Windows Analysis Report
test.doc

Overview

General Information

Sample name: test.doc
Analysis ID: 1532551
MD5: f5fc224eb5cbbff8ee4bf4670ed9611a
SHA1: 8e3f85dd6fb94da77990987bd26bde7e59042490
SHA256: 80f7f23bea03b2386ae91e156835c2a685d9515e0c42f4dd89f782d64a29f701
Tags: docuser-ikoora
Infos:

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Connects to a pastebin service (likely for C&C)
Document exploit detected (process start blacklist hit)
Installs new ROOT certificates
Office equation editor establishes network connection
Sigma detected: Equation Editor Network Connection
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: test.doc Avira: detected
Multi AV Scanner detection for submitted file
Source: test.doc ReversingLabs: Detection: 64%
Source: test.doc Virustotal: Detection: 56% Perma Link

Exploits
barindex
Office equation editor establishes network connection
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Network connect: IP: 104.20.4.235 Port: 443 Jump to behavior
Office Equation Editor has been started
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.22:49161 version: TLS 1.2

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: pastebin.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2027374 - Severity 1 - ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound : 104.20.4.235:443 -> 192.168.2.22:49161
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View IP Address: 104.20.4.235 104.20.4.235
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /raw/JtdAmHD5 HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pastebin.comConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B78A2EBB-134B-4F32-AD23-E4D3EAD5CCE0}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /raw/JtdAmHD5 HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pastebin.comConnection: Keep-Alive
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/
Source: EQNEDT32.EXE, 00000002.00000003.359634112.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5...
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5...mpoq
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD556z
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5598B1687
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5:
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5Py
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5dy
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000008F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/JtdAmHD5ed
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.22:49161 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe Window created: window name: CLIPBRDWNDCLASS

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: test.doc, type: SAMPLE Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 770B0000 page execute and read and write Jump to behavior
Searches for the Microsoft Outlook file path
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Yara signature match
Source: test.doc, type: SAMPLE Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: classification engine Classification label: mal92.troj.expl.winDOC@103/6@1/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$test.doc Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\TASKMGR.879e4d63-6c0e-4544-97f2-1244bd3f6de0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR86CB.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: test.doc ReversingLabs: Detection: 64%
Source: test.doc Virustotal: Detection: 56%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe" Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64win.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: mshtml.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: webio.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: nlaapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: credssp.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: bcrypt.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: d2d1.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dwrite.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe Section loaded: msls31.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\taskmgr.exe Window detected: Number of UI elements: 25
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_009201F4 push eax; retf 2_2_009201F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Code function: 2_2_0091C820 push eax; retf 2_2_0091C821

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Stores large binary data to the registry
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe Process information set: NOOPENFILEERRORBOX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Memory allocated: 37A0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 3FD0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 28F0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 3B80000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 3EE0000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 6B10000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 3E40000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 3F70000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 4310000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 4350000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 6580000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Windows\System32\mmc.exe Memory allocated: 3E70000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 29F0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 40D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4350000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4B60000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4070000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 26B0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3A60000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3AA0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6A90000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 40F0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2870000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3AD0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3C20000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6440000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3F80000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2FC0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4180000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 42A0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6950000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3F80000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3240000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 40D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 41D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6A00000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3570000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2770000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 29B0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2A70000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6AB0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 40D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 28F0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3B50000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3C10000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6370000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4010000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2770000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3A40000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3F50000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6520000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3DD0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2AF0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4060000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4130000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 63F0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3C80000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3BE0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 41D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 43C0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6460000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4000000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2770000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2840000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2BA0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 49D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3EE0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2FC0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4000000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4480000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6440000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 3EF0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 29D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4260000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 42A0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 62D0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 4040000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 26F0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2870000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 2930000 memory commit | memory reserve | memory write watch
Source: C:\Windows\System32\mmc.exe Memory allocated: 6680000 memory commit | memory reserve | memory write watch
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\taskmgr.exe Window / User API: foregroundWindowGot 401 Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Window / User API: foregroundWindowGot 473 Jump to behavior
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 924 Jump to behavior
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2494 Jump to behavior
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 898 Jump to behavior
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2625 Jump to behavior
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 861
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2702
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2728
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 866
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2578
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 867
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 824
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2356
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 773
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2322
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 857
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2155
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 765
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 2128
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 794
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1973
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 740
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1989
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 780
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1767
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 737
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1509
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1711
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 676
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1571
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 662
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 646
Source: C:\Windows\System32\mmc.exe Window / User API: threadDelayed 1496
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3388 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 4064 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 2964 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 660 Thread sleep count: 898 > 30 Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 660 Thread sleep count: 2625 > 30 Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 300 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2864 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3080 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 1780 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 520 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3592 Thread sleep count: 773 > 30
Source: C:\Windows\System32\mmc.exe TID: 3592 Thread sleep count: 2322 > 30
Source: C:\Windows\System32\mmc.exe TID: 1864 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2520 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3596 Thread sleep count: 765 > 30
Source: C:\Windows\System32\mmc.exe TID: 3596 Thread sleep count: 2128 > 30
Source: C:\Windows\System32\mmc.exe TID: 628 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2032 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 1876 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3680 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3832 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3792 Thread sleep count: 1711 > 30
Source: C:\Windows\System32\mmc.exe TID: 3792 Thread sleep count: 676 > 30
Source: C:\Windows\System32\mmc.exe TID: 1560 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2772 Thread sleep time: -120000s >= -30000s
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\taskmgr.exe Process created: unknown unknown Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1532551 Sample: test.doc Startdate: 13/10/2024 Architecture: WINDOWS Score: 92 34 Suricata IDS alerts for network traffic 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 4 other signatures 2->40 7 WINWORD.EXE 6 8 2->7         started        process3 file4 28 C:\Users\user\Desktop\~$test.doc, data 7->28 dropped 10 EQNEDT32.EXE 10 7->10         started        14 taskmgr.exe 7->14         started        16 taskmgr.exe 7->16         started        18 15 other processes 7->18 process5 dnsIp6 30 pastebin.com 10->30 32 pastebin.com 104.20.4.235, 443, 49161 CLOUDFLARENETUS United States 10->32 42 Installs new ROOT certificates 10->42 44 Office equation editor establishes network connection 10->44 20 mmc.exe 4 18 14->20         started        22 mmc.exe 18 14->22         started        24 mmc.exe 14->24         started        26 13 other processes 14->26 signatures7 46 Connects to a pastebin service (likely for C&C) 30->46 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.20.4.235
 pastebin.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
pastebin.com 104.20.4.235 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://pastebin.com/raw/JtdAmHD5 true
    		unknown