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:08.519042969 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:08.983194113 MEZ | 53 | 56975 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:09.517062902 MEZ | 51208 | 53 | 192.168.1.16 | 8.8.8.8 |
Jan 24, 2018 19:15:09.659126043 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16 |
Jan 24, 2018 19:15:10.673778057 MEZ | 53 | 51208 | 8.8.8.8 | 192.168.1.16 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 24, 2018 19:14:59.392513037 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2018 19:15:00.392843008 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2018 19:15:01.468115091 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2018 19:15:03.470319986 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2018 19:15:07.470093012 MEZ | 192.168.1.16 | 8.8.8.8 | 0xe608 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2018 19:15:08.519042969 MEZ | 192.168.1.16 | 8.8.8.8 | 0x5ec4 | Standard query (0) | A (IP address) | IN (0x0001) | |
Jan 24, 2018 19:15:09.517062902 MEZ | 192.168.1.16 | 8.8.8.8 | 0x5ec4 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 24, 2018 19:15:08.509563923 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) | ||
Jan 24, 2018 19:15:08.509613991 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) | ||
Jan 24, 2018 19:15:08.509638071 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) | ||
Jan 24, 2018 19:15:08.509663105 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) | ||
Jan 24, 2018 19:15:08.983194113 MEZ | 8.8.8.8 | 192.168.1.16 | 0xe608 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) | ||
Jan 24, 2018 19:15:09.659126043 MEZ | 8.8.8.8 | 192.168.1.16 | 0x5ec4 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) | ||
Jan 24, 2018 19:15:10.673778057 MEZ | 8.8.8.8 | 192.168.1.16 | 0x5ec4 | No error (0) | 209.126.119.177 | A (IP address) | IN (0x0001) |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.1.16 | 49188 | 209.126.119.177 | 80 | C:\Program Files\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 24, 2018 19:15:09.666721106 MEZ | 1 | OUT | |
Jan 24, 2018 19:15:17.092802048 MEZ | 2 | IN | |
Jan 24, 2018 19:15:17.295620918 MEZ | 6 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.1.16 | 49189 | 103.236.150.14 | 80 | C:\Program Files\Internet Explorer\iexplore.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 24, 2018 19:15:17.173393011 MEZ | 3 | OUT | |
Jan 24, 2018 19:15:17.173904896 MEZ | 6 | OUT | |
Jan 24, 2018 19:15:20.774741888 MEZ | 7 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 19:15:14 |
Start date: | 24/01/2018 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 1423008 bytes |
MD5 hash: | 5D798FF0BE2A8970D932568068ACFD9D |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:15:16 |
Start date: | 24/01/2018 |
Path: | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 543304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:15:17 |
Start date: | 24/01/2018 |
Path: | C:\Program Files\Internet Explorer\iexplore.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 815312 bytes |
MD5 hash: | EE79D654A04333F566DF07EBDE217928 |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:15:18 |
Start date: | 24/01/2018 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 2972672 bytes |
MD5 hash: | 6DDCA324434FFA506CF7DC4E51DB7935 |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:15:18 |
Start date: | 24/01/2018 |
Path: | C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 543304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 19:15:18 |
Start date: | 24/01/2018 |
Path: | C:\Windows\explorer.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x77390000 |
File size: | 2972672 bytes |
MD5 hash: | 6DDCA324434FFA506CF7DC4E51DB7935 |
Has administrator privileges: | |
Programmed in: | C, C++ or other language |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 10.6% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 15.9% |
Total number of Nodes: | 207 |
Total number of Limit Nodes: | 13 |
Execution Graph |
---|
Execution Coverage: | 20.5% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 19.3% |
Total number of Nodes: | 491 |
Total number of Limit Nodes: | 5 |