CAPE

Detections: Emotet


Analysis

Category: FILE
Package: Extraction
Started: 2019-12-03 05:59:09
Completed: 2019-12-03 06:02:56
Duration: 227 seconds

Options:
route = internet
procdump = 0

Log:
2019-12-03 05:59:10,015 [root] INFO: Date set to: 12-03-19, time set to: 05:59:10, timeout set to: 200
2019-12-03 05:59:10,046 [root] DEBUG: Starting analyzer from: C:\hxonwzw
2019-12-03 05:59:10,062 [root] DEBUG: Storing results at: C:\WPvYbYp
2019-12-03 05:59:10,062 [root] DEBUG: Pipe server name: \\.\PIPE\PkcyzMW
2019-12-03 05:59:10,062 [root] INFO: Analysis package "Extraction" has been specified.
2019-12-03 05:59:10,920 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:59:10,920 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:59:10,936 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:59:12,184 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-12-03 05:59:12,184 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:59:12,184 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:59:12,184 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:59:12,184 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:59:12,184 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:59:12,184 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:59:12,184 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:59:12,184 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-12-03 05:59:12,184 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2019-12-03 05:59:12,198 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\nonmanual.exe" with arguments "" with pid 864
2019-12-03 05:59:12,198 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:12,198 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:12,198 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:12,198 [root] DEBUG: Loader: Injecting process 864 (thread 1672) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:12,198 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:12,198 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:12,198 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77A00000
2019-12-03 05:59:12,198 [root] DEBUG: InjectDllViaIAT: Allocated 0xf5c bytes for new import table at 0x00460000.
2019-12-03 05:59:12,214 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:59:12,214 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:12,214 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 864
2019-12-03 05:59:14,226 [lib.api.process] INFO: Successfully resumed process with pid 864
2019-12-03 05:59:14,226 [root] INFO: Added new process to list with pid: 864
2019-12-03 05:59:14,243 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:59:14,243 [root] DEBUG: Process dumps disabled.
2019-12-03 05:59:14,273 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:14,273 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:14,273 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:59:14,273 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:14,273 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:14,273 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-12-03 05:59:14,273 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2019-12-03 05:59:14,273 [root] DEBUG: Debugger initialised.
2019-12-03 05:59:14,273 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 864 at 0x74eb0000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:59:14,273 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\nonmanual.exe".
2019-12-03 05:59:14,273 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2019-12-03 05:59:14,273 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:14,273 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2019-12-03 05:59:14,273 [root] DEBUG: AddTrackedRegion: EntryPoint 0x14e0, Entropy 5.957643e+00
2019-12-03 05:59:14,273 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2019-12-03 05:59:14,273 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 05:59:14,289 [root] INFO: Monitor successfully loaded in process with pid 864.
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x1a000.
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x40.
2019-12-03 05:59:14,289 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958180e+00.
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:14,289 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958193e+00.
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x80
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x80.
2019-12-03 05:59:14,289 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958186e+00.
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x20
2019-12-03 05:59:14,289 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2019-12-03 05:59:14,289 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958186e+00.
2019-12-03 05:59:14,382 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-12-03 05:59:14,382 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:59:14,382 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-12-03 05:59:14,382 [root] DEBUG: DLL loaded at 0x74E80000: C:\Windows\system32\profapi (0xb000 bytes).
2019-12-03 05:59:14,382 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:59:14,382 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:59:14,492 [root] DEBUG: Allocation: 0x00620000 - 0x00630000, size: 0x10000, protection: 0x40.
2019-12-03 05:59:14,492 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,492 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,492 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959690e+00.
2019-12-03 05:59:14,492 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00620000, size: 0x10000.
2019-12-03 05:59:14,507 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00620000) returned 0x00000000.
2019-12-03 05:59:14,507 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:14,507 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00620000) -> AllocationBase 0x00620000 RegionSize 0x65536.
2019-12-03 05:59:14,507 [root] DEBUG: AddTrackedRegion: New region at 0x00620000 size 0x10000 added to tracked regions.
2019-12-03 05:59:14,507 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00620000, TrackedRegion->RegionSize: 0x10000, thread 1672
2019-12-03 05:59:14,507 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd4, Size=0x2, Address=0x00620000 and Type=0x1.
2019-12-03 05:59:14,507 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1672 type 1 at address 0x00620000, size 2 with Callback 0x74eb7510.
2019-12-03 05:59:14,507 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00620000
2019-12-03 05:59:14,507 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd4, Size=0x4, Address=0x0062003C and Type=0x1.
2019-12-03 05:59:14,507 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1672 type 1 at address 0x0062003C, size 4 with Callback 0x74eb71a0.
2019-12-03 05:59:14,507 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0062003C
2019-12-03 05:59:14,507 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00620000 (size 0x10000).
2019-12-03 05:59:14,507 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 05:59:14,507 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A05F (thread 1672)
2019-12-03 05:59:14,507 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00620000.
2019-12-03 05:59:14,507 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00620000 and Type=0x0.
2019-12-03 05:59:14,507 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x620000: 0x95.
2019-12-03 05:59:14,507 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:14,507 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A06E (thread 1672)
2019-12-03 05:59:14,507 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0062003C.
2019-12-03 05:59:14,523 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x182e17db (at 0x0062003C).
2019-12-03 05:59:14,523 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00620000 already exists for thread 1672 (process 864), skipping.
2019-12-03 05:59:14,523 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00620000.
2019-12-03 05:59:14,523 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 1672)
2019-12-03 05:59:14,523 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00620000.
2019-12-03 05:59:14,523 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00620000 already exists for thread 1672 (process 864), skipping.
2019-12-03 05:59:14,523 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x620000: 0xe8.
2019-12-03 05:59:14,523 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:14,523 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 1672)
2019-12-03 05:59:14,523 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0062003C.
2019-12-03 05:59:14,523 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x0062003C).
2019-12-03 05:59:14,523 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00620000 already exists for thread 1672 (process 864), skipping.
2019-12-03 05:59:14,523 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00620000.
2019-12-03 05:59:14,523 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00620000 (thread 1672)
2019-12-03 05:59:14,523 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00620000 (allocation base 0x00620000).
2019-12-03 05:59:14,523 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00620000, size 0x10000).
2019-12-03 05:59:14,523 [root] DEBUG: DumpPEsInRange: Scanning range 0x620000 - 0x630000.
2019-12-03 05:59:14,523 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x62053f
2019-12-03 05:59:14,523 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-12-03 05:59:14,523 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0062053F.
2019-12-03 05:59:14,523 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\864_107720636414591532122019
2019-12-03 05:59:14,523 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xf000.
2019-12-03 05:59:14,523 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x62073f-0x630000.
2019-12-03 05:59:14,539 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-12-03 05:59:14,539 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x620000 - 0x630000.
2019-12-03 05:59:14,539 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00620000.
2019-12-03 05:59:14,539 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0062003C.
2019-12-03 05:59:14,539 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00620000.
2019-12-03 05:59:14,539 [root] DEBUG: set_caller_info: Adding region at 0x00620000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:59:14,539 [root] DEBUG: set_caller_info: Caller at 0x00620115 in tracked regions.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959690e+00.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00620000.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959690e+00.
2019-12-03 05:59:14,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00620000.
2019-12-03 05:59:14,539 [root] DEBUG: ProtectionHandler: Adding region at 0x01DA1000 to tracked regions.
2019-12-03 05:59:14,539 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01DA1000) returned 0x00000000.
2019-12-03 05:59:14,539 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:14,539 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01DA1000) -> AllocationBase 0x01DA0000 RegionSize 0x53248.
2019-12-03 05:59:14,539 [root] DEBUG: AddTrackedRegion: EntryPoint 0xc983, Entropy 5.502549e+00
2019-12-03 05:59:14,539 [root] DEBUG: AddTrackedRegion: New region at 0x01DA0000 size 0xd000 added to tracked regions.
2019-12-03 05:59:14,539 [root] DEBUG: ProtectionHandler: Address: 0x01DA1000 (alloc base 0x01DA0000), NumberOfBytesToProtect: 0xca00, NewAccessProtection: 0x20
2019-12-03 05:59:14,539 [root] DEBUG: ProtectionHandler: Increased region size at 0x01DA1000 to 0xda00.
2019-12-03 05:59:14,539 [root] DEBUG: ProtectionHandler: New code detected at (0x01DA0000), scanning for PE images.
2019-12-03 05:59:14,539 [root] DEBUG: DumpPEsInRange: Scanning range 0x1da0000 - 0x1dada00.
2019-12-03 05:59:14,539 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1da0000
2019-12-03 05:59:14,539 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x01DA0000
2019-12-03 05:59:14,539 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:59:14,539 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01DA0000.
2019-12-03 05:59:14,539 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:59:14,555 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\864_10140541161459532122019
2019-12-03 05:59:14,555 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xec00.
2019-12-03 05:59:14,555 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1da0200-0x1dada00.
2019-12-03 05:59:14,555 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01DA0000.
2019-12-03 05:59:14,555 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1da0000 - 0x1dada00.
2019-12-03 05:59:14,555 [root] DEBUG: set_caller_info: Adding region at 0x01DA0000 to caller regions list (ntdll::memcpy).
2019-12-03 05:59:14,555 [root] DEBUG: set_caller_info: Caller at 0x01DAC9AE in tracked regions.
2019-12-03 05:59:14,555 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,555 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,555 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959690e+00.
2019-12-03 05:59:14,555 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00620000.
2019-12-03 05:59:14,555 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DA0000.
2019-12-03 05:59:14,569 [root] INFO: Announced 32-bit process name: nonmanual.exe pid: 1912
2019-12-03 05:59:14,569 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:14,569 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:14,569 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:14,569 [root] DEBUG: Loader: Injecting process 1912 (thread 1764) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:14,569 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:14,585 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:14,585 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77A00000
2019-12-03 05:59:14,585 [root] DEBUG: InjectDllViaIAT: Allocated 0xf5c bytes for new import table at 0x00460000.
2019-12-03 05:59:14,585 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:59:14,585 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:14,585 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1912
2019-12-03 05:59:14,585 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-12-03 05:59:14,585 [root] DEBUG: DLL unloaded from 0x00400000.
2019-12-03 05:59:14,585 [root] INFO: Announced 32-bit process name: nonmanual.exe pid: 1912
2019-12-03 05:59:14,585 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:14,601 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:14,601 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:14,601 [root] DEBUG: Loader: Injecting process 1912 (thread 1764) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:14,601 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:14,601 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:14,601 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 05:59:14,601 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:14,601 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1912
2019-12-03 05:59:14,601 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 864).
2019-12-03 05:59:14,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959690e+00.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00620000.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DA0000.
2019-12-03 05:59:14,601 [root] DEBUG: DLL unloaded from 0x77780000.
2019-12-03 05:59:14,601 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 864).
2019-12-03 05:59:14,601 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,601 [root] DEBUG: Process dumps disabled.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,601 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959554e+00.
2019-12-03 05:59:14,617 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:14,617 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00620000.
2019-12-03 05:59:14,617 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DA0000.
2019-12-03 05:59:14,617 [root] INFO: Notified of termination of process with pid 864.
2019-12-03 05:59:14,617 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:59:14,632 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-12-03 05:59:14,648 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2019-12-03 05:59:14,648 [root] DEBUG: Debugger initialised.
2019-12-03 05:59:14,648 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1912 at 0x74eb0000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:59:14,648 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\--f4134209.
2019-12-03 05:59:14,648 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2019-12-03 05:59:14,648 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:14,648 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2019-12-03 05:59:14,664 [root] DEBUG: AddTrackedRegion: EntryPoint 0x14e0, Entropy 5.957643e+00
2019-12-03 05:59:14,664 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2019-12-03 05:59:14,664 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 05:59:14,664 [root] INFO: Added new process to list with pid: 1912
2019-12-03 05:59:14,664 [root] INFO: Monitor successfully loaded in process with pid 1912.
2019-12-03 05:59:14,664 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2019-12-03 05:59:14,680 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:14,680 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x1a000.
2019-12-03 05:59:14,680 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x40.
2019-12-03 05:59:14,680 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958180e+00.
2019-12-03 05:59:14,694 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:14,710 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:14,710 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958193e+00.
2019-12-03 05:59:14,710 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:14,710 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x80
2019-12-03 05:59:14,710 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x80.
2019-12-03 05:59:14,710 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958186e+00.
2019-12-03 05:59:14,742 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:14,757 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x20
2019-12-03 05:59:14,757 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2019-12-03 05:59:14,773 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958186e+00.
2019-12-03 05:59:14,851 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-12-03 05:59:14,867 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:59:14,867 [root] DEBUG: DLL loaded at 0x74E70000: C:\Windows\system32\USERENV (0x17000 bytes).
2019-12-03 05:59:14,881 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\system32\profapi (0xb000 bytes).
2019-12-03 05:59:14,881 [root] DEBUG: Allocation: 0x004E0000 - 0x004F0000, size: 0x10000, protection: 0x40.
2019-12-03 05:59:14,898 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:14,898 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:14,898 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959859e+00.
2019-12-03 05:59:14,898 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x004E0000, size: 0x10000.
2019-12-03 05:59:14,898 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x004E0000) returned 0x00000000.
2019-12-03 05:59:14,898 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:14,898 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x004E0000) -> AllocationBase 0x004E0000 RegionSize 0x65536.
2019-12-03 05:59:14,914 [root] DEBUG: AddTrackedRegion: New region at 0x004E0000 size 0x10000 added to tracked regions.
2019-12-03 05:59:14,928 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x004E0000, TrackedRegion->RegionSize: 0x10000, thread 1764
2019-12-03 05:59:14,928 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x004E0000 and Type=0x1.
2019-12-03 05:59:14,928 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1764 type 1 at address 0x004E0000, size 2 with Callback 0x74eb7510.
2019-12-03 05:59:14,928 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x004E0000
2019-12-03 05:59:14,928 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x004E003C and Type=0x1.
2019-12-03 05:59:14,928 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1764 type 1 at address 0x004E003C, size 4 with Callback 0x74eb71a0.
2019-12-03 05:59:14,928 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x004E003C
2019-12-03 05:59:14,928 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x004E0000 (size 0x10000).
2019-12-03 05:59:14,944 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 05:59:14,944 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A05F (thread 1764)
2019-12-03 05:59:14,944 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004E0000.
2019-12-03 05:59:14,944 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x004E0000 and Type=0x0.
2019-12-03 05:59:14,944 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4e0000: 0x95.
2019-12-03 05:59:14,944 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:14,944 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A06E (thread 1764)
2019-12-03 05:59:14,944 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x004E003C.
2019-12-03 05:59:14,960 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x182e17db (at 0x004E003C).
2019-12-03 05:59:14,960 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x004E0000 already exists for thread 1764 (process 1912), skipping.
2019-12-03 05:59:14,960 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x004E0000.
2019-12-03 05:59:14,976 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 1764)
2019-12-03 05:59:14,976 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x004E0000.
2019-12-03 05:59:14,976 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x004E0000 already exists for thread 1764 (process 1912), skipping.
2019-12-03 05:59:14,992 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x4e0000: 0xe8.
2019-12-03 05:59:15,006 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:15,023 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 1764)
2019-12-03 05:59:15,023 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x004E003C.
2019-12-03 05:59:15,023 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x004E003C).
2019-12-03 05:59:15,023 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x004E0000 already exists for thread 1764 (process 1912), skipping.
2019-12-03 05:59:15,038 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x004E0000.
2019-12-03 05:59:15,038 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004E0000 (thread 1764)
2019-12-03 05:59:15,038 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x004E0000 (allocation base 0x004E0000).
2019-12-03 05:59:15,053 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x004E0000, size 0x10000).
2019-12-03 05:59:15,053 [root] DEBUG: DumpPEsInRange: Scanning range 0x4e0000 - 0x4f0000.
2019-12-03 05:59:15,053 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4e053f
2019-12-03 05:59:15,053 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-12-03 05:59:15,069 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x004E053F.
2019-12-03 05:59:15,069 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1912_3002521815591532122019
2019-12-03 05:59:15,069 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xf000.
2019-12-03 05:59:15,069 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4e073f-0x4f0000.
2019-12-03 05:59:15,069 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-12-03 05:59:15,069 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4e0000 - 0x4f0000.
2019-12-03 05:59:15,069 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x004E0000.
2019-12-03 05:59:15,069 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x004E003C.
2019-12-03 05:59:15,069 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x004E0000.
2019-12-03 05:59:15,101 [root] DEBUG: set_caller_info: Adding region at 0x004E0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:59:15,101 [root] DEBUG: set_caller_info: Caller at 0x004E0115 in tracked regions.
2019-12-03 05:59:15,115 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:15,131 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:15,148 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959859e+00.
2019-12-03 05:59:15,148 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004E0000.
2019-12-03 05:59:15,148 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:15,148 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:15,163 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959859e+00.
2019-12-03 05:59:15,163 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004E0000.
2019-12-03 05:59:15,163 [root] DEBUG: ProtectionHandler: Adding region at 0x004F1000 to tracked regions.
2019-12-03 05:59:15,163 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x004F1000) returned 0x00000000.
2019-12-03 05:59:15,178 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:15,178 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x004F1000) -> AllocationBase 0x004F0000 RegionSize 0x53248.
2019-12-03 05:59:15,178 [root] DEBUG: AddTrackedRegion: EntryPoint 0xc983, Entropy 5.472111e+00
2019-12-03 05:59:15,194 [root] DEBUG: AddTrackedRegion: New region at 0x004F0000 size 0xd000 added to tracked regions.
2019-12-03 05:59:15,194 [root] DEBUG: ProtectionHandler: Address: 0x004F1000 (alloc base 0x004F0000), NumberOfBytesToProtect: 0xca00, NewAccessProtection: 0x20
2019-12-03 05:59:15,194 [root] DEBUG: ProtectionHandler: Increased region size at 0x004F1000 to 0xda00.
2019-12-03 05:59:15,194 [root] DEBUG: ProtectionHandler: New code detected at (0x004F0000), scanning for PE images.
2019-12-03 05:59:15,210 [root] DEBUG: DumpPEsInRange: Scanning range 0x4f0000 - 0x4fda00.
2019-12-03 05:59:15,226 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4f0000
2019-12-03 05:59:15,226 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x004F0000
2019-12-03 05:59:15,240 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:59:15,240 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x004F0000.
2019-12-03 05:59:15,240 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:59:15,240 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1912_20148504281559532122019
2019-12-03 05:59:15,240 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xec00.
2019-12-03 05:59:15,256 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4f0200-0x4fda00.
2019-12-03 05:59:15,256 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x004F0000.
2019-12-03 05:59:15,256 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4f0000 - 0x4fda00.
2019-12-03 05:59:15,256 [root] DEBUG: set_caller_info: Adding region at 0x004F0000 to caller regions list (ntdll::memcpy).
2019-12-03 05:59:15,256 [root] DEBUG: set_caller_info: Caller at 0x004FC9AE in tracked regions.
2019-12-03 05:59:15,256 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:15,256 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:15,256 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959859e+00.
2019-12-03 05:59:15,256 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004E0000.
2019-12-03 05:59:15,256 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2019-12-03 05:59:19,967 [root] DEBUG: DLL loaded at 0x76BF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-12-03 05:59:19,999 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-12-03 05:59:19,999 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:59:20,015 [root] DEBUG: DLL loaded at 0x768D0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-12-03 05:59:20,015 [root] DEBUG: DLL loaded at 0x75940000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-12-03 05:59:20,029 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-12-03 05:59:20,029 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-12-03 05:59:20,029 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-12-03 05:59:20,108 [root] DEBUG: DLL loaded at 0x74F90000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-12-03 05:59:20,108 [root] DEBUG: DLL loaded at 0x75970000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-12-03 05:59:20,217 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1728
2019-12-03 05:59:20,217 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:20,217 [lib.api.process] INFO: 64-bit DLL to inject is C:\hxonwzw\dll\oSYRvY.dll, loader C:\hxonwzw\bin\VGkDJOSD.exe
2019-12-03 05:59:20,233 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:20,233 [root] DEBUG: Loader: Injecting process 1728 (thread 0) with C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 05:59:20,233 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed.
2019-12-03 05:59:20,233 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:59:20,233 [root] DEBUG: Process dumps disabled.
2019-12-03 05:59:20,233 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:20,374 [root] WARNING: Unable to place hook on LockResource
2019-12-03 05:59:20,388 [root] WARNING: Unable to hook LockResource
2019-12-03 05:59:20,608 [root] DEBUG: Debugger initialised.
2019-12-03 05:59:20,608 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1728 at 0x0000000074AE0000, image base 0x00000000FF750000, stack from 0x00000000067D2000-0x00000000067E0000
2019-12-03 05:59:20,608 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2019-12-03 05:59:20,608 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF750000) returned 0x0000000000000000.
2019-12-03 05:59:20,622 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2019-12-03 05:59:20,622 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF750000) -> AllocationBase 0x00000000FF750000 RegionSize 0x4096.
2019-12-03 05:59:20,732 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2b790, Entropy 5.860769e+00
2019-12-03 05:59:20,732 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF750000 size 0x1000 added to tracked regions.
2019-12-03 05:59:20,732 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 05:59:20,732 [root] INFO: Added new process to list with pid: 1728
2019-12-03 05:59:20,732 [root] INFO: Monitor successfully loaded in process with pid 1728.
2019-12-03 05:59:20,732 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-12-03 05:59:20,732 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-12-03 05:59:20,732 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 05:59:20,950 [root] DEBUG: DLL unloaded from 0x74BD0000.
2019-12-03 05:59:20,950 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-12-03 05:59:21,043 [root] DEBUG: DLL loaded at 0x74AD0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2019-12-03 05:59:21,107 [root] DEBUG: DLL unloaded from 0x766D0000.
2019-12-03 05:59:21,138 [root] DEBUG: DLL unloaded from 0x74AD0000.
2019-12-03 05:59:21,138 [root] DEBUG: DLL unloaded from 0x759C0000.
2019-12-03 05:59:21,388 [root] INFO: Announced starting service "compontitle"
2019-12-03 05:59:21,388 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2019-12-03 05:59:21,388 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:21,388 [lib.api.process] INFO: 64-bit DLL to inject is C:\hxonwzw\dll\oSYRvY.dll, loader C:\hxonwzw\bin\VGkDJOSD.exe
2019-12-03 05:59:21,388 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:21,403 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 05:59:21,403 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 684, handle 0x84
2019-12-03 05:59:21,403 [root] DEBUG: Process image base: 0x00000000FF330000
2019-12-03 05:59:21,403 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2019-12-03 05:59:21,403 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2019-12-03 05:59:21,418 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:59:21,418 [root] DEBUG: Process dumps disabled.
2019-12-03 05:59:21,434 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:21,450 [root] WARNING: Unable to place hook on LockResource
2019-12-03 05:59:21,466 [root] WARNING: Unable to hook LockResource
2019-12-03 05:59:21,466 [root] DEBUG: Debugger initialised.
2019-12-03 05:59:21,480 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 464 at 0x0000000074AE0000, image base 0x00000000FF330000, stack from 0x0000000002CF6000-0x0000000002D00000
2019-12-03 05:59:21,496 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2019-12-03 05:59:21,512 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF330000) returned 0x0000000000000000.
2019-12-03 05:59:21,512 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2019-12-03 05:59:21,512 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF330000) -> AllocationBase 0x00000000FF330000 RegionSize 0x4096.
2019-12-03 05:59:21,543 [root] DEBUG: AddTrackedRegion: EntryPoint 0x13310, Entropy 6.074146e+00
2019-12-03 05:59:21,543 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF330000 size 0x1000 added to tracked regions.
2019-12-03 05:59:21,559 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 05:59:21,575 [root] INFO: Added new process to list with pid: 464
2019-12-03 05:59:21,575 [root] INFO: Monitor successfully loaded in process with pid 464.
2019-12-03 05:59:21,589 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2019-12-03 05:59:21,605 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2019-12-03 05:59:21,605 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 05:59:22,651 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 832
2019-12-03 05:59:22,651 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:22,651 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:22,667 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:22,667 [root] DEBUG: Loader: Injecting process 832 (thread 1836) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:22,667 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:22,667 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:22,667 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77A00000
2019-12-03 05:59:22,667 [root] DEBUG: InjectDllViaIAT: Allocated 0xf5c bytes for new import table at 0x00460000.
2019-12-03 05:59:22,667 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:59:22,681 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:22,681 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 832
2019-12-03 05:59:22,759 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 832
2019-12-03 05:59:22,759 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:22,759 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:22,759 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:22,759 [root] DEBUG: Loader: Injecting process 832 (thread 1836) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:22,759 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:22,792 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:22,792 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 05:59:22,792 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:22,792 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 832
2019-12-03 05:59:22,822 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:59:22,822 [root] DEBUG: Process dumps disabled.
2019-12-03 05:59:22,854 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:22,869 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:59:22,869 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-12-03 05:59:22,869 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2019-12-03 05:59:22,869 [root] DEBUG: Debugger initialised.
2019-12-03 05:59:22,884 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 832 at 0x74eb0000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:59:22,884 [root] DEBUG: Commandline: C:\Windows\System32\"C:\Windows\SysWOW64\compontitle.exe".
2019-12-03 05:59:22,884 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2019-12-03 05:59:22,901 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:22,901 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2019-12-03 05:59:22,915 [root] DEBUG: AddTrackedRegion: EntryPoint 0x14e0, Entropy 5.957643e+00
2019-12-03 05:59:22,915 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2019-12-03 05:59:22,931 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 05:59:22,947 [root] INFO: Added new process to list with pid: 832
2019-12-03 05:59:22,947 [root] INFO: Monitor successfully loaded in process with pid 832.
2019-12-03 05:59:22,947 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2019-12-03 05:59:22,979 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:22,979 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x1a000.
2019-12-03 05:59:22,979 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x40.
2019-12-03 05:59:22,979 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958176e+00.
2019-12-03 05:59:22,979 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:22,979 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:22,993 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958188e+00.
2019-12-03 05:59:22,993 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:22,993 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x80
2019-12-03 05:59:23,009 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x80.
2019-12-03 05:59:23,026 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958182e+00.
2019-12-03 05:59:23,026 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:23,026 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x20
2019-12-03 05:59:23,040 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2019-12-03 05:59:23,056 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958182e+00.
2019-12-03 05:59:23,118 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:59:23,118 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:59:23,134 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-12-03 05:59:23,134 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:59:23,134 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:59:23,305 [root] DEBUG: Allocation: 0x00A20000 - 0x00A30000, size: 0x10000, protection: 0x40.
2019-12-03 05:59:23,322 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:23,322 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:23,322 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959729e+00.
2019-12-03 05:59:23,322 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00A20000, size: 0x10000.
2019-12-03 05:59:23,352 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00A20000) returned 0x00000000.
2019-12-03 05:59:23,368 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:23,368 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00A20000) -> AllocationBase 0x00A20000 RegionSize 0x65536.
2019-12-03 05:59:23,384 [root] DEBUG: AddTrackedRegion: New region at 0x00A20000 size 0x10000 added to tracked regions.
2019-12-03 05:59:23,400 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00A20000, TrackedRegion->RegionSize: 0x10000, thread 1836
2019-12-03 05:59:23,400 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x00A20000 and Type=0x1.
2019-12-03 05:59:23,400 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1836 type 1 at address 0x00A20000, size 2 with Callback 0x74eb7510.
2019-12-03 05:59:23,400 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00A20000
2019-12-03 05:59:23,415 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x00A2003C and Type=0x1.
2019-12-03 05:59:23,415 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1836 type 1 at address 0x00A2003C, size 4 with Callback 0x74eb71a0.
2019-12-03 05:59:23,415 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00A2003C
2019-12-03 05:59:23,415 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00A20000 (size 0x10000).
2019-12-03 05:59:23,430 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 05:59:23,430 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A05F (thread 1836)
2019-12-03 05:59:23,430 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00A20000.
2019-12-03 05:59:23,447 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00A20000 and Type=0x0.
2019-12-03 05:59:23,477 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xa20000: 0x95.
2019-12-03 05:59:23,493 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:23,493 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A06E (thread 1836)
2019-12-03 05:59:23,493 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00A2003C.
2019-12-03 05:59:23,493 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x182e17db (at 0x00A2003C).
2019-12-03 05:59:23,493 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00A20000 already exists for thread 1836 (process 832), skipping.
2019-12-03 05:59:23,493 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00A20000.
2019-12-03 05:59:23,493 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 1836)
2019-12-03 05:59:23,493 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00A20000.
2019-12-03 05:59:23,509 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00A20000 already exists for thread 1836 (process 832), skipping.
2019-12-03 05:59:23,509 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xa20000: 0xe8.
2019-12-03 05:59:23,539 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:23,539 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 1836)
2019-12-03 05:59:23,539 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00A2003C.
2019-12-03 05:59:23,555 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x00A2003C).
2019-12-03 05:59:23,555 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00A20000 already exists for thread 1836 (process 832), skipping.
2019-12-03 05:59:23,555 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00A20000.
2019-12-03 05:59:23,572 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00A20000 (thread 1836)
2019-12-03 05:59:23,572 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00A20000 (allocation base 0x00A20000).
2019-12-03 05:59:23,572 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00A20000, size 0x10000).
2019-12-03 05:59:23,586 [root] DEBUG: DumpPEsInRange: Scanning range 0xa20000 - 0xa30000.
2019-12-03 05:59:23,586 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xa2053f
2019-12-03 05:59:23,586 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-12-03 05:59:23,586 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00A2053F.
2019-12-03 05:59:23,618 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\832_182001372123591532122019
2019-12-03 05:59:23,634 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xf000.
2019-12-03 05:59:23,650 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xa2073f-0xa30000.
2019-12-03 05:59:23,650 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-12-03 05:59:23,650 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xa20000 - 0xa30000.
2019-12-03 05:59:23,664 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00A20000.
2019-12-03 05:59:23,664 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x00A2003C.
2019-12-03 05:59:23,664 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00A20000.
2019-12-03 05:59:23,664 [root] DEBUG: set_caller_info: Adding region at 0x00A20000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:59:23,680 [root] DEBUG: set_caller_info: Caller at 0x00A20115 in tracked regions.
2019-12-03 05:59:23,680 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:23,680 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:23,696 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959729e+00.
2019-12-03 05:59:23,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A20000.
2019-12-03 05:59:23,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:23,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:23,743 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959729e+00.
2019-12-03 05:59:23,759 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A20000.
2019-12-03 05:59:23,773 [root] DEBUG: ProtectionHandler: Adding region at 0x02681000 to tracked regions.
2019-12-03 05:59:23,773 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x02681000) returned 0x00000000.
2019-12-03 05:59:23,789 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:23,805 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x02681000) -> AllocationBase 0x02680000 RegionSize 0x53248.
2019-12-03 05:59:23,805 [root] DEBUG: AddTrackedRegion: EntryPoint 0xc983, Entropy 5.505955e+00
2019-12-03 05:59:23,821 [root] DEBUG: AddTrackedRegion: New region at 0x02680000 size 0xd000 added to tracked regions.
2019-12-03 05:59:23,851 [root] DEBUG: ProtectionHandler: Address: 0x02681000 (alloc base 0x02680000), NumberOfBytesToProtect: 0xca00, NewAccessProtection: 0x20
2019-12-03 05:59:23,868 [root] DEBUG: ProtectionHandler: Increased region size at 0x02681000 to 0xda00.
2019-12-03 05:59:23,868 [root] DEBUG: ProtectionHandler: New code detected at (0x02680000), scanning for PE images.
2019-12-03 05:59:23,868 [root] DEBUG: DumpPEsInRange: Scanning range 0x2680000 - 0x268da00.
2019-12-03 05:59:23,868 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2680000
2019-12-03 05:59:23,884 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x02680000
2019-12-03 05:59:23,884 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:59:23,884 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x02680000.
2019-12-03 05:59:23,898 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:59:23,914 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\832_14949242982359532122019
2019-12-03 05:59:23,914 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xec00.
2019-12-03 05:59:23,930 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2680200-0x268da00.
2019-12-03 05:59:23,946 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x02680000.
2019-12-03 05:59:23,946 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2680000 - 0x268da00.
2019-12-03 05:59:23,946 [root] DEBUG: set_caller_info: Adding region at 0x02680000 to caller regions list (ntdll::memcpy).
2019-12-03 05:59:23,946 [root] DEBUG: set_caller_info: Caller at 0x0268C9AE in tracked regions.
2019-12-03 05:59:23,961 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:23,961 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:23,961 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959729e+00.
2019-12-03 05:59:23,976 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A20000.
2019-12-03 05:59:23,993 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02680000.
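The two extraction cycles above (process 1912 at 0x004E0000/0x004F0000, then process 832 at 0x00A20000/0x02680000) record CAPE's extraction logic end to end: a write breakpoint on the base of a fresh executable allocation, a second one on e_lfanew at base+0x3C, rejection of e_lfanew values that cannot point inside the region ("candidate pointer to PE header too big"), an exec breakpoint that triggers the scan, and two kinds of result: a raw PE found part-way into the region (at +0x53f) and a "disguised" image whose MZ/PE signatures have been damaged (entry point 0xc983). The following is an added example, not CAPE's own code, that reproduces the scanning step in Python over two constructed buffers shaped like those regions; the sanity thresholds (e_lfanew at most 0x400, at most 96 sections) and the sample headers are assumptions chosen for illustration.

```python
"""Scan a memory region for PE images, including 'disguised' ones whose MZ and
PE signatures have been wiped, following the sequence the CAPE log records
(write breakpoint on the allocation base, write breakpoint on e_lfanew at
+0x3C, rejection of out-of-range e_lfanew values, then a header scan).
Added example; not CAPE's code. Thresholds and sample regions are assumptions."""
import struct

MACHINES = {0x014C, 0x8664}             # IMAGE_FILE_MACHINE_I386 / AMD64
OPT_SIZES = {0x10B: 0xE0, 0x20B: 0xF0}  # PE32 / PE32+ optional header sizes
MAX_E_LFANEW = 0x400                    # assumption: NT headers sit near the image start
MAX_SECTIONS = 96                       # loader limit on NumberOfSections
SECTION_HDR = 40                        # sizeof(IMAGE_SECTION_HEADER)


def _parse_nt_headers(buf, nt):
    """Return (sections, optional_header_size, entry_point) when the
    IMAGE_NT_HEADERS at offset `nt` is structurally plausible, else None.
    The 'PE\\0\\0' signature is deliberately not required."""
    if nt + 24 + 0xE0 > len(buf):
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    if machine not in MACHINES or not 1 <= nsect <= MAX_SECTIONS:
        return None
    magic, = struct.unpack_from("<H", buf, nt + 24)
    if OPT_SIZES.get(magic) != opt_size:
        return None
    if nt + 24 + opt_size + nsect * SECTION_HDR > len(buf):
        return None
    entry, = struct.unpack_from("<I", buf, nt + 24 + 16)   # AddressOfEntryPoint
    return nsect, opt_size, entry


def scan_for_pe(buf):
    """Walk `buf` and return one dict per PE image found. 'disguised' is True
    when the MZ or PE signature is missing but the headers are otherwise sane,
    which is what the log reports as a 'Disguised PE image'."""
    hits, off = [], 0
    while off + 0x40 <= len(buf):
        e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)
        # the log's 'candidate pointer to PE header too big' rejection
        if 0x40 <= e_lfanew <= MAX_E_LFANEW:
            nt = off + e_lfanew
            parsed = _parse_nt_headers(buf, nt)
            if parsed:
                nsect, opt_size, entry = parsed
                disguised = buf[off:off + 2] != b"MZ" or buf[nt:nt + 4] != b"PE\0\0"
                hits.append({"offset": off, "e_lfanew": e_lfanew,
                             "entry_point": entry, "disguised": disguised})
                off = nt + 24 + opt_size + nsect * SECTION_HDR   # skip past the headers
                continue
        off += 1
    return hits


def build_pe_header(entry_point, e_lfanew=0x80, nsections=1, wipe_signatures=False):
    """Constructed headers of a minimal PE32 image: DOS header, NT headers and
    `nsections` empty section headers. Not a real binary."""
    hdr = bytearray(e_lfanew)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x014C, nsections, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    hdr += opt + bytes(nsections * SECTION_HDR)
    if wipe_signatures:
        hdr[0:2] = b"\0\0"
        hdr[e_lfanew:e_lfanew + 4] = b"\0\0\0\0"
    return bytes(hdr)


def build_sample_regions():
    """Two constructed regions shaped like the ones in the log: a 0x10000-byte
    allocation holding a raw PE at +0x53f plus an 'MZ' decoy whose e_lfanew is
    the too-big value 0xf6335756, and a 0xda00-byte region whose PE at +0 has
    wiped signatures and entry point 0xc983."""
    raw = bytearray(0x10000)                       # fresh allocations are zero-filled
    raw[0x53F:0x53F + 0x1A0] = build_pe_header(0x1000)
    raw[0x2000:0x2002] = b"MZ"
    struct.pack_into("<I", raw, 0x203C, 0xF6335756)
    disguised = bytearray(0xDA00)
    disguised[0:0x1A0] = build_pe_header(0xC983, wipe_signatures=True)
    return bytes(raw), bytes(disguised)


if __name__ == "__main__":
    for name, region in zip(("raw", "disguised"), build_sample_regions()):
        for hit in scan_for_pe(region):
            print(f"{name}: PE at +{hit['offset']:#x}, e_lfanew {hit['e_lfanew']:#x}, "
                  f"EP {hit['entry_point']:#x}, disguised={hit['disguised']}")
```

The scanner accepts a header whose MZ and PE signatures are gone as long as Machine, NumberOfSections, SizeOfOptionalHeader and the optional-header magic agree with each other, which is why wiping the signatures (a common trick for hiding an unpacked payload from naive "MZ" sweeps) still yields a dump, exactly as the log shows for the region at 0x004F0000 / 0x02680000. The decoy with e_lfanew 0xf6335756 is rejected before any header parsing, and skipping past the parsed headers keeps the same image from being reported a second time from inside its own section table.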
2019-12-03 05:59:23,993 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 1892
2019-12-03 05:59:23,993 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:23,993 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:23,993 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:23,993 [root] DEBUG: Loader: Injecting process 1892 (thread 568) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:24,007 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:24,023 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:24,023 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00451000 - 0x77A00000
2019-12-03 05:59:24,023 [root] DEBUG: InjectDllViaIAT: Allocated 0xf5c bytes for new import table at 0x00460000.
2019-12-03 05:59:24,039 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:59:24,039 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:24,039 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1892
2019-12-03 05:59:24,039 [root] DEBUG: DLL unloaded from 0x00400000.
2019-12-03 05:59:24,039 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-12-03 05:59:24,039 [root] INFO: Announced 32-bit process name: compontitle.exe pid: 1892
2019-12-03 05:59:24,039 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 05:59:24,039 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 05:59:24,055 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 05:59:24,055 [root] DEBUG: Loader: Injecting process 1892 (thread 568) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:24,055 [root] DEBUG: Process image base: 0x00400000
2019-12-03 05:59:24,071 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:24,071 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 05:59:24,071 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 05:59:24,071 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1892
2019-12-03 05:59:24,071 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 832).
2019-12-03 05:59:24,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,071 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:59:24,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,071 [root] DEBUG: Process dumps disabled.
2019-12-03 05:59:24,071 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959729e+00.
2019-12-03 05:59:24,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A20000.
2019-12-03 05:59:24,071 [root] INFO: Disabling sleep skipping.
2019-12-03 05:59:24,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02680000.
2019-12-03 05:59:24,085 [root] DEBUG: DLL unloaded from 0x77780000.
2019-12-03 05:59:24,085 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:59:24,085 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 832).
2019-12-03 05:59:24,085 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-12-03 05:59:24,085 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,085 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2c0000
2019-12-03 05:59:24,085 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,085 [root] DEBUG: Debugger initialised.
2019-12-03 05:59:24,085 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959600e+00.
2019-12-03 05:59:24,085 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1892 at 0x74eb0000, image base 0x400000, stack from 0x286000-0x290000
2019-12-03 05:59:24,085 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00A20000.
2019-12-03 05:59:24,085 [root] DEBUG: Commandline: C:\Windows\System32\--ce2bae20.
2019-12-03 05:59:24,085 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02680000.
2019-12-03 05:59:24,085 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2019-12-03 05:59:24,085 [root] INFO: Notified of termination of process with pid 832.
2019-12-03 05:59:24,085 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:24,085 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 464).
2019-12-03 05:59:24,085 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2019-12-03 05:59:24,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2019-12-03 05:59:24,101 [root] DEBUG: AddTrackedRegion: EntryPoint 0x14e0, Entropy 5.957643e+00
2019-12-03 05:59:24,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF330000.
2019-12-03 05:59:24,101 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2019-12-03 05:59:24,101 [root] DEBUG: ProcessImageBase: EP 0x0000000000013310 image base 0x00000000FF330000 size 0x0 entropy 6.074391e+00.
2019-12-03 05:59:24,101 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 05:59:24,101 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1496.
2019-12-03 05:59:24,101 [root] INFO: Added new process to list with pid: 1892
2019-12-03 05:59:24,101 [root] INFO: Monitor successfully loaded in process with pid 1892.
2019-12-03 05:59:24,101 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1912).
2019-12-03 05:59:24,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,101 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2019-12-03 05:59:24,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,101 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:24,101 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x1a000.
2019-12-03 05:59:24,101 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959859e+00.
2019-12-03 05:59:24,118 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x40.
2019-12-03 05:59:24,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004E0000.
2019-12-03 05:59:24,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2019-12-03 05:59:24,118 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958128e+00.
2019-12-03 05:59:24,118 [root] DEBUG: DLL unloaded from 0x74BD0000.
2019-12-03 05:59:24,118 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:24,118 [root] DEBUG: DLL unloaded from 0x77780000.
2019-12-03 05:59:24,118 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x40
2019-12-03 05:59:24,118 [root] DEBUG: DLL unloaded from 0x74F90000.
2019-12-03 05:59:24,118 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958141e+00.
2019-12-03 05:59:24,118 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1912).
2019-12-03 05:59:24,118 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:24,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,118 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x19000, NewAccessProtection: 0x80
2019-12-03 05:59:24,132 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,132 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x80.
2019-12-03 05:59:24,132 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959733e+00.
2019-12-03 05:59:24,132 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958134e+00.
2019-12-03 05:59:24,132 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004E0000.
2019-12-03 05:59:24,132 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1a000
2019-12-03 05:59:24,132 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004F0000.
2019-12-03 05:59:24,132 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x20
2019-12-03 05:59:24,132 [root] INFO: Notified of termination of process with pid 1912.
2019-12-03 05:59:24,132 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2019-12-03 05:59:24,132 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.958134e+00.
2019-12-03 05:59:24,196 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:59:24,196 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:59:24,210 [root] DEBUG: DLL loaded at 0x74E90000: C:\Windows\SysWOW64\profapi (0xb000 bytes).
2019-12-03 05:59:24,210 [root] DEBUG: Allocation: 0x00460000 - 0x00470000, size: 0x10000, protection: 0x40.
2019-12-03 05:59:24,210 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,210 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,210 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 05:59:24,210 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00460000, size: 0x10000.
2019-12-03 05:59:24,226 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00460000) returned 0x00000000.
2019-12-03 05:59:24,226 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:24,226 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00460000) -> AllocationBase 0x00460000 RegionSize 0x65536.
2019-12-03 05:59:24,226 [root] DEBUG: AddTrackedRegion: New region at 0x00460000 size 0x10000 added to tracked regions.
2019-12-03 05:59:24,226 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00460000, TrackedRegion->RegionSize: 0x10000, thread 568
2019-12-03 05:59:24,226 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x00460000 and Type=0x1.
2019-12-03 05:59:24,226 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 568 type 1 at address 0x00460000, size 2 with Callback 0x74eb7510.
2019-12-03 05:59:24,226 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00460000
2019-12-03 05:59:24,226 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x0046003C and Type=0x1.
2019-12-03 05:59:24,242 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 568 type 1 at address 0x0046003C, size 4 with Callback 0x74eb71a0.
2019-12-03 05:59:24,242 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0046003C
2019-12-03 05:59:24,242 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00460000 (size 0x10000).
2019-12-03 05:59:24,242 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 05:59:24,242 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A05F (thread 568)
2019-12-03 05:59:24,242 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00460000.
2019-12-03 05:59:24,242 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00460000 and Type=0x0.
2019-12-03 05:59:24,242 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x460000: 0x95.
2019-12-03 05:59:24,242 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:24,257 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x7661A06E (thread 568)
2019-12-03 05:59:24,257 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0046003C.
2019-12-03 05:59:24,257 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x182e17db (at 0x0046003C).
2019-12-03 05:59:24,257 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00460000 already exists for thread 568 (process 1892), skipping.
2019-12-03 05:59:24,257 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00460000.
2019-12-03 05:59:24,257 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 568)
2019-12-03 05:59:24,257 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00460000.
2019-12-03 05:59:24,257 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00460000 already exists for thread 568 (process 1892), skipping.
2019-12-03 05:59:24,257 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x460000: 0xe8.
2019-12-03 05:59:24,273 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 05:59:24,273 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x755CCFBC (thread 568)
2019-12-03 05:59:24,273 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0046003C.
2019-12-03 05:59:24,273 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xf6335756 (at 0x0046003C).
2019-12-03 05:59:24,273 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00460000 already exists for thread 568 (process 1892), skipping.
2019-12-03 05:59:24,273 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00460000.
2019-12-03 05:59:24,273 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00460000 (thread 568)
2019-12-03 05:59:24,273 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00460000 (allocation base 0x00460000).
2019-12-03 05:59:24,273 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00460000, size 0x10000).
2019-12-03 05:59:24,289 [root] DEBUG: DumpPEsInRange: Scanning range 0x460000 - 0x470000.
2019-12-03 05:59:24,289 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x46053f
2019-12-03 05:59:24,289 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2019-12-03 05:59:24,289 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x0046053F.
2019-12-03 05:59:24,289 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1892_114519845924591532122019
2019-12-03 05:59:24,289 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0xf000.
2019-12-03 05:59:24,305 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x46073f-0x470000.
2019-12-03 05:59:24,305 [root] DEBUG: ShellcodeExecCallback: PE image(s) detected and dumped.
2019-12-03 05:59:24,305 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x460000 - 0x470000.
2019-12-03 05:59:24,305 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00460000.
2019-12-03 05:59:24,305 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0046003C.
2019-12-03 05:59:24,305 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00460000.
2019-12-03 05:59:24,305 [root] DEBUG: set_caller_info: Adding region at 0x00460000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-12-03 05:59:24,305 [root] DEBUG: set_caller_info: Caller at 0x00460115 in tracked regions.
2019-12-03 05:59:24,305 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 05:59:24,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 05:59:24,319 [root] DEBUG: ProtectionHandler: Adding region at 0x027E1000 to tracked regions.
2019-12-03 05:59:24,319 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x027E1000) returned 0x00000000.
2019-12-03 05:59:24,335 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 05:59:24,335 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x027E1000) -> AllocationBase 0x027E0000 RegionSize 0x53248.
2019-12-03 05:59:24,335 [root] DEBUG: AddTrackedRegion: EntryPoint 0xc983, Entropy 5.505690e+00
2019-12-03 05:59:24,335 [root] DEBUG: AddTrackedRegion: New region at 0x027E0000 size 0xd000 added to tracked regions.
2019-12-03 05:59:24,335 [root] DEBUG: ProtectionHandler: Address: 0x027E1000 (alloc base 0x027E0000), NumberOfBytesToProtect: 0xca00, NewAccessProtection: 0x20
2019-12-03 05:59:24,335 [root] DEBUG: ProtectionHandler: Increased region size at 0x027E1000 to 0xda00.
2019-12-03 05:59:24,335 [root] DEBUG: ProtectionHandler: New code detected at (0x027E0000), scanning for PE images.
2019-12-03 05:59:24,335 [root] DEBUG: DumpPEsInRange: Scanning range 0x27e0000 - 0x27eda00.
2019-12-03 05:59:24,351 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x27e0000
2019-12-03 05:59:24,351 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x027E0000
2019-12-03 05:59:24,351 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:59:24,351 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x027E0000.
2019-12-03 05:59:24,351 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000C983.
2019-12-03 05:59:24,367 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1892_2768953602459532122019
2019-12-03 05:59:24,367 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xec00.
2019-12-03 05:59:24,367 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x27e0200-0x27eda00.
2019-12-03 05:59:24,367 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x027E0000.
2019-12-03 05:59:24,367 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x27e0000 - 0x27eda00.
2019-12-03 05:59:24,367 [root] DEBUG: set_caller_info: Adding region at 0x027E0000 to caller regions list (ntdll::memcpy).
2019-12-03 05:59:24,367 [root] DEBUG: set_caller_info: Caller at 0x027EC9AE in tracked regions.
2019-12-03 05:59:24,367 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 05:59:24,367 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 05:59:24,382 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 05:59:24,382 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 05:59:24,382 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x027E0000.
2019-12-03 05:59:37,891 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\crypt32 (0x11d000 bytes).
2019-12-03 05:59:37,891 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:59:38,016 [root] DEBUG: DLL loaded at 0x77610000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2019-12-03 05:59:38,500 [root] DEBUG: DLL loaded at 0x77120000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-12-03 05:59:38,687 [root] DEBUG: DLL loaded at 0x772A0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-12-03 05:59:38,719 [root] DEBUG: DLL loaded at 0x76BF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2019-12-03 05:59:38,905 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\SysWOW64\userenv (0x17000 bytes).
2019-12-03 05:59:38,905 [root] DEBUG: DLL loaded at 0x74EA0000: C:\Windows\SysWOW64\wtsapi32 (0xd000 bytes).
2019-12-03 05:59:43,430 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2019-12-03 05:59:44,053 [root] DEBUG: DLL loaded at 0x74F90000: C:\Windows\SysWOW64\ntmarta (0x21000 bytes).
2019-12-03 05:59:44,164 [root] DEBUG: DLL loaded at 0x75970000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-12-03 05:59:44,164 [root] DEBUG: DLL loaded at 0x774A0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2019-12-03 05:59:44,226 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-12-03 05:59:44,256 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\SysWOW64\dnsapi (0x44000 bytes).
2019-12-03 05:59:44,319 [root] DEBUG: DLL loaded at 0x74E70000: C:\Windows\SysWOW64\iphlpapi (0x1c000 bytes).
2019-12-03 05:59:44,335 [root] DEBUG: DLL loaded at 0x74CA0000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-12-03 05:59:44,522 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 05:59:44,538 [root] DEBUG: DLL loaded at 0x77BB0000: C:\Windows\syswow64\Normaliz (0x3000 bytes).
2019-12-03 05:59:44,710 [root] DEBUG: DLL loaded at 0x74C40000: C:\Windows\SysWOW64\RASAPI32 (0x52000 bytes).
2019-12-03 05:59:44,710 [root] DEBUG: DLL loaded at 0x74C20000: C:\Windows\SysWOW64\rasman (0x15000 bytes).
2019-12-03 05:59:44,819 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\SysWOW64\rtutils (0xd000 bytes).
2019-12-03 05:59:44,834 [root] DEBUG: DLL unloaded from 0x74C40000.
2019-12-03 05:59:44,911 [root] DEBUG: DLL unloaded from 0x74C20000.
2019-12-03 05:59:44,911 [root] DEBUG: DLL loaded at 0x74C00000: C:\Windows\SysWOW64\sensapi (0x6000 bytes).
2019-12-03 05:59:44,911 [root] DEBUG: DLL unloaded from 0x77120000.
2019-12-03 05:59:44,927 [root] DEBUG: DLL loaded at 0x75210000: C:\Windows\system32\NLAapi (0x10000 bytes).
2019-12-03 05:59:44,927 [root] DEBUG: DLL loaded at 0x75200000: C:\Windows\system32\napinsp (0x10000 bytes).
2019-12-03 05:59:44,927 [root] DEBUG: DLL loaded at 0x751E0000: C:\Windows\system32\pnrpnsp (0x12000 bytes).
2019-12-03 05:59:44,927 [root] DEBUG: DLL loaded at 0x75570000: C:\Windows\System32\mswsock (0x3c000 bytes).
2019-12-03 05:59:44,944 [root] DEBUG: DLL loaded at 0x75180000: C:\Windows\System32\winrnr (0x8000 bytes).
2019-12-03 05:59:44,959 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-12-03 05:59:44,959 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-12-03 05:59:44,959 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-12-03 05:59:45,022 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-12-03 05:59:45,365 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:59:45,552 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\System32\netprofm (0x5a000 bytes).
2019-12-03 05:59:45,926 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:59:46,315 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\SysWOW64\DHCPCSVC (0x12000 bytes).
2019-12-03 05:59:46,315 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\SysWOW64\dhcpcsvc6 (0xd000 bytes).
2019-12-03 05:59:46,315 [root] DEBUG: DLL unloaded from 0x74E70000.
2019-12-03 05:59:46,315 [root] DEBUG: DLL unloaded from 0x74A20000.
2019-12-03 05:59:48,594 [root] DEBUG: DLL unloaded from 0x77120000.
2019-12-03 05:59:54,178 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 05:59:58,717 [root] DEBUG: DLL unloaded from 0x76EC0000.
2019-12-03 05:59:58,717 [root] DEBUG: DLL unloaded from 0x74A40000.
2019-12-03 05:59:58,733 [root] DEBUG: DLL unloaded from 0x77120000.
2019-12-03 05:59:59,186 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 06:00:01,073 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1764.
2019-12-03 06:00:01,073 [root] DEBUG: DLL unloaded from 0x0000000077A00000.
2019-12-03 06:00:06,595 [root] DEBUG: DLL unloaded from 0x000007FEFE0A0000.
2019-12-03 06:00:25,315 [root] DEBUG: Allocation: 0x035C0000 - 0x03609000, size: 0x49000, protection: 0x40.
2019-12-03 06:00:25,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 06:00:25,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 06:00:25,332 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 06:00:25,332 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 06:00:25,332 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x027E0000.
2019-12-03 06:00:25,332 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x035C0000, size: 0x49000.
2019-12-03 06:00:25,332 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x035C0000) returned 0x00000000.
2019-12-03 06:00:25,362 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 06:00:25,362 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x035C0000) -> AllocationBase 0x035C0000 RegionSize 0x299008.
2019-12-03 06:00:25,362 [root] DEBUG: AddTrackedRegion: New region at 0x035C0000 size 0x49000 added to tracked regions.
2019-12-03 06:00:25,362 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x035C0000, TrackedRegion->RegionSize: 0x49000, thread 568
2019-12-03 06:00:25,362 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00460000 to 0x035C0000.
2019-12-03 06:00:25,378 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x035C0000 and Type=0x1.
2019-12-03 06:00:25,378 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 568 type 1 at address 0x035C0000, size 2 with Callback 0x74eb7510.
2019-12-03 06:00:25,378 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x035C0000
2019-12-03 06:00:25,378 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x035C003C and Type=0x1.
2019-12-03 06:00:25,378 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 568 type 1 at address 0x035C003C, size 4 with Callback 0x74eb71a0.
2019-12-03 06:00:25,378 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x035C003C
2019-12-03 06:00:25,394 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x035C0000 (size 0x49000).
2019-12-03 06:00:25,394 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 06:00:25,394 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 568)
2019-12-03 06:00:25,394 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x035C0000.
2019-12-03 06:00:25,394 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-12-03 06:00:25,394 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x035C0000: 0x035C0000 0x035C003C 0x00000000 0x00000000
2019-12-03 06:00:25,394 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x035C003C already exists for thread 568 (process 1892), skipping.
2019-12-03 06:00:25,410 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x35c003c (EIP = 0x76619b60)
2019-12-03 06:00:25,410 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x35c0000: 0x4d.
2019-12-03 06:00:25,410 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 06:00:25,410 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 568)
2019-12-03 06:00:25,410 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x035C003C.
2019-12-03 06:00:25,410 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x035C0000: 0x035C0000 0x035C003C 0x00000000 0x00000000
2019-12-03 06:00:25,410 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x035C00C8 and Type=0x1.
2019-12-03 06:00:25,410 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x035C00D8 and Type=0x1.
2019-12-03 06:00:25,426 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x035C00D8.
2019-12-03 06:00:25,426 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 568)
2019-12-03 06:00:25,426 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x035C00C8.
2019-12-03 06:00:25,426 [root] DEBUG: GetHookCallerBase: thread 568 (handle 0xcc), return address 0x027E152D, allocation base 0x027E0000.
2019-12-03 06:00:25,426 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x027E0000).
2019-12-03 06:00:25,440 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2019-12-03 06:00:25,440 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 568)
2019-12-03 06:00:25,440 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x035C00D8.
2019-12-03 06:00:25,440 [root] DEBUG: GetHookCallerBase: thread 568 (handle 0xcc), return address 0x027E152D, allocation base 0x027E0000.
2019-12-03 06:00:25,440 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x035C00C8: 0x035C00C8 0x035C003C 0x035C00D8 0x00000000
2019-12-03 06:00:25,440 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x035C78F0 and Type=0x1.
2019-12-03 06:00:25,440 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x035C78F0.
2019-12-03 06:00:25,457 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2019-12-03 06:00:25,457 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 568)
2019-12-03 06:00:25,457 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x035C78F0.
2019-12-03 06:00:25,457 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x035C78F0 and Type=0x0.
2019-12-03 06:00:25,457 [root] DEBUG: EntryPointWriteCallback: Execution bp 0 set on EntryPoint address 0x035C78F0.
2019-12-03 06:00:25,457 [root] DEBUG: EntryPointWriteCallback: DEBUG: NumberOfSections 4, SizeOfHeaders 0x1a8.
2019-12-03 06:00:25,457 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x035C78F0: 0x035C78F0 0x035C003C 0x035C00D8 0x00000000
2019-12-03 06:00:25,471 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x036085FF and Type=0x1.
2019-12-03 06:00:25,471 [root] DEBUG: EntryPointWriteCallback: Set write breakpoint on final section, last byte: 0x00000000
2019-12-03 06:00:25,471 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1520.
2019-12-03 06:00:25,471 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (0) at 0x036085FF already exists for thread 1520 (process 1892), skipping.
2019-12-03 06:00:25,471 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (1) at 0x035C003C already exists for thread 1520 (process 1892), skipping.
2019-12-03 06:00:25,471 [root] DEBUG: SetThreadBreakpoint: An identical breakpoint (2) at 0x035C00D8 already exists for thread 1520 (process 1892), skipping.
2019-12-03 06:00:25,487 [root] DEBUG: set_caller_info: Adding region at 0x035C0000 to caller regions list (ntdll::NtCreateEvent).
2019-12-03 06:00:25,487 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 06:00:25,487 [root] DEBUG: set_caller_info: Caller at 0x035CD3FE in tracked regions.
2019-12-03 06:00:25,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 06:00:25,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 06:00:25,487 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 06:00:25,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 06:00:25,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x027E0000.
2019-12-03 06:00:25,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x035C0000.
2019-12-03 06:00:25,503 [root] DEBUG: DumpPEsInRange: Scanning range 0x35c0000 - 0x3609000.
2019-12-03 06:00:25,503 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x35c0000
2019-12-03 06:00:25,503 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 06:00:25,503 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x035C0000.
2019-12-03 06:00:25,503 [root] DEBUG: DumpProcess: Module entry point VA is 0x000078F0.
2019-12-03 06:00:25,519 [root] DEBUG: set_caller_info: Adding region at 0x009F0000 to caller regions list (kernel32::GetSystemTime).
2019-12-03 06:00:25,519 [root] DEBUG: ExtractionCallback: hooked call to kernel32::GetSystemTime from within tracked region (from hook) at 0x00DC9B0B.
2019-12-03 06:00:25,519 [root] DEBUG: DumpPEsInRange: Scanning range 0x35c0000 - 0x3609000.
2019-12-03 06:00:25,519 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x35c0000
2019-12-03 06:00:25,519 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 06:00:25,519 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x035C0000.
2019-12-03 06:00:25,535 [root] DEBUG: DumpProcess: Module entry point VA is 0x000078F0.
2019-12-03 06:00:25,535 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1892_127459416225311632122019
2019-12-03 06:00:25,549 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x45e00.
2019-12-03 06:00:25,549 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x35c0200-0x3609000.
2019-12-03 06:00:25,549 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x035C0000 - 0x03609000.
2019-12-03 06:00:25,549 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x035C0000 - 0x03609000.
2019-12-03 06:00:25,549 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x35c0000 - 0x3609000.
2019-12-03 06:00:25,565 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x036085FF.
2019-12-03 06:00:25,565 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 06:00:25,565 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x035C003C.
2019-12-03 06:00:25,565 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x035C00D8.
2019-12-03 06:00:25,582 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1892_32673665025311632122019
2019-12-03 06:00:25,582 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x45e00.
2019-12-03 06:00:25,596 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x35c0200-0x3609000.
2019-12-03 06:00:25,596 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x035C0000 - 0x03609000.
2019-12-03 06:00:25,596 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x035C0000 - 0x03609000.
2019-12-03 06:00:25,596 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x35c0000 - 0x3609000.
2019-12-03 06:00:25,612 [root] DEBUG: Allocation: 0x02A10000 - 0x02A2E000, size: 0x1e000, protection: 0x40.
2019-12-03 06:00:25,612 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 06:00:25,612 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 06:00:25,612 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 06:00:25,612 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 06:00:25,628 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x027E0000.
2019-12-03 06:00:25,628 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x035C0000.
2019-12-03 06:00:25,628 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02A10000, size: 0x1e000.
2019-12-03 06:00:25,628 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x02A10000) returned 0x00000000.
2019-12-03 06:00:25,628 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 06:00:25,628 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x02A10000) -> AllocationBase 0x02A10000 RegionSize 0x122880.
2019-12-03 06:00:25,644 [root] DEBUG: AddTrackedRegion: New region at 0x02A10000 size 0x1e000 added to tracked regions.
2019-12-03 06:00:25,644 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02A10000, TrackedRegion->RegionSize: 0x1e000, thread 1520
2019-12-03 06:00:25,644 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x035C0000 to 0x02A10000.
2019-12-03 06:00:25,644 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x1c8, Size=0x2, Address=0x02A10000 and Type=0x1.
2019-12-03 06:00:25,644 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1520 type 1 at address 0x02A10000, size 2 with Callback 0x74eb7510.
2019-12-03 06:00:25,644 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02A10000
2019-12-03 06:00:25,660 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x1c8, Size=0x4, Address=0x02A1003C and Type=0x1.
2019-12-03 06:00:25,660 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1520 type 1 at address 0x02A1003C, size 4 with Callback 0x74eb71a0.
2019-12-03 06:00:25,660 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02A1003C
2019-12-03 06:00:25,660 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02A10000 (size 0x1e000).
2019-12-03 06:00:25,660 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 1520)
2019-12-03 06:00:25,674 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02A10000.
2019-12-03 06:00:25,674 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2019-12-03 06:00:25,674 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x02A10000: 0x02A10000 0x02A1003C 0x00000000 0x00000000
2019-12-03 06:00:25,674 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x02A1003C already exists for thread 1520 (process 1892), skipping.
2019-12-03 06:00:25,674 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2a1003c (EIP = 0x76619b60)
2019-12-03 06:00:25,690 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2a10000: 0x4d.
2019-12-03 06:00:25,690 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2019-12-03 06:00:25,690 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 1520)
2019-12-03 06:00:25,690 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02A1003C.
2019-12-03 06:00:25,690 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x02A10000: 0x02A10000 0x02A1003C 0x00000000 0x00000000
2019-12-03 06:00:25,706 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x02A100F8 and Type=0x1.
2019-12-03 06:00:25,706 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x02A10108 and Type=0x1.
2019-12-03 06:00:25,706 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02A10108.
2019-12-03 06:00:25,721 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 1520)
2019-12-03 06:00:25,721 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x02A100F8.
2019-12-03 06:00:25,721 [root] DEBUG: GetHookCallerBase: thread 1520 (handle 0x1c8), return address 0x035C1A51, allocation base 0x035C0000.
2019-12-03 06:00:25,721 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x035C0000).
2019-12-03 06:00:25,737 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2019-12-03 06:00:25,737 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 1520)
2019-12-03 06:00:25,737 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x02A10108.
2019-12-03 06:00:25,737 [root] DEBUG: GetHookCallerBase: thread 1520 (handle 0x1c8), return address 0x035C1A51, allocation base 0x035C0000.
2019-12-03 06:00:25,737 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x02A100F8: 0x02A100F8 0x02A1003C 0x02A10108 0x00000000
2019-12-03 06:00:25,753 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x02A15CB8 and Type=0x1.
2019-12-03 06:00:25,753 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x02A15CB8.
2019-12-03 06:00:25,753 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2019-12-03 06:00:25,753 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x76619B60 (thread 1520)
2019-12-03 06:00:25,753 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x02A15CB8.
2019-12-03 06:00:25,769 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x02A15CB8 and Type=0x0.
2019-12-03 06:00:25,769 [root] DEBUG: EntryPointWriteCallback: Execution bp 0 set on EntryPoint address 0x02A15CB8.
2019-12-03 06:00:25,769 [root] DEBUG: EntryPointWriteCallback: DEBUG: NumberOfSections 4, SizeOfHeaders 0x1d8.
2019-12-03 06:00:25,769 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x02A15CB8: 0x02A15CB8 0x02A1003C 0x02A10108 0x00000000
2019-12-03 06:00:25,769 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x02A2DFFF and Type=0x1.
2019-12-03 06:00:25,783 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x68a1 in capemon caught accessing 0x2a2e000 (expected in memory scans), passing to next handler.
2019-12-03 06:00:26,674 [root] DEBUG: DLL unloaded from 0x000007FEFF920000.
2019-12-03 06:00:26,688 [root] INFO: Announced starting service "WerSvc"
2019-12-03 06:00:26,704 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1628
2019-12-03 06:00:26,704 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 06:00:26,720 [lib.api.process] INFO: 64-bit DLL to inject is C:\hxonwzw\dll\oSYRvY.dll, loader C:\hxonwzw\bin\VGkDJOSD.exe
2019-12-03 06:00:26,720 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 06:00:26,720 [root] DEBUG: Loader: Injecting process 1628 (thread 1868) with C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 06:00:26,736 [root] DEBUG: Process image base: 0x00000000FF680000
2019-12-03 06:00:26,736 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 06:00:26,736 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00000000FF68B000 - 0x000007FEFFD20000
2019-12-03 06:00:26,736 [root] DEBUG: InjectDllViaIAT: Allocated 0x20c bytes for new import table at 0x00000000FF690000.
2019-12-03 06:00:26,736 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 06:00:26,736 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 06:00:26,752 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1628
2019-12-03 06:00:26,752 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1628
2019-12-03 06:00:26,752 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 06:00:26,752 [lib.api.process] INFO: 64-bit DLL to inject is C:\hxonwzw\dll\oSYRvY.dll, loader C:\hxonwzw\bin\VGkDJOSD.exe
2019-12-03 06:00:26,766 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 06:00:26,766 [root] DEBUG: Loader: Injecting process 1628 (thread 1868) with C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 06:00:26,766 [root] DEBUG: Process image base: 0x00000000FF680000
2019-12-03 06:00:26,782 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 06:00:26,782 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 06:00:26,782 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\oSYRvY.dll.
2019-12-03 06:00:26,782 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1628
2019-12-03 06:00:26,798 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 06:00:26,798 [root] DEBUG: Process dumps disabled.
2019-12-03 06:00:26,798 [root] INFO: Disabling sleep skipping.
2019-12-03 06:00:26,813 [root] WARNING: Unable to place hook on LockResource
2019-12-03 06:00:26,813 [root] WARNING: Unable to hook LockResource
2019-12-03 06:00:26,813 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 06:00:26,829 [root] DEBUG: Debugger initialised.
2019-12-03 06:00:26,829 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1628 at 0x0000000074AE0000, image base 0x00000000FF680000, stack from 0x00000000000C5000-0x00000000000D0000
2019-12-03 06:00:26,829 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2019-12-03 06:00:26,829 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF680000) returned 0x0000000000000000.
2019-12-03 06:00:26,845 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2019-12-03 06:00:26,845 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF680000) -> AllocationBase 0x00000000FF680000 RegionSize 0x4096.
2019-12-03 06:00:26,845 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.653807e+00
2019-12-03 06:00:26,861 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF680000 size 0x1000 added to tracked regions.
2019-12-03 06:00:26,861 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 06:00:26,861 [root] INFO: Added new process to list with pid: 1628
2019-12-03 06:00:26,875 [root] INFO: Monitor successfully loaded in process with pid 1628.
2019-12-03 06:00:26,875 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1680.
2019-12-03 06:00:26,875 [root] DEBUG: DLL unloaded from 0x0000000077A00000.
2019-12-03 06:00:26,907 [root] DEBUG: DLL loaded at 0x000007FEFB1E0000: c:\windows\system32\wersvc (0x18000 bytes).
2019-12-03 06:00:26,907 [root] DEBUG: DLL unloaded from 0x000007FEFB1E0000.
2019-12-03 06:00:26,923 [root] DEBUG: CreateThread: Initialising breakpoints for thread 728.
2019-12-03 06:00:26,923 [root] DEBUG: DLL unloaded from 0x0000000077A00000.
2019-12-03 06:00:26,938 [root] DEBUG: DLL loaded at 0x000007FEF7F40000: C:\Windows\System32\faultrep (0x5c000 bytes).
2019-12-03 06:00:26,953 [root] DEBUG: DLL loaded at 0x000007FEF9B90000: C:\Windows\System32\wer (0x7c000 bytes).
2019-12-03 06:00:26,970 [root] DEBUG: DLL loaded at 0x000007FEFEB90000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2019-12-03 06:00:26,970 [root] DEBUG: DLL loaded at 0x000007FEFD910000: C:\Windows\System32\profapi (0xf000 bytes).
2019-12-03 06:00:26,986 [root] DEBUG: DLL loaded at 0x000007FEFCCA0000: C:\Windows\System32\USERENV (0x1e000 bytes).
2019-12-03 06:00:27,016 [root] INFO: Announced 32-bit process name: WerFault.exe pid: 1452
2019-12-03 06:00:27,032 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 06:00:27,032 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 06:00:27,032 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 06:00:27,032 [root] DEBUG: Loader: Injecting process 1452 (thread 1700) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:27,032 [root] DEBUG: Process image base: 0x006C0000
2019-12-03 06:00:27,032 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:27,048 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0071B000 - 0x77A00000
2019-12-03 06:00:27,048 [root] DEBUG: InjectDllViaIAT: Allocated 0x23c bytes for new import table at 0x00720000.
2019-12-03 06:00:27,048 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 06:00:27,048 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:27,048 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1452
2019-12-03 06:00:27,048 [root] DEBUG: DLL loaded at 0x000007FEFD7E0000: C:\Windows\system32\apphelp (0x57000 bytes).
2019-12-03 06:00:27,095 [root] INFO: Announced 32-bit process name: WerFault.exe pid: 1452
2019-12-03 06:00:27,095 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 06:00:27,095 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 06:00:27,109 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 06:00:27,109 [root] DEBUG: Loader: Injecting process 1452 (thread 1700) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:27,109 [root] DEBUG: Process image base: 0x006C0000
2019-12-03 06:00:27,109 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:27,109 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 06:00:27,125 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:27,125 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1452
2019-12-03 06:00:27,125 [root] DEBUG: DLL unloaded from 0x000007FEF7F40000.
2019-12-03 06:00:27,203 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 06:00:27,203 [root] DEBUG: Process dumps disabled.
2019-12-03 06:00:27,220 [root] INFO: Disabling sleep skipping.
2019-12-03 06:00:27,220 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 06:00:27,220 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-12-03 06:00:27,220 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x170000
2019-12-03 06:00:27,220 [root] DEBUG: Debugger initialised.
2019-12-03 06:00:27,220 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1452 at 0x74eb0000, image base 0x6c0000, stack from 0x2a6000-0x2b0000
2019-12-03 06:00:27,312 [root] DEBUG: Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 880.
2019-12-03 06:00:27,312 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x006C0000) returned 0x00000000.
2019-12-03 06:00:27,328 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 06:00:27,328 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x006C0000) -> AllocationBase 0x006C0000 RegionSize 0x4096.
2019-12-03 06:00:27,421 [root] DEBUG: AddTrackedRegion: EntryPoint 0x80c7, Entropy 6.517554e+00
2019-12-03 06:00:27,421 [root] DEBUG: AddTrackedRegion: New region at 0x006C0000 size 0x1000 added to tracked regions.
2019-12-03 06:00:27,421 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 06:00:27,421 [root] INFO: Added new process to list with pid: 1452
2019-12-03 06:00:27,421 [root] INFO: Monitor successfully loaded in process with pid 1452.
2019-12-03 06:00:27,453 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2019-12-03 06:00:27,453 [root] DEBUG: DLL unloaded from 0x76B10000.
2019-12-03 06:00:27,453 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1900.
2019-12-03 06:00:27,469 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 06:00:27,733 [root] DEBUG: DLL unloaded from 0x74A40000.
2019-12-03 06:00:27,828 [root] DEBUG: DLL loaded at 0x746F0000: C:\Windows\SysWOW64\dbgeng (0x29d000 bytes).
2019-12-03 06:00:27,858 [root] DEBUG: DLL loaded at 0x74600000: C:\Windows\SysWOW64\dbghelp (0xeb000 bytes).
2019-12-03 06:00:27,937 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 06:00:28,686 [root] DEBUG: DLL unloaded from 0x74600000.
2019-12-03 06:00:28,701 [root] DEBUG: DLL loaded at 0x74C00000: C:\Windows\SysWOW64\SensApi (0x6000 bytes).
2019-12-03 06:00:28,747 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-12-03 06:00:28,779 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 06:00:28,811 [root] DEBUG: DLL unloaded from 0x77BE0000.
2019-12-03 06:00:28,811 [root] INFO: Sample attempted to remap module 'C:\Windows\SysWOW64\ntdll.dll' at 0x02A30000, returning original module address instead: 0x77BE0000
2019-12-03 06:00:28,811 [root] DEBUG: DLL loaded at 0x000007FEF7E40000: C:\Windows\System32\faultrep (0x5c000 bytes).
2019-12-03 06:00:28,842 [root] INFO: Announced 32-bit process name: WerFault.exe pid: 1916
2019-12-03 06:00:28,842 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 06:00:28,842 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 06:00:28,950 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 06:00:28,950 [root] DEBUG: Loader: Injecting process 1916 (thread 808) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:28,950 [root] DEBUG: Process image base: 0x006C0000
2019-12-03 06:00:28,967 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:28,967 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x0071B000 - 0x77A00000
2019-12-03 06:00:28,967 [root] DEBUG: InjectDllViaIAT: Allocated 0x23c bytes for new import table at 0x00720000.
2019-12-03 06:00:28,982 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 06:00:28,982 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:28,982 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1916
2019-12-03 06:00:28,982 [root] INFO: Announced 32-bit process name: WerFault.exe pid: 1916
2019-12-03 06:00:28,982 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2019-12-03 06:00:28,997 [lib.api.process] INFO: 32-bit DLL to inject is C:\hxonwzw\dll\JbUzyn.dll, loader C:\hxonwzw\bin\LBmuqlb.exe
2019-12-03 06:00:29,059 [root] DEBUG: DLL unloaded from 0x000007FEF7E40000.
2019-12-03 06:00:29,059 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PkcyzMW.
2019-12-03 06:00:29,075 [root] DEBUG: Loader: Injecting process 1916 (thread 808) with C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:29,075 [root] DEBUG: Process image base: 0x006C0000
2019-12-03 06:00:29,075 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:29,075 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2019-12-03 06:00:29,075 [root] DEBUG: Successfully injected DLL C:\hxonwzw\dll\JbUzyn.dll.
2019-12-03 06:00:29,075 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1916
2019-12-03 06:00:29,092 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 06:00:29,092 [root] DEBUG: Process dumps disabled.
2019-12-03 06:00:29,092 [root] INFO: Disabling sleep skipping.
2019-12-03 06:00:29,107 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1892).
2019-12-03 06:00:29,107 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 06:00:29,107 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 06:00:29,107 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2019-12-03 06:00:29,107 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2019-12-03 06:00:29,107 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xc0000
2019-12-03 06:00:29,107 [root] DEBUG: ProcessImageBase: EP 0x000014E0 image base 0x00400000 size 0x0 entropy 5.959736e+00.
2019-12-03 06:00:29,107 [root] DEBUG: Debugger initialised.
2019-12-03 06:00:29,107 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00460000.
2019-12-03 06:00:29,107 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1916 at 0x74eb0000, image base 0x6c0000, stack from 0x236000-0x240000
2019-12-03 06:00:29,107 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x027E0000.
2019-12-03 06:00:29,122 [root] DEBUG: Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 420.
2019-12-03 06:00:29,122 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x035C0000.
2019-12-03 06:00:29,122 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x006C0000) returned 0x00000000.
2019-12-03 06:00:29,122 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02A10000.
2019-12-03 06:00:29,122 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2019-12-03 06:00:29,122 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a10000 - 0x2a2e000.
2019-12-03 06:00:29,122 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x006C0000) -> AllocationBase 0x006C0000 RegionSize 0x4096.
2019-12-03 06:00:29,122 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2a10000
2019-12-03 06:00:29,122 [root] DEBUG: AddTrackedRegion: EntryPoint 0x80c7, Entropy 6.517560e+00
2019-12-03 06:00:29,122 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 06:00:29,122 [root] DEBUG: AddTrackedRegion: New region at 0x006C0000 size 0x1000 added to tracked regions.
2019-12-03 06:00:29,122 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x02A10000.
2019-12-03 06:00:29,138 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2019-12-03 06:00:29,138 [root] INFO: Added new process to list with pid: 1916
2019-12-03 06:00:29,138 [root] DEBUG: DumpProcess: Module entry point VA is 0x00005CB8.
2019-12-03 06:00:29,138 [root] INFO: Monitor successfully loaded in process with pid 1916.
2019-12-03 06:00:29,138 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1916).
2019-12-03 06:00:29,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 06:00:29,154 [root] INFO: Added new CAPE file to list with path: C:\WPvYbYp\CAPE\1892_101608032624461632122019
2019-12-03 06:00:29,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x006C0000.
2019-12-03 06:00:29,154 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x5200.
2019-12-03 06:00:29,154 [root] DEBUG: ProcessImageBase: EP 0x000080C7 image base 0x006C0000 size 0x0 entropy 6.517870e+00.
2019-12-03 06:00:29,154 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a10200-0x2a2e000.
2019-12-03 06:00:29,154 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1916).
2019-12-03 06:00:29,154 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x02A10000 - 0x02A2E000.
2019-12-03 06:00:29,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2019-12-03 06:00:29,170 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x02A10000 - 0x02A2E000.
2019-12-03 06:00:29,170 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x006C0000.
2019-12-03 06:00:29,170 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2a10000 - 0x2a2e000.
2019-12-03 06:00:29,170 [root] DEBUG: ProcessImageBase: EP 0x000080C7 image base 0x006C0000 size 0x0 entropy 6.517870e+00.
2019-12-03 06:00:29,170 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x02A2DFFF.
2019-12-03 06:00:29,170 [root] INFO: Notified of termination of process with pid 1916.
2019-12-03 06:00:29,170 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x02A1003C.
2019-12-03 06:00:29,170 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1628).
2019-12-03 06:00:29,170 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x02A10108.
2019-12-03 06:00:29,170 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2019-12-03 06:00:29,170 [root] INFO: Notified of termination of process with pid 1892.
2019-12-03 06:00:29,170 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF680000.
2019-12-03 06:00:29,184 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1892).
2019-12-03 06:00:29,184 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FF680000 size 0x0 entropy 3.675683e+00.
2019-12-03 06:00:29,184 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1680.
2019-12-03 06:00:29,184 [root] WARNING: Unable to open termination event for pid 1452.
2019-12-03 06:00:29,279 [root] INFO: Process with pid 1452 has terminated
2019-12-03 06:00:30,651 [root] DEBUG: DLL unloaded from 0x000007FEFB1E0000.
2019-12-03 06:02:29,086 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1488.
2019-12-03 06:02:29,102 [root] DEBUG: DLL unloaded from 0x0000000077A00000.
2019-12-03 06:02:29,134 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1628).
2019-12-03 06:02:29,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2019-12-03 06:02:29,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF680000.
2019-12-03 06:02:29,148 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FF680000 size 0x0 entropy 3.675683e+00.
2019-12-03 06:02:29,164 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1680.
2019-12-03 06:02:29,164 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 728.
2019-12-03 06:02:29,180 [root] DEBUG: DLL unloaded from 0x000007FEFEB60000.
2019-12-03 06:02:29,196 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1628).
2019-12-03 06:02:29,226 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2019-12-03 06:02:29,226 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF680000.
2019-12-03 06:02:29,243 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FF680000 size 0x0 entropy 3.675683e+00.
2019-12-03 06:02:29,243 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1680.
2019-12-03 06:02:29,243 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 728.
2019-12-03 06:02:29,243 [root] INFO: Notified of termination of process with pid 1628.
2019-12-03 06:02:34,765 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-12-03 06:02:34,765 [root] INFO: Created shutdown mutex.
2019-12-03 06:02:35,779 [lib.api.process] INFO: Terminate event set for process 1728
2019-12-03 06:02:35,795 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1728).
2019-12-03 06:02:35,795 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2019-12-03 06:02:35,795 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF750000.
2019-12-03 06:02:35,811 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF750000 size 0x0 entropy 5.860779e+00.
2019-12-03 06:02:35,811 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1400.
2019-12-03 06:02:35,842 [lib.api.process] INFO: Termination confirmed for process 1728
2019-12-03 06:02:35,842 [root] INFO: Terminate event set for process 1728.
2019-12-03 06:02:35,842 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1728
2019-12-03 06:02:35,842 [root] INFO: Terminating process 1728 before shutdown.
2019-12-03 06:02:35,857 [root] INFO: Waiting for process 1728 to exit.
2019-12-03 06:02:36,858 [root] INFO: Shutting down package.
2019-12-03 06:02:36,858 [root] INFO: Stopping auxiliary modules.
2019-12-03 06:02:36,858 [root] INFO: Finishing auxiliary modules.
2019-12-03 06:02:36,858 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 06:02:36,868 [root] WARNING: File at path "C:\WPvYbYp\debugger" does not exist, skip.
2019-12-03 06:02:36,868 [root] INFO: Analysis completed.

MalScore

10.0

Emotet

Machine

Name Label Manager Started On Shutdown On
target-04 target-04 ESX 2019-12-03 05:59:09 2019-12-03 06:02:50

File Details

File Name nonmanual.exe
File Size 371397 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4a19c0efa79d514e9003f0fb5abfa93d
SHA1 87c3ebe34ff049e02b24305cf7b6df0dda502a3b
SHA256 d3717429ba31832577c8a24fe89a4be77aa9198f351fa5a2911c95b20c4e9e39
SHA512 d9dfba254ec7ac780e75126c317e559288b28dc8882bd8b5e1e12dae9fdc41c9a9f5db1be3a6fc8c24651aac01d5552678ddfb0e8b3a776d13fea37f6ba1a463
CRC32 42BA7649
Ssdeep 6144:uyojDQSFZbS+pzaSKSa0/fUnt0vJgk2TBsGhw2/K6786TEnCAIpi9MxipEl7BuHh:MDQSzDq0mTMbGW
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
At least one process apparently crashed during execution
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 864 triggered the Yara rule 'Emotet'
Hit: PID 1892 triggered the Yara rule 'HeavensGate'
Possible date expiration check, exits too soon after checking local time
process: compontitle.exe, PID 832
Mimics the system's user agent string for its own requests
Dynamic (imported) function loading detected
Performs HTTP requests potentially not found in PCAP.
url: 144.76.56.36:8080/img/stubs/balloon/
url: 165.227.156.155:443/sess/guids/odbc/
url: 165.227.156.155:443/splash/
url: 78.47.106.72:8080/cab/enabled/odbc/
CAPE extracted potentially suspicious content
nonmanual.exe: Emotet Payload: 32-bit executable
nonmanual.exe: [{u'strings': [u'{ 33 C0 21 05 4C 25 41 00 A3 48 25 41 00 39 05 70 F3 40 00 74 18 40 A3 48 25 41 00 83 3C C5 70 F3 40 00 00 75 F0 51 E8 FD BE FF FF 59 C3 }', u'{ 6A 13 68 01 00 01 00 FF 15 0C 02 41 00 85 C0 }'], u'meta': {u'cape_type': u'Emotet Payload', u'description': u'Emotet Payload', u'author': u'kevoreilly'}, u'addresses': {u'snippet6': 21716L, u'snippet2': 5037L}, u'name': u'Emotet'}]
nonmanual.exe: Emotet Payload
compontitle.exe: Extracted PE Image: 32-bit DLL
compontitle.exe: Extracted PE Image: 32-bit executable
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://165.227.156.155:443/sess/guids/odbc/
suspicious_request: http://165.227.156.155:443/splash/
Performs some HTTP requests
url: http://165.227.156.155:443/sess/guids/odbc/
url: http://165.227.156.155:443/splash/
The binary contains an unknown PE section name indicative of packing
unknown section: name: /4, entropy: 1.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_8BYTES, raw_size: 0x00000400, virtual_size: 0x00000358
unknown section: name: /19, entropy: 6.10, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x0000da00, virtual_size: 0x0000d972
unknown section: name: /31, entropy: 4.67, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00002000, virtual_size: 0x00001ffc
unknown section: name: /45, entropy: 5.74, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00002200, virtual_size: 0x000020d5
unknown section: name: /57, entropy: 4.70, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES, raw_size: 0x00000c00, virtual_size: 0x00000bc4
unknown section: name: /70, entropy: 4.28, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00000400, virtual_size: 0x0000031c
unknown section: name: /81, entropy: 3.51, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00001a00, virtual_size: 0x000019f2
unknown section: name: /92, entropy: 2.55, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES, raw_size: 0x00000800, virtual_size: 0x00000608
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 6.87, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES, raw_size: 0x00014200, virtual_size: 0x00014020
Deletes its original binary from disk
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Windows\SysWOW64\compontitle.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: services.exe (464) called API GetSystemTimeAsFileTime 1006326 times
Installs itself for autorun at Windows startup
service name: compontitle
service path: "C:\Windows\SysWOW64\compontitle.exe"
CAPE detected the Emotet malware family
Creates a copy of itself
copy: C:\Windows\SysWOW64\compontitle.exe
Drops a binary and executes it
binary: C:\Windows\SysWOW64\compontitle.exe
Anomalous binary characteristics
anomaly: Actual checksum does not match that reported in PE header

Hosts

Direct IP Country Name
Y 78.47.106.72 [VT] Germany
Y 165.227.156.155 [VT] Germany
Y 144.76.56.36 [VT] Germany

DNS

No domains contacted.


Summary

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\nonmanual.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\nonmanual.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{000214F9-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_LOCAL_MACHINE\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_USERS\.DEFAULT\Control Panel\Desktop
HKEY_USERS\.DEFAULT\Control Panel\Desktop\SmoothScroll
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wersvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Escalation
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\WMR
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B7873E5B
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
HKEY_CURRENT_USER\Software\Microsoft\Windiff
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceCopyACLWithFile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoEncryptOnMove
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\compontitle\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsiproxy\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nsi\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NlaSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netprofm\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_USERS\.DEFAULT\Control Panel\Desktop\SmoothScroll
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\compontitle_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B7873E5B
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptDeriveKey
cryptsp.dll.CryptEncrypt
kernel32.dll.IsProcessorFeaturePresent
oleaut32.dll.#200
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
comctl32.dll.#385
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#323
ole32.dll.CreateBindCtx
ole32.dll.CoTaskMemAlloc
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoTaskMemFree
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#328
comctl32.dll.#334
oleaut32.dll.#2
ole32.dll.CoCreateInstance
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
propsys.dll.InitPropVariantFromBuffer
advapi32.dll.GetNamedSecurityInfoW
advapi32.dll.TreeSetNamedSecurityInfoW
ole32.dll.CoUninitialize
comctl32.dll.#329
comctl32.dll.#388
comctl32.dll.#321
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
comctl32.dll.#387
comctl32.dll.#327
advapi32.dll.UnregisterTraceGuids
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptDuplicateHash
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptVerifySignatureW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
wersvc.dll.ServiceMain
wersvc.dll.SvchostPushServiceGlobals
advapi32.dll.RegGetValueW
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
faultrep.dll.WerpInitiateCrashReporting
wer.dll.WerpCreateMachineStore
shell32.dll.SHGetFolderPathEx
ole32.dll.StringFromGUID2
profapi.dll.#104
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
lpk.dll.LpkEditControl
imm32.dll.ImmDisableIME
psapi.dll.GetModuleFileNameExW
version.dll.GetFileVersionInfoSizeW
wer.dll.WerpCreateIntegratorReportId
wer.dll.WerReportCreate
advapi32.dll.OpenProcessToken
wer.dll.WerpSetIntegratorReportId
wer.dll.WerReportSetParameter
dbgeng.dll.DebugCreate
ntdll.dll.CsrGetProcessId
ntdll.dll.DbgBreakPoint
ntdll.dll.DbgPrint
ntdll.dll.DbgPrompt
ntdll.dll.DbgUiConvertStateChangeStructure
ntdll.dll.DbgUiGetThreadDebugObject
ntdll.dll.DbgUiIssueRemoteBreakin
ntdll.dll.DbgUiSetThreadDebugObject
ntdll.dll.NtAllocateVirtualMemory
ntdll.dll.NtClose
ntdll.dll.NtCreateDebugObject
ntdll.dll.NtCreateFile
ntdll.dll.NtDebugActiveProcess
ntdll.dll.NtDebugContinue
ntdll.dll.NtFreeVirtualMemory
ntdll.dll.NtOpenProcess
ntdll.dll.NtOpenThread
ntdll.dll.NtQueryInformationProcess
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtQueryMutant
ntdll.dll.NtQueryObject
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtRemoveProcessDebug
ntdll.dll.NtResumeThread
ntdll.dll.NtSetInformationDebugObject
ntdll.dll.NtSetInformationProcess
ntdll.dll.NtSystemDebugControl
ntdll.dll.NtWaitForDebugEvent
ntdll.dll.RtlAnsiStringToUnicodeString
ntdll.dll.RtlCreateProcessParameters
ntdll.dll.RtlCreateUserProcess
ntdll.dll.RtlDestroyProcessParameters
ntdll.dll.RtlDosPathNameToNtPathName_U
ntdll.dll.RtlFindMessage
ntdll.dll.RtlFreeHeap
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.RtlGetUnloadEventTrace
ntdll.dll.RtlGetUnloadEventTraceEx
ntdll.dll.RtlInitAnsiString
ntdll.dll.RtlInitUnicodeString
ntdll.dll.RtlTryEnterCriticalSection
ntdll.dll.RtlUnicodeStringToAnsiString
ntdll.dll.NtOpenProcessToken
ntdll.dll.NtOpenThreadToken
ntdll.dll.NtQueryInformationToken
kernel32.dll.CloseProfileUserMapping
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.DebugActiveProcessStop
kernel32.dll.DebugBreak
kernel32.dll.DebugBreakProcess
kernel32.dll.DebugSetProcessKillOnExit
kernel32.dll.Module32First
kernel32.dll.Module32FirstW
kernel32.dll.Module32Next
kernel32.dll.Module32NextW
kernel32.dll.OpenThread
kernel32.dll.Process32First
kernel32.dll.Process32FirstW
kernel32.dll.Process32Next
kernel32.dll.Process32NextW
kernel32.dll.SetProcessShutdownParameters
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.GetTimeZoneInformation
kernel32.dll.DuplicateHandle
kernel32.dll.Wow64GetThreadSelectorEntry
advapi32.dll.CloseServiceHandle
advapi32.dll.ControlService
advapi32.dll.CreateServiceA
advapi32.dll.CreateServiceW
advapi32.dll.DeleteService
advapi32.dll.EnumServicesStatusExA
advapi32.dll.EnumServicesStatusExW
advapi32.dll.GetEventLogInformation
advapi32.dll.GetTokenInformation
advapi32.dll.LookupAccountSidW
advapi32.dll.OpenSCManagerA
advapi32.dll.OpenSCManagerW
advapi32.dll.OpenServiceA
advapi32.dll.OpenServiceW
advapi32.dll.StartServiceA
advapi32.dll.StartServiceW
advapi32.dll.GetSidSubAuthority
advapi32.dll.GetSidSubAuthorityCount
version.dll.GetFileVersionInfoSizeExW
version.dll.GetFileVersionInfoExW
dbghelp.dll.WinDbgExtensionDllInit
dbghelp.dll.ExtensionApiVersion
wer.dll.WerpSetDynamicParameter
wer.dll.WerReportAddDump
wer.dll.WerpSetCallBack
wer.dll.WerReportSetUIOption
wer.dll.WerpAddRegisteredDataToReport
wer.dll.WerReportSubmit
user32.dll.LoadStringW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.CheckTokenMembership
advapi32.dll.FreeSid
user32.dll.GetProcessWindowStation
user32.dll.GetThreadDesktop
user32.dll.GetUserObjectInformationW
sensapi.dll.IsNetworkAlive
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall2
user32.dll.CharUpperW
wer.dll.WerpAddAppCompatData
apphelp.dll.SdbGetFileAttributes
apphelp.dll.SdbFormatAttribute
apphelp.dll.SdbFreeFileAttributes
--f4134209
C:\Users\user\AppData\Local\Temp\nonmanual.exe --f4134209
"C:\Windows\SysWOW64\compontitle.exe"
C:\Windows\System32\svchost.exe -k WerSvcGroup
--ce2bae20
C:\Windows\SysWOW64\compontitle.exe --ce2bae20
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 880
C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 420
gcc-shmem-tdm2-use_fc_key
gcc-shmem-tdm2-sjlj_once
gcc-shmem-tdm2-once_global_shmem
gcc-shmem-tdm2-once_obj_shmem
gcc-shmem-tdm2-mutex_global_shmem
gcc-shmem-tdm2-_pthread_tls_once_shmem
gcc-shmem-tdm2-_pthread_tls_shmem
gcc-shmem-tdm2-mtx_pthr_locked_shmem
gcc-shmem-tdm2-mutex_global_static_shmem
gcc-shmem-tdm2-mxattr_recursive_shmem
gcc-shmem-tdm2-pthr_root_shmem
gcc-shmem-tdm2-idListCnt_shmem
gcc-shmem-tdm2-idListMax_shmem
gcc-shmem-tdm2-idList_shmem
gcc-shmem-tdm2-idListNextId_shmem
gcc-shmem-tdm2-fc_key
gcc-shmem-tdm2-_pthread_key_lock_shmem
gcc-shmem-tdm2-_pthread_cancelling_shmem
gcc-shmem-tdm2-cond_locked_shmem_rwlock
gcc-shmem-tdm2-rwl_global_shmem
gcc-shmem-tdm2-_pthread_key_sch_shmem
gcc-shmem-tdm2-_pthread_key_max_shmem
gcc-shmem-tdm2-_pthread_key_dest_shmem
Global\IA4889F95
Global\MA4889F95
IESQMMUTEX_0_208
Local\WERReportingForProcess1892
Global\33ac04b1-1592-11ea-9e9a-000c29a3241b
compontitle
compontitle
WerSvc

PE Information

Image Base 0x00400000
Entry Point 0x004014e0
Reported Checksum 0x000622e7
Actual Checksum 0x00064f16
Minimum OS Version 4.0
Compile Time 2019-11-14 21:05:36
Import Hash 4151de9accf118d99670f695f3c0da21

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000182b8 0x00018400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_16BYTES 5.98
.data 0x0001a000 0x00014020 0x00014200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 6.87
.rdata 0x0002f000 0x0000325c 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_32BYTES 5.44
.bss 0x00033000 0x00000498 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_32BYTES 0.00
.idata 0x00034000 0x00000e34 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 4.91
.CRT 0x00035000 0x00000038 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.31
.tls 0x00036000 0x00000020 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 0.22
.rsrc 0x00037000 0x000004f0 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE|IMAGE_SCN_ALIGN_4BYTES 2.88
/4 0x00038000 0x00000358 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_8BYTES 1.96
/19 0x00039000 0x0000d972 0x0000da00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 6.10
/31 0x00047000 0x00001ffc 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 4.67
/45 0x00049000 0x000020d5 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 5.74
/57 0x0004c000 0x00000bc4 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_4BYTES 4.70
/70 0x0004d000 0x0000031c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 4.28
/81 0x0004e000 0x000019f2 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 3.51
/92 0x00050000 0x00000608 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ|IMAGE_SCN_ALIGN_1BYTES 2.55

Overlay

Offset 0x00046a00
Size 0x000140c5

Imports

Library ADVAPI32.dll:
0x434284 SetFileSecurityW
Library COMDLG32.DLL:
0x43428c ChooseColorA
Library GDI32.dll:
0x434294 CreateSolidBrush
Library KERNEL32.dll:
0x43429c AddAtomA
0x4342a0 CloseHandle
0x4342a4 CreateEventA
0x4342a8 CreateMutexA
0x4342ac CreateSemaphoreA
0x4342b4 DuplicateHandle
0x4342bc FindAtomA
0x4342c0 GetAtomNameA
0x4342c4 GetCurrentProcess
0x4342c8 GetCurrentProcessId
0x4342cc GetCurrentThread
0x4342d0 GetCurrentThreadId
0x4342d8 GetLastError
0x4342e0 GetStartupInfoA
0x4342e8 GetThreadContext
0x4342ec GetThreadPriority
0x4342f0 GetTickCount
0x434300 InterlockedExchange
0x434314 ReleaseMutex
0x434318 ReleaseSemaphore
0x43431c ResetEvent
0x434320 ResumeThread
0x434324 SetEvent
0x434328 SetLastError
0x434330 SetThreadContext
0x434334 SetThreadPriority
0x43433c Sleep
0x434340 SuspendThread
0x434344 TerminateProcess
0x434348 TlsAlloc
0x43434c TlsGetValue
0x434350 TlsSetValue
0x43435c VirtualProtect
0x434360 VirtualQuery
0x434368 WaitForSingleObject
0x43436c WinExec
Library msvcrt.dll:
0x434374 __dllonexit
0x434378 __getmainargs
0x43437c __initenv
0x434380 __lconv_init
0x434384 __set_app_type
0x434388 __setusermatherr
0x43438c _acmdln
0x434390 _amsg_exit
0x434394 _beginthreadex
0x434398 _cexit
0x43439c _endthreadex
0x4343a0 _fmode
0x4343a4 _ftime
0x4343a8 _initterm
0x4343ac _iob
0x4343b0 _lock
0x4343b4 _onexit
0x4343b8 _setjmp3
0x4343bc _unlock
0x4343c0 _write
0x4343c4 abort
0x4343c8 calloc
0x4343cc exit
0x4343d0 fclose
0x4343d4 fopen
0x4343d8 fprintf
0x4343dc fputc
0x4343e0 fputs
0x4343e4 free
0x4343e8 fwrite
0x4343ec longjmp
0x4343f0 malloc
0x4343f4 memcmp
0x4343f8 memcpy
0x4343fc memmove
0x434400 memset
0x434404 printf
0x434408 realloc
0x43440c signal
0x434410 sprintf
0x434414 strcmp
0x434418 strlen
0x43441c strncmp
0x434420 vfprintf
Library USER32.dll:
0x434428 CreateWindowExA
0x43442c DefWindowProcA
0x434430 DialogBoxParamA
0x434434 DispatchMessageA
0x434438 EnableWindow
0x43443c EndDialog
0x434440 GetDlgItem
0x434444 GetDlgItemInt
0x434448 GetDlgItemTextA
0x43444c GetMessageA
0x434450 IsDlgButtonChecked
0x434454 LoadCursorA
0x434458 LoadIconA
0x43445c PostQuitMessage
0x434460 RedrawWindow
0x434464 RegisterClassA
0x434468 SendDlgItemMessageA
0x43446c SendMessageA
0x434470 ShowWindow
0x434474 TranslateMessage

WS_BORDER
WS_CAPTION
WS_CHILD
WS_CHILDWINDOW
WS_CLIPCHILDREN
WS_CLIPSIBLINGS
WS_DISABLED
WS_DLGFRAME
WS_GROUP
WS_HSCROLL
WS_ICONIC
WS_MAXIMIZE
WS_MAXIMIZEBOX
WS_MINIMIZE
WS_MINIMIZEBOX
WS_OVERLAPPED
WS_OVERLAPPEDWINDOW
WS_POPUP
WS_POPUPWINDOW
WS_SIZEBOX
WS_SYSMENU
WS_TABSTOP
WS_THICKFRAME
WS_TILED
WS_TILEDWINDOW
WS_VISIBLE
WS_VSCROLL
IDI_APPLICATION
IDI_ASTERISK
IDI_ERROR
IDI_EXCLAMATION
IDI_HAND
IDI_INFORMATION
IDI_QUESTION
IDI_WARNING
IDI_WINLOGO
IDC_APPSTARTING
IDC_ARROW
IDC_CROSS
IDC_HAND
IDC_HELP
IDC_IBEAM
IDC_ICON
IDC_NO
IDC_SIZE
IDC_SIZEALL
IDC_SIZENESW
IDC_SIZENS
IDC_SIZENWSE
IDC_SIZEWE
IDC_UPARROW
IDC_WAIT
Snippet.txt
WindowClass
Window = CreateWindow( "WindowClass", "%s",
CW_USDEFAULT,
NULL, NULL, Instance, 0);
Notepad Snippet.txt
std::exception
std::bad_exception
eh_globals
__gnu_cxx::__concurrence_lock_error
__gnu_cxx::__concurrence_unlock_error
__terminate_handler_sh
__unexpected_handler_sh
terminate called after throwing an instance of '
what():
_GLOBAL_
(anonymous namespace)
string literal
[abi:
{default arg#
JArray
vtable for
VTT for
construction vtable for
typeinfo for
typeinfo name for
typeinfo fn for
non-virtual thunk to
virtual thunk to
covariant return thunk to
java Class for
guard variable for
TLS init function for
TLS wrapper function for
reference temporary #
for
hidden alias for
transaction clone for
non-transaction clone for
_Sat
_Accum
_Fract
operator
operator
false
java resource
decltype (
{parm#
global constructors keyed to
global destructors keyed to
{lambda(
{unnamed type#
[clone
restrict
volatile
const
complex
imaginary
__vector(
std::allocator
allocator
std::basic_string
basic_string
std::string
std::basic_string<char, std::char_traits<char>, std::allocator<char> >
std::istream
std::basic_istream<char, std::char_traits<char> >
basic_istream
std::ostream
std::basic_ostream<char, std::char_traits<char> >
basic_ostream
std::iostream
std::basic_iostream<char, std::char_traits<char> >
basic_iostream
alignof
const_cast
delete[]
dynamic_cast
delete
operator""
new[]
reinterpret_cast
static_cast
sizeof
throw
throw
signed char
boolean
double
long double
float
__float128
unsigned char
unsigned int
unsigned
unsigned long
__int128
unsigned __int128
short
unsigned short
wchar_t
long long
unsigned long long
decimal32
decimal64
decimal128
char16_t
char32_t
decltype(nullptr)
Unknown error
Argument domain error (DOMAIN)
Argument singularity (SIGN)
Overflow range error (OVERFLOW)
The result is too small to be represented (UNDERFLOW)
Total loss of significance (TLOSS)
Partial loss of significance (PLOSS)
Address %p has no image-section
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
use_fc_key
fc_key
sjlj_once
fc_static
idListCnt_shmem
idList_shmem
once_global_shmem
once_obj_shmem
idListMax_shmem
idListNextId_shmem
mtx_pthr_locked_shmem
pthr_root_shmem
pthr_last_shmem
_pthread_tls_shmem
_pthread_tls_once_shmem
_pthread_key_dest_shmem
_pthread_cancelling_shmem
_pthread_concur_shmem
_pthread_key_lock_shmem
_pthread_key_max_shmem
_pthread_key_sch_shmem
dummy_concurrency_level_shmem
mutex_global_shmem
c:/crossdev/src/winpthreads-svn6233/src/mutex.c
(m_->valid == LIFE_MUTEX) && (m_->busy > 0)
mutex_global_static_shmem
mxattr_recursive_shmem
mxattr_errorcheck_shmem
spin_locked_shmem
rwl_global_shmem
c:/crossdev/src/winpthreads-svn6233/src/rwlock.c
(((rwlock_t *)*rwl)->valid == LIFE_RWLOCK) && (((rwlock_t *)*rwl)->busy > 0)
cond_locked_shmem_rwlock
cond_locked_shmem_cond
N10__cxxabiv115__forced_unwindE
N10__cxxabiv117__class_type_infoE
N10__cxxabiv119__foreign_exceptionE
N10__cxxabiv120__si_class_type_infoE
N9__gnu_cxx24__concurrence_lock_errorE
N9__gnu_cxx26__concurrence_unlock_errorE
St13bad_exception
St9exception
St9type_info
GCC: (GNU) 4.8.1
GCC: (tdm64-2) 4.8.1
SetFileSecurityW
ChooseColorA
CreateSolidBrush
AddAtomA
CloseHandle
CreateEventA
CreateMutexA
CreateSemaphoreA
DeleteCriticalSection
DuplicateHandle
EnterCriticalSection
FindAtomA
GetAtomNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetHandleInformation
GetLastError
GetProcessAffinityMask
GetStartupInfoA
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetTickCount
InitializeCriticalSection
InterlockedCompareExchange
InterlockedDecrement
InterlockedExchange
InterlockedExchangeAdd
InterlockedIncrement
LeaveCriticalSection
QueryPerformanceCounter
ReleaseMutex
ReleaseSemaphore
ResetEvent
ResumeThread
SetEvent
SetLastError
SetProcessAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WinExec
__dllonexit
__getmainargs
__initenv
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_beginthreadex
_cexit
_endthreadex
_fmode
_ftime
_initterm
_lock
_onexit
_setjmp3
_unlock
_write
abort
calloc
fclose
fopen
fprintf
fputc
fputs
fwrite
longjmp
malloc
memcmp
memcpy
memmove
memset
printf
realloc
signal
sprintf
strcmp
strlen
strncmp
vfprintf
CreateWindowExA
DefWindowProcA
DialogBoxParamA
DispatchMessageA
EnableWindow
EndDialog
GetDlgItem
GetDlgItemInt
GetDlgItemTextA
GetMessageA
IsDlgButtonChecked
LoadCursorA
LoadIconA
PostQuitMessage
RedrawWindow
RegisterClassA
SendDlgItemMessageA
SendMessageA
ShowWindow
TranslateMessage
ADVAPI32.dll
COMDLG32.DLL
GDI32.dll
KERNEL32.dll
msvcrt.dll
USER32.dll
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/crtexe.c
size_t
unsigned int
uintptr_t
wchar_t
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
_EXCEPTION_RECORD
ExceptionCode
ExceptionFlags
ExceptionAddress
NumberParameters
ExceptionInformation
_CONTEXT
ContextFlags
FloatSave
SegGs
SegFs
SegEs
SegDs
SegCs
EFlags
SegSs
ExtendedRegisters
WINBOOL
DWORD
float
LPBYTE
signed char
short int
long long unsigned int
LONG_PTR
ULONG_PTR
PVOID
LPSTR
PLONG
HANDLE
ULONGLONG
EXCEPTION_ROUTINE
PEXCEPTION_ROUTINE
_FLOATING_SAVE_AREA
ControlWord
StatusWord
TagWord
ErrorOffset
ErrorSelector
DataOffset
DataSelector
RegisterArea
Cr0NpxState
FLOATING_SAVE_AREA
CONTEXT
PCONTEXT
EXCEPTION_RECORD
PEXCEPTION_RECORD
_EXCEPTION_POINTERS
ContextRecord
_EXCEPTION_REGISTRATION_RECORD
Handler
handler
FiberData
Version
_NT_TIB
ExceptionList
StackBase
StackLimit
SubSystemTib
ArbitraryUserPointer
NT_TIB
PNT_TIB
_IMAGE_DOS_HEADER
e_magic
e_cblp
e_crlc
e_cparhdr
e_minalloc
e_maxalloc
e_csum
e_lfarlc
e_ovno
e_res
e_oemid
e_oeminfo
e_res2
e_lfanew
IMAGE_DOS_HEADER
PIMAGE_DOS_HEADER
_IMAGE_FILE_HEADER
Machine
NumberOfSections
TimeDateStamp
PointerToSymbolTable
NumberOfSymbols
SizeOfOptionalHeader
Characteristics
IMAGE_FILE_HEADER
_IMAGE_DATA_DIRECTORY
VirtualAddress
IMAGE_DATA_DIRECTORY
_IMAGE_OPTIONAL_HEADER
Magic
BaseOfData
IMAGE_OPTIONAL_HEADER32
PIMAGE_OPTIONAL_HEADER32
_IMAGE_OPTIONAL_HEADER64
Magic
PIMAGE_OPTIONAL_HEADER64
_IMAGE_NT_HEADERS
Signature
FileHeader
OptionalHeader
PIMAGE_NT_HEADERS32
PIMAGE_NT_HEADERS
PIMAGE_TLS_CALLBACK
HINSTANCE__
unused
HINSTANCE
PTOP_LEVEL_EXCEPTION_FILTER
LPTOP_LEVEL_EXCEPTION_FILTER
_STARTUPINFOA
lpReserved
lpDesktop
lpTitle
dwXSize
dwYSize
dwXCountChars
dwYCountChars
dwFillAttribute
dwFlags
wShowWindow
cbReserved2
lpReserved2
hStdInput
hStdOutput
hStdError
STARTUPINFOA
STARTUPINFO
double
long double
_invalid_parameter_handler
tagCOINITBASE
COINITBASE_MULTITHREADED
VARENUM
VT_EMPTY
VT_NULL
VT_I2
VT_I4
VT_R4
VT_R8
VT_CY
VT_DATE
VT_BSTR
VT_DISPATCH
VT_ERROR
VT_BOOL
VT_VARIANT
VT_UNKNOWN
VT_DECIMAL
VT_I1
VT_UI1
VT_UI2
VT_UI4
VT_I8
VT_UI8
VT_INT
VT_UINT
VT_VOID
VT_HRESULT
VT_PTR
VT_SAFEARRAY
VT_CARRAY
VT_USERDEFINED
VT_LPSTR
VT_LPWSTR
VT_RECORD
VT_INT_PTR
VT_UINT_PTR
VT_FILETIME
VT_BLOB
VT_STREAM
VT_STORAGE
VT_STREAMED_OBJECT
VT_STORED_OBJECT
VT_BLOB_OBJECT
VT_CF
VT_CLSID
VT_VERSIONED_STREAM
VT_BSTR_BLOB
VT_VECTOR
VT_ARRAY
VT_BYREF
VT_RESERVED
VT_ILLEGAL
VT_ILLEGALMASKED
VT_TYPEMASK
_PVFV
_PIFV
newmode
_startupinfo
__uninitialized
__initializing
__initialized
_exception
retval
_TCHAR
__readfsdword
Offset
_TEB
NtCurrentTeb
duplicate_ppstrings
__mingw_invalidParameterHandler
expression
function
file
line
pReserved
check_managed_app
pDOSHeader
pPEHeader
pNTHeader32
pNTHeader64
pre_c_init
pre_cpp_init
__tmainCRTStartup
lpszCommandLine
StartupInfo
inDoubleQuote
lock_free
fiberid
nested
WinMainCRTStartup
mainCRTStartup
argc
argv
envp
argret
mainret
managedapp
has_cctor
startinfo
__globallocalestatus
_imp___fmode
_dowildcard
_newmode
_imp____initenv
_imp___acmdln
__native_startup_state
__native_startup_lock
_image_base__
_imp___commode
_fmode
__xi_a
__xi_z
__xc_a
__xc_z
__dyn_tls_init_callback
__onexitbegin
__onexitend
mingw_app_type
__mingw_winmain_hInstance
__mingw_winmain_lpCmdLine
__mingw_winmain_nShowCmd
__mingw_oldexcpt_handler
mingw_pcinit
mingw_pcppinit
_MINGW_INSTALL_DEBUG_MATHERR
mingw_initltsdrot_force
mingw_initltsdyn_force
mingw_initltssuo_force
mingw_initcharmax
__set_app_type
_encode_pointer
_setargv
__mingw_setusermatherr
__getmainargs
strlen
malloc
memcpy
_pei386_runtime_relocator
_set_invalid_parameter_handler
_fpreset
__main
main
_cexit
_amsg_exit
_initterm
exit
__security_init_cookie
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/tlssup.c
unsigned int
uintptr_t
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
ULONG
WINBOOL
DWORD
float
LPVOID
signed char
short int
long long unsigned int
ULONG_PTR
PVOID
HANDLE
PIMAGE_TLS_CALLBACK
_IMAGE_TLS_DIRECTORY32
StartAddressOfRawData
EndAddressOfRawData
AddressOfIndex
AddressOfCallBacks
SizeOfZeroFill
Characteristics
IMAGE_TLS_DIRECTORY32
IMAGE_TLS_DIRECTORY
_PVFV
__dyn_tls_init
pfunc
__dyn_tls_dtor
__dyn_tls_init@12
__tlregdtor
__xd_a
__xd_z
_tls_index
_tls_start
_tls_end
__xl_a
__xl_z
_tls_used
_CRT_MT
__dyn_tls_init_callback
__xl_c
__xl_d
mingw_initltsdrot_force
mingw_initltsdyn_force
mingw_initltssuo_force
__mingw_TLScallback
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/charmax.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
double
long double
_PIFV
my_lconv_init
mingw_initcharmax
_charmax
__mingw_pinit
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/mingw_helpers.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
double
long double
_decode_pointer
codedptr
_encode_pointer
mingw_app_type
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/xtxtmode.c
_fmode
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/atonexit.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
_onexit_t
double
long double
_PVFV
mingw_onexit
onexitbegin
onexitend
retval
atexit
__onexitbegin
__onexitend
_imp___onexit
_decode_pointer
_lock
__dllonexit
_encode_pointer
_unlock
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/_newmode.c
_newmode
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/wildcard.c
_dowildcard
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/natstart.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
double
long double
__uninitialized
__initializing
__initialized
__native_startup_state
__native_startup_lock
__native_dllmain_reason
__native_vcclrit_reason
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/crt_handler.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
_EXCEPTION_RECORD
ExceptionCode
ExceptionFlags
ExceptionAddress
NumberParameters
ExceptionInformation
_CONTEXT
ContextFlags
FloatSave
SegGs
SegFs
SegEs
SegDs
SegCs
EFlags
SegSs
ExtendedRegisters
DWORD
float
signed char
short int
long long unsigned int
ULONG_PTR
PVOID
_FLOATING_SAVE_AREA
ControlWord
StatusWord
TagWord
ErrorOffset
ErrorSelector
DataOffset
DataSelector
RegisterArea
Cr0NpxState
FLOATING_SAVE_AREA
CONTEXT
PCONTEXT
EXCEPTION_RECORD
PEXCEPTION_RECORD
_EXCEPTION_POINTERS
ContextRecord
EXCEPTION_POINTERS
PTOP_LEVEL_EXCEPTION_FILTER
LPTOP_LEVEL_EXCEPTION_FILTER
double
long double
__p_sig_fn_t
_gnu_exception_handler
_gnu_exception_handler@4
exception_data
old_handler
action
reset_fpu
__mingw_oldexcpt_handler
signal
_fpreset
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/cinitexe.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
_PVFV
__xi_a
__xi_z
__xc_a
__xc_z
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/dllargv.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
double
long double
_setargv
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/merr.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
double
long double
_iobuf
_base
_flag
_file
_charbuf
_bufsiz
_tmpfname
_exception
retval
fUserMathErr
__mingw_raise_matherr
__mingw_setusermatherr
_matherr
pexcept
stUserMathErr
_imp___iob
__setusermatherr
fprintf
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/pseudo-reloc.c
__gnuc_va_list
__builtin_va_list
va_list
size_t
unsigned int
ptrdiff_t
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
DWORD
float
PBYTE
LPBYTE
LPVOID
signed char
short int
long long unsigned int
ULONG_PTR
SIZE_T
PVOID
_MEMORY_BASIC_INFORMATION
BaseAddress
AllocationBase
AllocationProtect
RegionSize
State
Protect
MEMORY_BASIC_INFORMATION
PhysicalAddress
VirtualSize
_IMAGE_SECTION_HEADER
VirtualAddress
SizeOfRawData
PointerToRawData
PointerToRelocations
PointerToLinenumbers
NumberOfRelocations
NumberOfLinenumbers
Characteristics
PIMAGE_SECTION_HEADER
double
long double
_iobuf
_base
_flag
_file
_charbuf
_bufsiz
_tmpfname
addend
target
runtime_pseudo_reloc_item_v1
target
flags
runtime_pseudo_reloc_item_v2
magic1
magic2
version
runtime_pseudo_reloc_v2
old_protect
sec_start
__write_memory
oldprot
call_unprotect
do_pseudo_reloc
start
addr_imp
reldata
reloc_target
v2_hdr
newval
__report_error
mark_section_writable
addr
restore_modified_sections
oldprot
_pei386_runtime_relocator
was_init
mSecs
the_secs
maxSections
_imp___iob
__RUNTIME_PSEUDO_RELOC_LIST__
__RUNTIME_PSEUDO_RELOC_LIST_END__
_image_base__
__builtin_fwrite
fwrite
vfprintf
abort
__mingw_GetSectionForAddress
_GetPEImageBase
memcpy
__mingw_GetSectionCount
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/CRT_fp10.c
_fpreset
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/gccmain.c
unsigned int
ptrdiff_t
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
double
long double
func_ptr
__do_global_dtors
__do_global_ctors
nptrs
__main
initialized
__CTOR_LIST__
__DTOR_LIST__
atexit
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/crt0_c.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
DWORD
float
signed char
short int
long long unsigned int
LPSTR
HINSTANCE__
unused
HINSTANCE
double
long double
flags
cmdline
__mingw_winmain_hInstance
__mingw_winmain_lpCmdLine
__mingw_winmain_nShowCmd
WinMain
WinMain@16
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/gs_support.c
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
double
float
long double
_EXCEPTION_RECORD
ExceptionCode
ExceptionFlags
ExceptionAddress
NumberParameters
ExceptionInformation
_CONTEXT
ContextFlags
FloatSave
SegGs
SegFs
SegEs
SegDs
SegCs
EFlags
SegSs
ExtendedRegisters
DWORD
signed char
short int
long long unsigned int
UINT_PTR
ULONG_PTR
PVOID
LONGLONG
LowPart
LowPart
_LARGE_INTEGER
QuadPart
LARGE_INTEGER
_FLOATING_SAVE_AREA
ControlWord
StatusWord
TagWord
ErrorOffset
ErrorSelector
DataOffset
DataSelector
RegisterArea
Cr0NpxState
FLOATING_SAVE_AREA
CONTEXT
PCONTEXT
EXCEPTION_RECORD
PEXCEPTION_RECORD
_EXCEPTION_POINTERS
ContextRecord
EXCEPTION_POINTERS
_FILETIME
dwLowDateTime
dwHighDateTime
FILETIME
NTSTATUS
ft_scalar
ft_struct
__security_init_cookie
cookie
systime
perfctr
__report_gsfailure
StackCookie
cookie
GS_ExceptionRecord
GS_ContextRecord
GS_ExceptionPointers
__security_cookie
__security_cookie_complement
abort
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/tlsmcrt.c
_CRT_MT
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/tlsthrd.c
size_t
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
WINBOOL
DWORD
float
LPVOID
signed char
short int
long long unsigned int
ULONG_PTR
HANDLE
_LIST_ENTRY
Flink
Blink
LIST_ENTRY
_RTL_CRITICAL_SECTION_DEBUG
CreatorBackTraceIndex
CriticalSection
ProcessLocksList
EntryCount
ContentionCount
Flags
CreatorBackTraceIndexHigh
SpareWORD
_RTL_CRITICAL_SECTION
DebugInfo
LockCount
RecursionCount
OwningThread
LockSemaphore
SpinCount
PRTL_CRITICAL_SECTION_DEBUG
RTL_CRITICAL_SECTION
CRITICAL_SECTION
double
long double
__mingwthr_key_t
__mingwthr_key
__mingwthr_run_key_dtors
value
___w64_mingwthr_add_key_dtor
new_key
___w64_mingwthr_remove_key_dtor
prev_key
cur_key
__mingw_TLScallback
hDllHandle
reason
reserved
__mingwthr_cs
__mingwthr_cs_init
key_dtor_list
calloc
free
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/pseudo-reloc-list.c
__RUNTIME_PSEUDO_RELOC_LIST_END__
__RUNTIME_PSEUDO_RELOC_LIST__
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt/pesect.c
size_t
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
WINBOOL
DWORD
float
PBYTE
LPVOID
signed char
short int
long long unsigned int
LONG_PTR
ULONG_PTR
DWORD_PTR
_IMAGE_DOS_HEADER
e_magic
e_cblp
e_crlc
e_cparhdr
e_minalloc
e_maxalloc
e_csum
e_lfarlc
e_ovno
e_res
e_oemid
e_oeminfo
e_res2
e_lfanew
IMAGE_DOS_HEADER
PIMAGE_DOS_HEADER
_IMAGE_FILE_HEADER
Machine
NumberOfSections
PointerToSymbolTable
NumberOfSymbols
SizeOfOptionalHeader
IMAGE_FILE_HEADER
_IMAGE_DATA_DIRECTORY
IMAGE_DATA_DIRECTORY
_IMAGE_OPTIONAL_HEADER
Magic
MajorLinkerVersion
MinorLinkerVersion
SizeOfCode
SizeOfInitializedData
SizeOfUninitializedData
AddressOfEntryPoint
BaseOfCode
BaseOfData
ImageBase
SectionAlignment
FileAlignment
MajorOperatingSystemVersion
MinorOperatingSystemVersion
MajorImageVersion
MinorImageVersion
MajorSubsystemVersion
MinorSubsystemVersion
Win32VersionValue
SizeOfImage
SizeOfHeaders
CheckSum
Subsystem
DllCharacteristics
SizeOfStackReserve
SizeOfStackCommit
SizeOfHeapReserve
SizeOfHeapCommit
LoaderFlags
NumberOfRvaAndSizes
DataDirectory
IMAGE_OPTIONAL_HEADER32
PIMAGE_OPTIONAL_HEADER32
PIMAGE_OPTIONAL_HEADER
_IMAGE_NT_HEADERS
Signature
FileHeader
OptionalHeader
IMAGE_NT_HEADERS32
PIMAGE_NT_HEADERS32
IMAGE_NT_HEADERS
PIMAGE_NT_HEADERS
PhysicalAddress
VirtualSize
_IMAGE_SECTION_HEADER
SizeOfRawData
PointerToRawData
PointerToRelocations
PointerToLinenumbers
NumberOfRelocations
NumberOfLinenumbers
PIMAGE_SECTION_HEADER
OriginalFirstThunk
_IMAGE_IMPORT_DESCRIPTOR
ForwarderChain
FirstThunk
IMAGE_IMPORT_DESCRIPTOR
PIMAGE_IMPORT_DESCRIPTOR
double
long double
_ValidateImageBase
pDOSHeader
pOptHeader
_FindPESection
_FindPESectionByName
pName
__mingw_GetSectionForAddress
__mingw_GetSectionCount
_FindPESectionExec
_GetPEImageBase
_IsNonwritableInCurrentImage
pTarget
&rvaTarget
__mingw_enum_import_library_names
&importDesc
&importsStartRVA
)_image_base__
*strlen
,strncmp
../../../../../../src/gcc-4.8.1/libgcc/config/i386/cygwin.S
c:\crossdev\gccmaster\build-tdm64\gcc\x86_64-w64-mingw32\32\libgcc
GNU AS 2.23.2
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector -fexceptions
../../../../../../src/gcc-4.8.1/libgcc/unwind-sjlj.c
c:\crossdev\gccmaster\build-tdm64\gcc\x86_64-w64-mingw32\32\libgcc
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
double
float
long double
short int
ix86_tune_indices
X86_TUNE_USE_LEAVE
X86_TUNE_PUSH_MEMORY
X86_TUNE_ZERO_EXTEND_WITH_AND
X86_TUNE_UNROLL_STRLEN
X86_TUNE_BRANCH_PREDICTION_HINTS
X86_TUNE_DOUBLE_WITH_ADD
X86_TUNE_USE_SAHF
X86_TUNE_MOVX
X86_TUNE_PARTIAL_REG_STALL
X86_TUNE_PARTIAL_FLAG_REG_STALL
X86_TUNE_LCP_STALL
X86_TUNE_USE_HIMODE_FIOP
X86_TUNE_USE_SIMODE_FIOP
X86_TUNE_USE_MOV0
X86_TUNE_USE_CLTD
X86_TUNE_USE_XCHGB
X86_TUNE_SPLIT_LONG_MOVES
X86_TUNE_READ_MODIFY_WRITE
X86_TUNE_READ_MODIFY
X86_TUNE_PROMOTE_QIMODE
X86_TUNE_FAST_PREFIX
X86_TUNE_SINGLE_STRINGOP
X86_TUNE_QIMODE_MATH
X86_TUNE_HIMODE_MATH
X86_TUNE_PROMOTE_QI_REGS
X86_TUNE_PROMOTE_HI_REGS
X86_TUNE_SINGLE_POP
X86_TUNE_DOUBLE_POP
X86_TUNE_SINGLE_PUSH
X86_TUNE_DOUBLE_PUSH
X86_TUNE_INTEGER_DFMODE_MOVES
X86_TUNE_PARTIAL_REG_DEPENDENCY
X86_TUNE_SSE_PARTIAL_REG_DEPENDENCY
X86_TUNE_SSE_UNALIGNED_LOAD_OPTIMAL
X86_TUNE_SSE_UNALIGNED_STORE_OPTIMAL
X86_TUNE_SSE_PACKED_SINGLE_INSN_OPTIMAL
X86_TUNE_SSE_SPLIT_REGS
X86_TUNE_SSE_TYPELESS_STORES
X86_TUNE_SSE_LOAD0_BY_PXOR
X86_TUNE_MEMORY_MISMATCH_STALL
X86_TUNE_PROLOGUE_USING_MOVE
X86_TUNE_EPILOGUE_USING_MOVE
X86_TUNE_SHIFT1
X86_TUNE_USE_FFREEP
X86_TUNE_INTER_UNIT_MOVES
X86_TUNE_INTER_UNIT_CONVERSIONS
X86_TUNE_FOUR_JUMP_LIMIT
X86_TUNE_SCHEDULE
X86_TUNE_USE_BT
X86_TUNE_USE_INCDEC
X86_TUNE_PAD_RETURNS
X86_TUNE_PAD_SHORT_FUNCTION
X86_TUNE_EXT_80387_CONSTANTS
X86_TUNE_AVOID_VECTOR_DECODE
X86_TUNE_PROMOTE_HIMODE_IMUL
X86_TUNE_SLOW_IMUL_IMM32_MEM
X86_TUNE_SLOW_IMUL_IMM8
X86_TUNE_MOVE_M1_VIA_OR
X86_TUNE_NOT_UNPAIRABLE
X86_TUNE_NOT_VECTORMODE
X86_TUNE_USE_VECTOR_FP_CONVERTS
X86_TUNE_USE_VECTOR_CONVERTS
X86_TUNE_FUSE_CMP_AND_BRANCH
X86_TUNE_OPT_AGU
X86_TUNE_VECTORIZE_DOUBLE
X86_TUNE_SOFTWARE_PREFETCHING_BENEFICIAL
X86_TUNE_AVX128_OPTIMAL
X86_TUNE_REASSOC_INT_TO_PARALLEL
X86_TUNE_REASSOC_FP_TO_PARALLEL
X86_TUNE_GENERAL_REGS_SSE_SPILL
X86_TUNE_AVOID_MEM_OPND_FOR_CMOVE
X86_TUNE_LAST
ix86_arch_indices
X86_ARCH_CMOV
X86_ARCH_CMPXCHG
X86_ARCH_CMPXCHG8B
X86_ARCH_XADD
X86_ARCH_BSWAP
X86_ARCH_LAST
_Unwind_Word
_Unwind_Ptr
_Unwind_Exception_Class
long long unsigned int
_URC_NO_REASON
_URC_FOREIGN_EXCEPTION_CAUGHT
_URC_FATAL_PHASE2_ERROR
_URC_FATAL_PHASE1_ERROR
_URC_NORMAL_STOP
_URC_END_OF_STACK
_URC_HANDLER_FOUND
_URC_INSTALL_CONTEXT
_URC_CONTINUE_UNWIND
_Unwind_Reason_Code
_Unwind_Exception_Cleanup_Fn
_Unwind_Exception
exception_class
exception_cleanup
private_1
private_2
_Unwind_Action
_Unwind_Stop_Fn
_Unwind_Context
_Unwind_Trace_Fn
_Unwind_Personality_Fn
pthread_once_t
pthread_key_t
__gthread_key_t
__gthread_once_t
SjLj_Function_Context
call_site
_Unwind_FrameState
uw_update_context
__gthread_active_p
uw_frame_state_for
uw_identify_context
__shmem_grabber_use_fc_key
__shmem_grabber_fc_key
__gthread_key_create
__key
__dtor
__shmem_grabber_sjlj_once
__gthread_once
__once
__func
fc_key_init_once
__gthread_setspecific
__key
__ptr
__shmem_grabber_fc_static
_Unwind_SjLj_SetContext
uw_install_context
current
target
__gthread_getspecific
__key
_Unwind_SjLj_Unregister
uw_advance_context
uw_init_context
__shmem_init_use_fc_key
"temp
__shmem_init_sjlj_once
#temp
$fc_key_init
*_Unwind_RaiseException_Phase2
/match_handler
*_Unwind_ForcedUnwind_Phase2
/stop
/stop_code
/action
_Unwind_SjLj_Register
<_Unwind_GetGR
!index
<_Unwind_GetCFA
_Unwind_SetGR
!index
<_Unwind_GetIP
<_Unwind_GetIPInfo
!ip_before_insn
_Unwind_SetIP
<_Unwind_GetLanguageSpecificData
<_Unwind_GetRegionStart
<_Unwind_FindEnclosingFunction
>_Unwind_GetDataRelBase
>_Unwind_GetTextRelBase
@_Unwind_SjLj_GetContext
<_Unwind_SjLj_RaiseException
<_Unwind_SjLj_ForcedUnwind
!stop
_Unwind_SjLj_Resume
<_Unwind_SjLj_Resume_or_Rethrow
E_Unwind_DeleteException
>_Unwind_Backtrace
Ftrace
Ftrace_argument
J__shmem_ptr_fc_static
J__shmem_ptr_fc_key
J__shmem_ptr_use_fc_key
J__shmem_ptr_sjlj_once
Kpthread_key_create
L__shmem_grab
Mabort
Kpthread_once
Kpthread_setspecific
Npthread_getspecific
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector -fno-exceptions
../../../../../../src/gcc-4.8.1/libgcc/../libgcc/config/i386/shmem-win32.c
c:\crossdev\gccmaster\build-tdm64\gcc\x86_64-w64-mingw32\32\libgcc
size_t
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
DWORD
float
signed char
short int
long long unsigned int
HANDLE
__w32sp_trap
get_ptr_from_atom
name_buf
name_buf_len
ptr_offset
ptr_len
__shmem_grab
initfunc
prefix_len
name_len
ptr_len
full_atom_name
hmutex
shared_mem
shmem_version_prefix
malloc
free
!memset
strlen
"memcpy
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -O2 -O2 -fbuilding-libgcc -fno-stack-protector
../../../../../../src/gcc-4.8.1/libgcc/libgcc2.c
c:\crossdev\gccmaster\build-tdm64\gcc\x86_64-w64-mingw32\32\libgcc
unsigned int
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
double
float
long double
short int
ix86_tune_indices
X86_TUNE_USE_LEAVE
X86_TUNE_PUSH_MEMORY
X86_TUNE_ZERO_EXTEND_WITH_AND
X86_TUNE_UNROLL_STRLEN
X86_TUNE_BRANCH_PREDICTION_HINTS
X86_TUNE_DOUBLE_WITH_ADD
X86_TUNE_USE_SAHF
X86_TUNE_MOVX
X86_TUNE_PARTIAL_REG_STALL
X86_TUNE_PARTIAL_FLAG_REG_STALL
X86_TUNE_LCP_STALL
X86_TUNE_USE_HIMODE_FIOP
X86_TUNE_USE_SIMODE_FIOP
X86_TUNE_USE_MOV0
X86_TUNE_USE_CLTD
X86_TUNE_USE_XCHGB
X86_TUNE_SPLIT_LONG_MOVES
X86_TUNE_READ_MODIFY_WRITE
X86_TUNE_READ_MODIFY
X86_TUNE_PROMOTE_QIMODE
X86_TUNE_FAST_PREFIX
X86_TUNE_SINGLE_STRINGOP
X86_TUNE_QIMODE_MATH
X86_TUNE_HIMODE_MATH
X86_TUNE_PROMOTE_QI_REGS
X86_TUNE_PROMOTE_HI_REGS
X86_TUNE_SINGLE_POP
X86_TUNE_DOUBLE_POP
X86_TUNE_SINGLE_PUSH
X86_TUNE_DOUBLE_PUSH
X86_TUNE_INTEGER_DFMODE_MOVES
X86_TUNE_PARTIAL_REG_DEPENDENCY
X86_TUNE_SSE_PARTIAL_REG_DEPENDENCY
X86_TUNE_SSE_UNALIGNED_LOAD_OPTIMAL
X86_TUNE_SSE_UNALIGNED_STORE_OPTIMAL
X86_TUNE_SSE_PACKED_SINGLE_INSN_OPTIMAL
X86_TUNE_SSE_SPLIT_REGS
X86_TUNE_SSE_TYPELESS_STORES
X86_TUNE_SSE_LOAD0_BY_PXOR
X86_TUNE_MEMORY_MISMATCH_STALL
X86_TUNE_PROLOGUE_USING_MOVE
X86_TUNE_EPILOGUE_USING_MOVE
X86_TUNE_SHIFT1
X86_TUNE_USE_FFREEP
X86_TUNE_INTER_UNIT_MOVES
X86_TUNE_INTER_UNIT_CONVERSIONS
X86_TUNE_FOUR_JUMP_LIMIT
X86_TUNE_SCHEDULE
X86_TUNE_USE_BT
X86_TUNE_USE_INCDEC
X86_TUNE_PAD_RETURNS
X86_TUNE_PAD_SHORT_FUNCTION
X86_TUNE_EXT_80387_CONSTANTS
X86_TUNE_AVOID_VECTOR_DECODE
X86_TUNE_PROMOTE_HIMODE_IMUL
X86_TUNE_SLOW_IMUL_IMM32_MEM
X86_TUNE_SLOW_IMUL_IMM8
X86_TUNE_MOVE_M1_VIA_OR
X86_TUNE_NOT_UNPAIRABLE
X86_TUNE_NOT_VECTORMODE
X86_TUNE_USE_VECTOR_FP_CONVERTS
X86_TUNE_USE_VECTOR_CONVERTS
X86_TUNE_FUSE_CMP_AND_BRANCH
X86_TUNE_OPT_AGU
X86_TUNE_VECTORIZE_DOUBLE
X86_TUNE_SOFTWARE_PREFETCHING_BENEFICIAL
X86_TUNE_AVX128_OPTIMAL
X86_TUNE_REASSOC_INT_TO_PARALLEL
X86_TUNE_REASSOC_FP_TO_PARALLEL
X86_TUNE_GENERAL_REGS_SSE_SPILL
X86_TUNE_AVOID_MEM_OPND_FOR_CMOVE
X86_TUNE_LAST
ix86_arch_indices
X86_ARCH_CMOV
X86_ARCH_CMPXCHG
X86_ARCH_CMPXCHG8B
X86_ARCH_XADD
X86_ARCH_BSWAP
X86_ARCH_LAST
signed char
long long unsigned int
complex float
complex double
complex long double
__float128
__unknown__
func_ptr
__CTOR_LIST__
__DTOR_LIST__
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc/mingw_matherr.c
_MINGW_INSTALL_DEBUG_MATHERR
GNU C 4.8.1 -m32 -mtune=generic -march=x86-64 -g -O2 -std=gnu99
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc/invalid_parameter_handler.c
unsigned int
uintptr_t
wchar_t
short unsigned int
long int
long long int
sizetype
long unsigned int
unsigned char
float
signed char
short int
long long unsigned int
LONG_PTR
PVOID
PLONG
double
long double
tagCOINITBASE
COINITBASE_MULTITHREADED
VARENUM
VT_EMPTY
VT_NULL
VT_I2
VT_I4
VT_R4
VT_R8
VT_CY
VT_DATE
VT_BSTR
VT_DISPATCH
VT_ERROR
VT_BOOL
VT_VARIANT
VT_UNKNOWN
VT_DECIMAL
VT_I1
VT_UI1
VT_UI2
VT_UI4
VT_I8
VT_UI8
VT_INT
VT_UINT
VT_VOID
VT_HRESULT
VT_PTR
VT_SAFEARRAY
VT_CARRAY
VT_USERDEFINED
VT_LPSTR
VT_LPWSTR
VT_RECORD
VT_INT_PTR
VT_UINT_PTR
VT_FILETIME
VT_BLOB
VT_STREAM
VT_STORAGE
VT_STREAMED_OBJECT
VT_STORED_OBJECT
VT_BLOB_OBJECT
VT_CF
VT_CLSID
VT_VERSIONED_STREAM
VT_BSTR_BLOB
VT_VECTOR
VT_ARRAY
VT_BYREF
VT_RESERVED
VT_ILLEGAL
VT_ILLEGALMASKED
VT_TYPEMASK
mingw_get_invalid_parameter_handler
mingw_set_invalid_parameter_handler
new_handler
handler
_imp___set_invalid_parameter_handler
_imp___get_invalid_parameter_handler
mingw_getsp.S
h:\crossdev\gccmaster\build-tdm64\runtime\mingw-w64-crt
GNU AS 2.23.2
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include/psdk_inc
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
crtexe.c
intrin-impl.h
_mingw.h
winnt.h
minwindef.h
basetsd.h
errhandlingapi.h
processthreadsapi.h
stdlib.h
combaseapi.h
wtypes.h
internal.h
math.h
tchar.h
ctype.h
string.h
process.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
tlssup.c
_mingw.h
minwindef.h
basetsd.h
winnt.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
charmax.c
combaseapi.h
wtypes.h
internal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
mingw_helpers.c
combaseapi.h
wtypes.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
xtxtmode.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
atonexit.c
combaseapi.h
wtypes.h
stdlib.h
internal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
_newmode.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
wildcard.c
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
combaseapi.h
wtypes.h
natstart.c
internal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
crt_handler.c
winnt.h
minwindef.h
basetsd.h
errhandlingapi.h
combaseapi.h
wtypes.h
signal.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
cinitexe.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
dllargv.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/include
merr.c
combaseapi.h
wtypes.h
internal.h
math.h
stdio.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
pseudo-reloc.c
vadefs.h
_mingw.h
minwindef.h
basetsd.h
winnt.h
combaseapi.h
wtypes.h
stdio.h
<built-in>
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
CRT_fp10.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
gccmain.c
combaseapi.h
wtypes.h
_mingw.h
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
crt0_c.c
minwindef.h
winnt.h
winbase.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
gs_support.c
winnt.h
minwindef.h
basetsd.h
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
tlsmcrt.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
tlsthrd.c
_mingw.h
minwindef.h
basetsd.h
winnt.h
minwinbase.h
stdlib.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
pseudo-reloc-list.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/crt
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
pesect.c
_mingw.h
minwindef.h
basetsd.h
winnt.h
string.h
../../../../../../src/gcc-4.8.1/libgcc/config/i386
cygwin.S
../../../../../../src/gcc-4.8.1/libgcc
../../../../../../src/gcc-4.8.1/libgcc/../gcc/config/i386
c:/mingw64tdm/x86_64-w64-mingw32/include
unwind-sjlj.c
./gthr-default.h
unwind.inc
i386.h
./unwind.h
pthread.h
shmem.h
stdlib.h
O-=eK\
../../../../../../src/gcc-4.8.1/libgcc/../libgcc/config/i386
c:/mingw64tdm/x86_64-w64-mingw32/include
shmem-win32.c
_mingw.h
minwindef.h
winnt.h
malloc.h
string.h
../../../../../../src/gcc-4.8.1/libgcc/../gcc/config/i386
../../../../../../src/gcc-4.8.1/libgcc
i386.h
libgcc2.c
gbl-ctors.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc
mingw_matherr.c
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc
h:/crossdev/gccmaster/host-toolchain-tdm64/x86_64-w64-mingw32/include
invalid_parameter_handler.c
_mingw.h
basetsd.h
winnt.h
combaseapi.h
wtypes.h
h:/crossdev/src/mingw-w64-v3-svn/mingw-w64-crt/misc
mingw_getsp.S
mingw_getsp.S
Subsystem
CheckSum
SizeOfImage
BaseOfCode
SectionAlignment
MinorSubsystemVersion
DataDirectory
SizeOfStackCommit
ImageBase
SizeOfCode
MajorLinkerVersion
SizeOfHeapReserve
SizeOfInitializedData
SizeOfStackReserve
SizeOfHeapCommit
MinorLinkerVersion
__enative_startup_state
SizeOfUninitializedData
AddressOfEntryPoint
MajorSubsystemVersion
SizeOfHeaders
MajorOperatingSystemVersion
FileAlignment
NumberOfRvaAndSizes
ExceptionRecord
DllCharacteristics
MinorImageVersion
MinorOperatingSystemVersion
LoaderFlags
Win32VersionValue
MajorImageVersion
hDllHandle
lpreserved
dwReason
__enative_startup_state
ExceptionRecord
sSecInfo
ExceptionRecord
HighPart
pSection
TimeDateStamp
pNTHeader
Characteristics
pImageBase
VirtualAddress
iSection
stop_argument
cur_context
personality
this_context
context
.file
crtexe.c
_envp
_argv
_argc
_argret
.text
.data
.file
crtbegin.c
.text
.data
.file
source.cpp
.text
.data
.rdata
.file
eh_personality.cc
.text
.data
.rdata
.file
eh_exception.cc
.text
.data
.rdata
.file
class_type_info.cc
.text
.data
.file
.text
.data
.file
eh_call.cc
.text
.data
.file
eh_terminate.cc
.text
.data
.file
eh_catch.cc
.text
.data
.file
eh_globals.cc
.text
.data
.rdata
.file
eh_throw.cc
.text
.data
.file
eh_alloc.cc
.text
.data
.rdata
.ctors
.file
del_op.cc
__ZdlPv
.text
.data
.file
pure.cc
.text
.data
.rdata
.file
tinfo.cc
.text
.data
.file
eh_term_handler.cc
.text
.data
.rdata
.file
eh_unex_handler.cc
.text
.data
.rdata
.file
vterminate.cc
.text
.data
.rdata
.file
eh_type.cc
.text
.data
.file
cp-demangle.c
_d_name
_d_type
.text
.data
.rdata
.file
tlssup.c
___xd_a
___xd_z
.text
.data
.CRT$XLD$
.CRT$XLC
.rdata
.CRT$XDZ4
.CRT$XDA0
.CRT$XLZ,
.file
charmax.c
.text
.data
.file
mingw_helpers.c
.text
.data
.file
xtxtmode.c
.text
.data
.file
atonexit.c
_atexit
.text
.data
.file
_newmode.c
.text
.data
.file
wildcard.c
.text
.data
.file
natstart.c
.text
.data
.file
crt_handler.c
.text
.data
.file
cinitexe.c
.text
.data
.CRT$XCA
.file
dllargv.c
.text
.data
.file
merr.c
.text
.data
.rdata
.file
pseudo-reloc.c
.text
.data
.rdata
.file
CRT_fp10.c
.text
.data
.file
gccmain.c
___main
.text
.data
.file
crt0_c.c
_main
.text
.data
.file
gs_support.c
.text
.data
.rdata
.file
tlsmcrt.c
.text
.data
.file
tlsthrd.c
.text
.data
.file
.text
.data
.file
pesect.c
.text
.data
.file
.text
.data
.file
unwind-sjlj.c
.text
.data
.rdata
.file
shmem-win32.c
.text
.data
.file
libgcc2.c
.text
.data
.file
mingw_matherr.c
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.file
.text
.data
.text
.data
.text
.data
.text
.data
.idata$4
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$5
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.file
hname
fthunk
.text
.data
.idata$2P
.file
.text
.data
.file
thread.c
.text
.data
.rdata
.CRT$XLF(
.file
mutex.c
.text
.data
.rdata
.file
shmem.c
.text
.data
.file
spinlock.c
.text
.data
.rdata
.file
rwlock.c
.text
.data
.rdata
.file
misc.c
.text
.data
.file
cond.c
.text
.data
.rdata
.file
hname
fthunk
.text
.data
.idata$2(
.file
.text
.data
.file
hname
fthunk
.text
.data
.file
.text
.data
.file
hname
fthunk
.text
.data
.idata$2
.file
.text
.data
.file
hname
fthunk
.text
.data
.idata$2d
.file
.text
.data
.text
.data
.idata$4
.text
.data
.idata$5
.text
.data
.text
.data
.text
.data
.file
hname
fthunk
.text
.data
.idata$2<
.file
.text
.data
.file
mingw_getsp.S
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.file
crtend.c
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$7
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$7
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.text
.data
.idata$7
.text
.data
.text
.data
.text
.data
.text
.data
.rdata
.rsrc
__cexit
___xi_a
_free
_strcmp
___xl_c
___xl_f
___xl_z
_fputc
_fputs
__ftime
__dll__
_fwrite
___xc_a
_memcpy
_memset
___xl_a
___xl_d
_fopen
_calloc
__fmode
__lock
___xc_z
__end__
_rawData
_signal
_malloc
_fclose
_memcmp
_abort
___xi_z
_write
_strlen
_exit
_printf
_Sleep@4
.debug_aranges
.debug_info
.debug_abbrev
.debug_line
.debug_frame
.debug_str
.debug_loc
.debug_ranges
___mingw_invalidParameterHandler
_pre_c_init
_managedapp
_pre_cpp_init
_startinfo
___tmainCRTStartup
_has_cctor
_WinMainCRTStartup
_mainCRTStartup
.CRT$XCAA
.CRT$XIAA
.debug_info
.debug_abbrev
.debug_loc
.debug_aranges
.debug_ranges
.debug_line
.debug_str
.rdata$zzz
.debug_frame
___readfsdword
__Z5crc32Ph
__Z11RC4_set_keyP10rc4_key_stiPKh
__Z3RC4P10rc4_key_stjPKhPh
__Z10encode_rc4PcmPw
__Z8_wstrlenPw
__Z22GetProcAddressWithHashm
__Z18_Crypt_DecryptDataPhmS_
__Z19xxDFadwetagcvFFbnMIv
__Z10WindowProcP6HWND__jjl@16
__Z14WndTestDlgProcP6HWND__jjl@16
__ZZ14WndTestDlgProcP6HWND__jjlE15BackgroundColor
__ZZ14WndTestDlgProcP6HWND__jjlE12CustomColors
__ZZ14WndTestDlgProcP6HWND__jjlE5Color
_WinMain@16
.gcc_except_table
__ZL12read_sleb128PKhPl
__ZL16get_adjusted_ptrPKSt9type_infoS1_PPv
__ZL28read_encoded_value_with_basehjPKhPj
__ZL15get_ttype_entryP16lsda_header_infom
__ZL20check_exception_specP16lsda_header_infoPKSt9type_infoPvl
__ZL21base_of_encoded_valuehP15_Unwind_Context
__ZL17parse_lsda_headerP15_Unwind_ContextPKhP16lsda_header_info
___gxx_personality_sj0
.rdata$_ZTIN10__cxxabiv115__forced_unwindE
.rdata$_ZTIN10__cxxabiv119__foreign_exceptionE
___cxa_call_unexpected
.rdata$_ZTISt13bad_exception
.rdata$_ZTSN10__cxxabiv115__forced_unwindE
.rdata$_ZTISt9exception
.rdata$_ZTSSt9exception
.rdata$_ZTSSt13bad_exception
.rdata$_ZTSN10__cxxabiv119__foreign_exceptionE
.text$_ZL12read_sleb128PKhPl
.text$_ZL16get_adjusted_ptrPKSt9type_infoS1_PPv
.text$_ZL28read_encoded_value_with_basehjPKhPj
.text$_ZL15get_ttype_entryP16lsda_header_infom
.text$_ZL20check_exception_specP16lsda_header_infoPKSt9type_infoPvl
.text$_ZL21base_of_encoded_valuehP15_Unwind_Context
.text$_ZL17parse_lsda_headerP15_Unwind_ContextPKhP16lsda_header_info
.text$__gxx_personality_sj0
.text$__cxa_call_unexpected
__ZNSt9exceptionD2Ev
.rdata$_ZTVSt9exception
__ZNSt9exceptionD1Ev
__ZNSt13bad_exceptionD2Ev
__ZNSt13bad_exceptionD1Ev
__ZN10__cxxabiv115__forced_unwindD2Ev
.rdata$_ZTVN10__cxxabiv115__forced_unwindE
__ZN10__cxxabiv115__forced_unwindD1Ev
__ZN10__cxxabiv119__foreign_exceptionD2Ev
.rdata$_ZTVN10__cxxabiv119__foreign_exceptionE
__ZN10__cxxabiv119__foreign_exceptionD1Ev
__ZNKSt9exception4whatEv
__ZNKSt13bad_exception4whatEv
__ZNSt9exceptionD0Ev
__ZNSt13bad_exceptionD0Ev
__ZN10__cxxabiv115__forced_unwindD0Ev
__ZN10__cxxabiv119__foreign_exceptionD0Ev
.rdata$_ZTVSt13bad_exception
.text$_ZNSt9exceptionD2Ev
.text$_ZNSt13bad_exceptionD2Ev
.text$_ZN10__cxxabiv115__forced_unwindD2Ev
.text$_ZN10__cxxabiv119__foreign_exceptionD2Ev
.text$_ZNKSt9exception4whatEv
.text$_ZNKSt13bad_exception4whatEv
.text$_ZNSt9exceptionD0Ev
.text$_ZNSt13bad_exceptionD0Ev
.text$_ZN10__cxxabiv115__forced_unwindD0Ev
.text$_ZN10__cxxabiv119__foreign_exceptionD0Ev
__ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PPv
__ZNK10__cxxabiv117__class_type_info20__do_find_public_srcEiPKvPKS0_S2_
__ZN10__cxxabiv117__class_type_infoD2Ev
.rdata$_ZTVN10__cxxabiv117__class_type_infoE
__ZN10__cxxabiv117__class_type_infoD1Ev
__ZN10__cxxabiv117__class_type_infoD0Ev
__ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PKvRNS0_15__upcast_resultE
__ZNK10__cxxabiv117__class_type_info10__do_catchEPKSt9type_infoPPvj
__ZNK10__cxxabiv117__class_type_info12__do_dyncastEiNS0_10__sub_kindEPKS0_PKvS3_S5_RNS0_16__dyncast_resultE
.rdata$_ZTISt9type_info
.rdata$_ZTSSt9type_info
.rdata$_ZTSN10__cxxabiv117__class_type_infoE
.rdata$_ZTIN10__cxxabiv117__class_type_infoE
.text$_ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PPv
.text$_ZNK10__cxxabiv117__class_type_info20__do_find_public_srcEiPKvPKS0_S2_
.text$_ZN10__cxxabiv117__class_type_infoD2Ev
.text$_ZN10__cxxabiv117__class_type_infoD0Ev
.text$_ZNK10__cxxabiv117__class_type_info11__do_upcastEPKS0_PKvRNS0_15__upcast_resultE
.text$_ZNK10__cxxabiv117__class_type_info10__do_catchEPKSt9type_infoPPvj
.text$_ZNK10__cxxabiv117__class_type_info12__do_dyncastEiNS0_10__sub_kindEPKS0_PKvS3_S5_RNS0_16__dyncast_resultE
__ZN10__cxxabiv120__si_class_type_infoD2Ev
.rdata$_ZTVN10__cxxabiv120__si_class_type_infoE
__ZN10__cxxabiv120__si_class_type_infoD1Ev
__ZN10__cxxabiv120__si_class_type_infoD0Ev
__ZNK10__cxxabiv120__si_class_type_info20__do_find_public_srcEiPKvPKNS_17__class_type_infoES2_
__ZNK10__cxxabiv120__si_class_type_info12__do_dyncastEiNS_17__class_type_info10__sub_kindEPKS1_PKvS4_S6_RNS1_16__dyncast_resultE
__ZNK10__cxxabiv120__si_class_type_info11__do_upcastEPKNS_17__class_type_infoEPKvRNS1_15__upcast_resultE
.rdata$_ZTSN10__cxxabiv120__si_class_type_infoE
.rdata$_ZTIN10__cxxabiv120__si_class_type_infoE
.text$_ZN10__cxxabiv120__si_class_type_infoD2Ev
.text$_ZN10__cxxabiv120__si_class_type_infoD0Ev
.text$_ZNK10__cxxabiv120__si_class_type_info20__do_find_public_srcEiPKvPKNS_17__class_type_infoES2_
.text$_ZNK10__cxxabiv120__si_class_type_info12__do_dyncastEiNS_17__class_type_info10__sub_kindEPKS1_PKvS4_S6_RNS1_16__dyncast_resultE
.text$_ZNK10__cxxabiv120__si_class_type_info11__do_upcastEPKNS_17__class_type_infoEPKvRNS1_15__upcast_resultE
si_class_type_info.cc
___cxa_call_terminate
.text$__cxa_call_terminate
__ZN10__cxxabiv111__terminateEPFvvE
__ZSt9terminatev
__ZN10__cxxabiv112__unexpectedEPFvvE
__ZSt10unexpectedv
__ZSt13set_terminatePFvvE
__ZSt14set_unexpectedPFvvE
.text$_ZN10__cxxabiv111__terminateEPFvvE
.text$_ZSt9terminatev
.text$_ZN10__cxxabiv112__unexpectedEPFvvE
.text$_ZSt10unexpectedv
.text$_ZSt13set_terminatePFvvE
.text$_ZSt14set_unexpectedPFvvE
___cxa_get_exception_ptr
___cxa_begin_catch
___cxa_end_catch
__ZSt18uncaught_exceptionv
.text$__cxa_get_exception_ptr
.text$__cxa_begin_catch
.text$__cxa_end_catch
.text$_ZSt18uncaught_exceptionv
__ZL15eh_globals_dtorPv
___shmem_init_init
__Z26__shmem_grabber_eh_globalsv
__Z20__shmem_grabber_initv
___cxa_get_globals_fast
___cxa_get_globals
.text$_ZL15eh_globals_dtorPv
.text$__shmem_init_init
.text$_Z26__shmem_grabber_eh_globalsv
.text$_Z20__shmem_grabber_initv
.text$__cxa_get_globals_fast
.text$__cxa_get_globals
.data$__shmem_ptr_init
.data$__shmem_ptr_eh_globals
__ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception
___cxa_throw
___cxa_rethrow
.text$_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception
.text$__cxa_throw
.text$__cxa_rethrow
.text$_ZNK9__gnu_cxx24__concurrence_lock_error4whatEv
__ZNK9__gnu_cxx24__concurrence_lock_error4whatEv
.text$_ZNK9__gnu_cxx26__concurrence_unlock_error4whatEv
__ZNK9__gnu_cxx26__concurrence_unlock_error4whatEv
.text$_ZN9__gnu_cxx26__concurrence_unlock_errorD1Ev
__ZN9__gnu_cxx26__concurrence_unlock_errorD1Ev
.rdata$_ZTVN9__gnu_cxx26__concurrence_unlock_errorE
.text$_ZN9__gnu_cxx24__concurrence_lock_errorD1Ev
__ZN9__gnu_cxx24__concurrence_lock_errorD1Ev
.rdata$_ZTVN9__gnu_cxx24__concurrence_lock_errorE
.text$_ZN9__gnu_cxx26__concurrence_unlock_errorD0Ev
__ZN9__gnu_cxx26__concurrence_unlock_errorD0Ev
.text$_ZN9__gnu_cxx24__concurrence_lock_errorD0Ev
__ZN9__gnu_cxx24__concurrence_lock_errorD0Ev
.text$_ZN9__gnu_cxx30__throw_concurrence_lock_errorEv
__ZN9__gnu_cxx30__throw_concurrence_lock_errorEv
.rdata$_ZTIN9__gnu_cxx24__concurrence_lock_errorE
.text$_ZN9__gnu_cxx32__throw_concurrence_unlock_errorEv
__ZN9__gnu_cxx32__throw_concurrence_unlock_errorEv
.rdata$_ZTIN9__gnu_cxx26__concurrence_unlock_errorE
__ZN12_GLOBAL__N_115emergency_mutexE
__ZL14emergency_used
__ZL16emergency_buffer
___cxa_free_exception
___cxa_allocate_dependent_exception
__ZL15dependents_used
__ZL17dependents_buffer
___cxa_free_dependent_exception
__GLOBAL__sub_I___cxa_allocate_exception
.rdata$_ZTSN9__gnu_cxx24__concurrence_lock_errorE
.rdata$_ZTSN9__gnu_cxx26__concurrence_unlock_errorE
___cxa_allocate_exception
.text$__cxa_allocate_exception
.text$__cxa_free_exception
.text$__cxa_allocate_dependent_exception
.text$__cxa_free_dependent_exception
.text.startup._GLOBAL__sub_I___cxa_allocate_exception
.data$_ZN12_GLOBAL__N_115emergency_mutexE
.data$_ZL15dependents_used
.data$_ZL17dependents_buffer
.data$_ZL14emergency_used
.data$_ZL16emergency_buffer
.text$_ZdlPv
___cxa_pure_virtual
___cxa_deleted_virtual
.text$__cxa_pure_virtual
.text$__cxa_deleted_virtual
__ZNSt9type_infoD2Ev
.rdata$_ZTVSt9type_info
__ZNSt9type_infoD1Ev
__ZNKSt9type_info14__is_pointer_pEv
__ZNKSt9type_info15__is_function_pEv
__ZNKSt9type_info11__do_upcastEPKN10__cxxabiv117__class_type_infoEPPv
__ZNSt9type_infoD0Ev
__ZNKSt9type_infoeqERKS_
__ZNKSt9type_info10__do_catchEPKS_PPvj
.text$_ZNSt9type_infoD2Ev
.text$_ZNKSt9type_info14__is_pointer_pEv
.text$_ZNKSt9type_info15__is_function_pEv
.text$_ZNKSt9type_info11__do_upcastEPKN10__cxxabiv117__class_type_infoEPPv
.text$_ZNSt9type_infoD0Ev
.text$_ZNKSt9type_infoeqERKS_
.text$_ZNKSt9type_info10__do_catchEPKS_PPvj
___shmem_init___terminate_handler_sh
__ZN10__cxxabiv138__shmem_grabber___terminate_handler_shEv
.text$__shmem_init___terminate_handler_sh
.text$_ZN10__cxxabiv138__shmem_grabber___terminate_handler_shEv
.data$_ZN10__cxxabiv134__shmem_ptr___terminate_handler_shE
___shmem_init___unexpected_handler_sh
__ZN10__cxxabiv139__shmem_grabber___unexpected_handler_shEv
.text$__shmem_init___unexpected_handler_sh
.text$_ZN10__cxxabiv139__shmem_grabber___unexpected_handler_shEv
.data$_ZN10__cxxabiv135__shmem_ptr___unexpected_handler_shE
__ZN9__gnu_cxx27__verbose_terminate_handlerEv
__ZZN9__gnu_cxx27__verbose_terminate_handlerEvE11terminating
.text$_ZN9__gnu_cxx27__verbose_terminate_handlerEv
.data$_ZZN9__gnu_cxx27__verbose_terminate_handlerEvE11terminating
___cxa_current_exception_type
.text$__cxa_current_exception_type
_d_make_comp
_d_make_name
_d_cv_qualifiers
_d_ref_qualifier
_d_clone_suffix
_d_substitution
_standard_subs
_d_append_char
_d_number.isra.0
_d_number_component
_d_compact_number
_d_template_param
_d_discriminator
_d_source_name
_d_call_offset
_d_lookup_template_argument.isra.6
_d_find_pack
_d_growable_string_callback_adapter
_d_expr_primary
_d_template_args
_cplus_demangle_builtin_types
_d_parmlist
_d_bare_function_type
_d_encoding
_d_operator_name
_cplus_demangle_operators
_d_unqualified_name
_d_expression
_d_exprlist
_d_append_string
_d_print_comp.part.10
_d_print_comp
_d_print_mod
_d_print_mod_list
_d_print_array_type.isra.9
_d_print_function_type.isra.11
_d_print_cast.isra.12
_d_print_expr_op
_d_print_subexpr
_d_demangle_callback.constprop.16
___cxa_demangle
___gcclibcxx_demangle_callback
___dyn_tls_dtor@12
___dyn_tls_init@12
___tlregdtor
_my_lconv_init
__decode_pointer
__encode_pointer
_mingw_onexit
__gnu_exception_handler@4
__setargv
___mingw_raise_matherr
_stUserMathErr
___mingw_setusermatherr
__matherr
_CSWTCH.5
___report_error
___write_memory.part.0
_maxSections
_the_secs
__pei386_runtime_relocator
_was_init.60223
__fpreset
___do_global_dtors
___do_global_ctors
_initialized
.text.startup
___security_init_cookie
.data$__security_cookie
.data$__security_cookie_complement
___report_gsfailure
_GS_ContextRecord
_GS_ExceptionRecord
_GS_ExceptionPointers
___mingwthr_run_key_dtors.part.0
___mingwthr_cs
_key_dtor_list
____w64_mingwthr_add_key_dtor
___mingwthr_cs_init
This file is not on VirusTotal.

Process Tree


nonmanual.exe, PID: 864, Parent PID: 1512
Full Path: C:\Users\user\AppData\Local\Temp\nonmanual.exe
Command Line: "C:\Users\user\AppData\Local\Temp\nonmanual.exe"
nonmanual.exe, PID: 1912, Parent PID: 864
Full Path: C:\Users\user\AppData\Local\Temp\nonmanual.exe
Command Line: --f4134209
explorer.exe, PID: 1728, Parent PID: 1652
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
services.exe, PID: 464, Parent PID: 376
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
compontitle.exe, PID: 832, Parent PID: 464
Full Path: C:\Windows\SysWOW64\compontitle.exe
Command Line: "C:\Windows\SysWOW64\compontitle.exe"
compontitle.exe, PID: 1892, Parent PID: 832
Full Path: C:\Windows\SysWOW64\compontitle.exe
Command Line: --ce2bae20
svchost.exe, PID: 1628, Parent PID: 464
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\System32\svchost.exe -k WerSvcGroup
WerFault.exe, PID: 1452, Parent PID: 1628
Full Path: C:\Windows\SysWOW64\WerFault.exe
Command Line: C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 880
WerFault.exe, PID: 1916, Parent PID: 1628
Full Path: C:\Windows\SysWOW64\WerFault.exe
Command Line: C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 420

Hosts

Direct  IP               Country Name
Y       78.47.106.72     Germany
Y       165.227.156.155  Germany
Y       144.76.56.36     Germany

TCP

Source Source Port Destination Destination Port
192.168.35.24 49177 144.76.56.36 8080
192.168.35.24 49179 165.227.156.155 443
192.168.35.24 49178 78.47.106.72 8080

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

URI Data
http://165.227.156.155:443/sess/guids/odbc/
POST /sess/guids/odbc/ HTTP/1.1
Referer: http://165.227.156.155/sess/guids/odbc/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 165.227.156.155:443
Content-Length: 433
Connection: Keep-Alive
Cache-Control: no-cache

v7VPF0FzJ059Yp=fquoqyFPuaWRtLa4fgckDBgAZyntzEbdhqTSfJgonx330Pi5QuI1vynm%2BLkh6erKnoQcZXh8dY3j7c%2B1g%2FaDn7nKhQlNITHJYB8heYMHBWKPdr6Z%2B7fyzCBCV84VgbQGQ7hqzkSEk9gSdcWPC%2BaY4ZjOX4ZaoVpNd86YDii7N%2BUthc6UDM%2BY8KMhu%2FcnWj5AaD27m%2BflGkc1i36WgMkwQ9GJH6mSJx9rF71PFGpl8otH%2B2wjb8prk9VAsu4zQu5oRhSBNgCSNkVJwZFAn9egYUm4faDCqT5fDeFNX7gSmVv90zzOwSQwVToDKWO0vgI0okROc8xLAoqLRZZDlvd7iLwiyJ4aJoJP%2F68SZDUPkY5cm0d0WLGIMyysBOSYC08R9U6sHQ%3D%3D
http://165.227.156.155:443/splash/
POST /splash/ HTTP/1.1
Referer: http://165.227.156.155/splash/
Content-Type: application/x-www-form-urlencoded
DNT: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 165.227.156.155:443
Content-Length: 433
Connection: Keep-Alive
Cache-Control: no-cache

mrsK5vvyszk5=a00IT2LnTW9lhpvK5BVpRuGWP266KcoCzs5Vgdv%2FOKaCy3ZA4aM7FgXuNoFxnnebjuaL%2FhqJ%2FzOFfvhd3bHSF0VugQN3yRFBviqQe6TywhfQDHjoTevaxIEE1z%2BSe9hOC1tHVMuRE9nlUXUPMOGBTUvq17HCf1ONU07w2HdUi7LdflAZY6OUsWevQMGu%2BQmAQ6mXaM90mecwGi6hEADFgA4bTTUp8Zejlqwc2h4R1YLdZ0XOYOU9RzDdYC%2FQKRACW%2F94WvJt8esY4u%2B75q9kGpIjr4q%2Bpdm%2FY5JAK3CHVW0yGPl8sBaMj9SLvhwiRUkyiJOFnKgP4izwistso%2BNtLMFMBmFMvU2SuK2xMfBssSl5t5k9%2Btve4pDtS6yW0RHqZzznQg%3D%3D

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name compontitle.exe
Associated Filenames
C:\Windows\SysWOW64\compontitle.exe
File Size 371397 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 4a19c0efa79d514e9003f0fb5abfa93d
SHA1 87c3ebe34ff049e02b24305cf7b6df0dda502a3b
SHA256 d3717429ba31832577c8a24fe89a4be77aa9198f351fa5a2911c95b20c4e9e39
CRC32 42BA7649
Ssdeep 6144:uyojDQSFZbS+pzaSKSa0/fUnt0vJgk2TBsGhw2/K6786TEnCAIpi9MxipEl7BuHh:MDQSzDq0mTMbGW
ClamAV None
Yara None matched
CAPE Yara None matched
File name WERDD35.tmp.appcompat.txt
Associated Filenames
C:\Windows\Temp\WERDD35.tmp.appcompat.txt
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Type Emotet Config
RSA public key
-----BEGIN PUBLIC KEY----- MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKl4M80uy0jcxUiFIaJJyxgHVVnFtCq6 bi6f2xXPh/XUZNyN8UXDe5HzhTc4kwon9MBZffNwFOIc61QfV3K3YzEI/ktcyNqK LS67ONxsVep769QdiVQJXrIaFjMXKz6viwIDAQAB -----END PUBLIC KEY-----
address
Type Emotet Payload: 32-bit executable
Size 61440 bytes
Virtual Address 0x00620000
Process nonmanual.exe
PID 864
Path C:\Users\user\AppData\Local\Temp\nonmanual.exe
MD5 3cb110afb8640e7077be0a3083509d61
SHA1 cd0a1e08e8a93321041f30a5c4b6667ab1af9524
SHA256 f12290460963924cb134bebdddf9a2b2852b76b101ee795005f377bbdb4c0314
CRC32 6F73273B
Ssdeep 1536:I2JC6yyC5sySGPukvCh1kscmssU359NstQRk13z5Pn2ESrXw5:FJk5ssPuk6km9K5D3g3z5Pp5
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Emotet Payload
Size 60416 bytes
Virtual Address 0x01DA0000
Process nonmanual.exe
PID 864
Path C:\Users\user\AppData\Local\Temp\nonmanual.exe
MD5 3ec59f422a837273d3a9bb2788c688ee
SHA1 6f20618f5b47320b01bd9de8e9c2b5d3b91abd43
SHA256 185947c25d02e319a7551387c2691327eabc3d00874976f034dac04b59c51285
CRC32 A5C71FC2
Ssdeep 1536:82JC6yyC5sySGPukvCh1kscmssU359NstQRk13z5Pn2ESpX:pJk5ssPuk6km9K5D3g3z5P
Yara None matched
CAPE Yara
  • Emotet
  • Emotet Payload
Type Extracted PE Image: 32-bit DLL
Size 286208 bytes
Virtual Address 0x035C0000
Process compontitle.exe
PID 1892
Path C:\Windows\SysWOW64\compontitle.exe
MD5 bc1b050faaa6668cc5d5e7423b646969
SHA1 daed889387100d79b7b8d964a4e7021af8e80d3a
SHA256 f9d8f072b7bbf8924a2cad897adde0760288df0f2462969f89ee12d7f0d16305
CRC32 D11F9AB1
Ssdeep 6144:M8RzrNnKaczZ2j8EOlX9PLcD0uSDviqbswJzSHmtkTMSim:M895vcsFO7lJDdbrJzSGmQx
Yara
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 20992 bytes
Virtual Address 0x02A10000
Process compontitle.exe
PID 1892
Path C:\Windows\SysWOW64\compontitle.exe
MD5 e79a2587600ffa8da561fc3ed792b6ef
SHA1 ddd502e8dadbbf9597ab393cb756cf372d836913
SHA256 01ff34ec579eaf0fa9aa8d96927a21b85beb531d5f529abe87ef538b0ac9c6fe
CRC32 40FFF8E5
Ssdeep 384:ZrH+hTk2zABmbprdQ1mVv50J79vy7MqWkz2O+LYkHZDy9c+RvrRAY1K:ZENKmoyR0J79y7+g9VVD4
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 5.123 seconds )

  • 2.053 BehaviorAnalysis
  • 1.893 CAPE
  • 0.307 Static
  • 0.283 Dropped
  • 0.281 TargetInfo
  • 0.101 TrID
  • 0.098 NetworkAnalysis
  • 0.07 Deduplicate
  • 0.03 Strings
  • 0.005 AnalysisInfo
  • 0.002 Debug

Signatures ( 1.513 seconds )

  • 0.69 antidbg_windows
  • 0.066 decoy_document
  • 0.065 NewtWire Behavior
  • 0.062 api_spamming
  • 0.049 stealth_timeout
  • 0.044 injection_createremotethread
  • 0.043 Doppelganging
  • 0.042 InjectionCreateRemoteThread
  • 0.038 antivm_vbox_window
  • 0.037 lsass_credential_dumping
  • 0.035 injection_runpe
  • 0.033 InjectionProcessHollowing
  • 0.032 antiav_detectreg
  • 0.03 antisandbox_script_timer
  • 0.028 InjectionInterProcess
  • 0.019 infostealer_ftp
  • 0.018 injection_explorer
  • 0.01 antivm_generic_disk
  • 0.009 mimics_filetime
  • 0.008 virus
  • 0.008 infostealer_im
  • 0.008 ransomware_files
  • 0.007 stealth_file
  • 0.007 reads_self
  • 0.007 antianalysis_detectreg
  • 0.007 infostealer_bitcoin
  • 0.007 infostealer_mail
  • 0.006 bootkit
  • 0.006 antidebug_guardpages
  • 0.006 exploit_heapspray
  • 0.006 antiav_detectfile
  • 0.005 antivm_generic_scsi
  • 0.005 hancitor_behavior
  • 0.004 stack_pivot
  • 0.003 shifu_behavior
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 ransomware_extensions
  • 0.002 malicious_dynamic_function_loading
  • 0.002 recon_programs
  • 0.002 antivm_generic_services
  • 0.002 antiemu_wine_func
  • 0.002 betabot_behavior
  • 0.002 kibex_behavior
  • 0.002 infostealer_browser_password
  • 0.002 dynamic_function_loading
  • 0.002 vawtrak_behavior
  • 0.002 kovter_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 hawkeye_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 rat_luminosity
  • 0.001 exploit_getbasekerneladdress
  • 0.001 exploit_gethaldispatchtable
  • 0.001 ispy_behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 modify_uac_prompt

Reporting ( 0.009 seconds )

  • 0.009 CompressResults
Task ID 115357
Mongo ID 5de5fa9fa04cefe70a3b0ab2
Cuckoo release 1.3-CAPE