CAPE

Detections: AgentTesla


Analysis

Category: FILE
Package: Extraction
Started: 2020-01-14 13:36:00
Completed: 2020-01-14 13:41:01
Duration: 301 seconds
  • Info: The analysis hit the critical timeout, terminating.

Options:
route = internet
procdump = 0

Log:
2020-01-14 13:36:05,171 [root] INFO: Date set to: 01-14-20, time set to: 13:36:05, timeout set to: 200
2020-01-14 13:36:05,265 [root] DEBUG: Starting analyzer from: C:\ueakpxib
2020-01-14 13:36:05,265 [root] DEBUG: Storing results at: C:\nzkuyO
2020-01-14 13:36:05,265 [root] DEBUG: Pipe server name: \\.\PIPE\kGzJMO
2020-01-14 13:36:05,265 [root] INFO: Analysis package "Extraction" has been specified.
2020-01-14 13:36:09,742 [root] DEBUG: Started auxiliary module Browser
2020-01-14 13:36:09,757 [root] DEBUG: Started auxiliary module Curtain
2020-01-14 13:36:09,757 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-01-14 13:36:14,157 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-01-14 13:36:14,157 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-01-14 13:36:14,157 [root] DEBUG: Started auxiliary module DigiSig
2020-01-14 13:36:14,171 [root] DEBUG: Started auxiliary module Disguise
2020-01-14 13:36:14,171 [root] DEBUG: Started auxiliary module Human
2020-01-14 13:36:14,171 [root] DEBUG: Started auxiliary module Screenshots
2020-01-14 13:36:14,171 [root] DEBUG: Started auxiliary module Sysmon
2020-01-14 13:36:14,187 [root] DEBUG: Started auxiliary module Usage
2020-01-14 13:36:14,187 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-01-14 13:36:14,187 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-01-14 13:36:14,234 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE" with arguments "" with pid 2220
2020-01-14 13:36:14,296 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:36:14,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\ueakpxib\dll\XRzEsqPF.dll, loader C:\ueakpxib\bin\JGkxWsN.exe
2020-01-14 13:36:14,405 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:36:14,405 [root] DEBUG: Loader: Injecting process 2220 (thread 1184) with C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:14,421 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:36:14,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:14,437 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:36:14,437 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:14,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2220
2020-01-14 13:36:16,559 [lib.api.process] INFO: Successfully resumed process with pid 2220
2020-01-14 13:36:16,667 [root] INFO: Added new process to list with pid: 2220
2020-01-14 13:36:17,167 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:36:17,167 [root] DEBUG: Process dumps disabled.
2020-01-14 13:36:17,572 [root] INFO: Disabling sleep skipping.
2020-01-14 13:36:17,572 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:36:17,572 [root] INFO: Disabling sleep skipping.
2020-01-14 13:36:17,572 [root] INFO: Disabling sleep skipping.
2020-01-14 13:36:17,572 [root] INFO: Disabling sleep skipping.
2020-01-14 13:36:17,572 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2020-01-14 13:36:17,572 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x240000
2020-01-14 13:36:17,588 [root] DEBUG: Debugger initialised.
2020-01-14 13:36:17,588 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2220 at 0x74790000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:36:17,588 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE".
2020-01-14 13:36:17,588 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-01-14 13:36:17,588 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:17,588 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-01-14 13:36:17,604 [root] DEBUG: AddTrackedRegion: EntryPoint 0x12a4, Entropy 7.106214e+00
2020-01-14 13:36:17,604 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-01-14 13:36:17,604 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:36:17,619 [root] INFO: Monitor successfully loaded in process with pid 2220.
2020-01-14 13:36:18,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:18,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:18,743 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy 7.106214e+00.
2020-01-14 13:36:18,759 [root] DEBUG: ProtectionHandler: Adding region at 0x004C0000 to tracked regions.
2020-01-14 13:36:18,773 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x004C0000) returned 0x00000000.
2020-01-14 13:36:18,930 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:19,148 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x004C0000) -> AllocationBase 0x004C0000 RegionSize 0x24576.
2020-01-14 13:36:19,148 [root] DEBUG: AddTrackedRegion: New region at 0x004C0000 size 0x6000 added to tracked regions.
2020-01-14 13:36:19,148 [root] DEBUG: ProtectionHandler: Address: 0x004C0000 (alloc base 0x004C0000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-01-14 13:36:19,148 [root] DEBUG: ProtectionHandler: New code detected at (0x004C0000), scanning for PE images.
2020-01-14 13:36:19,148 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4c6000.
2020-01-14 13:36:19,148 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4c6000.
2020-01-14 13:36:19,148 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4c6000.
2020-01-14 13:36:19,148 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4c6000.
2020-01-14 13:36:19,164 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x004C0000, TrackedRegion->RegionSize: 0x6000, thread 1184
2020-01-14 13:36:19,164 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd4, Size=0x2, Address=0x004C0000 and Type=0x1.
2020-01-14 13:36:19,196 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1184 type 1 at address 0x004C0000, size 2 with Callback 0x74797510.
2020-01-14 13:36:19,196 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x004C0000
2020-01-14 13:36:19,196 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd4, Size=0x4, Address=0x004C003C and Type=0x1.
2020-01-14 13:36:19,210 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1184 type 1 at address 0x004C003C, size 4 with Callback 0x747971a0.
2020-01-14 13:36:19,210 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x004C003C
2020-01-14 13:36:19,210 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x004C0000.
2020-01-14 13:36:19,257 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-01-14 13:36:20,131 [root] DEBUG: ProtectionHandler: Address 0x004C0000 already in tracked region at 0x004C0000, size 0x6000
2020-01-14 13:36:20,131 [root] DEBUG: ProtectionHandler: Address: 0x004C0000 (alloc base 0x004C0000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-01-14 13:36:20,131 [root] DEBUG: ProtectionHandler: Increased region size at 0x004C0000 to 0xa000.
2020-01-14 13:36:20,147 [root] DEBUG: ProtectionHandler: New code detected at (0x004C0000), scanning for PE images.
2020-01-14 13:36:20,147 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4ca000.
2020-01-14 13:36:20,147 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4ca000.
2020-01-14 13:36:20,147 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4ca000.
2020-01-14 13:36:20,163 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4ca000.
2020-01-14 13:36:20,163 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x004C0000, TrackedRegion->RegionSize: 0xa000, thread 1184
2020-01-14 13:36:20,163 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd4, Size=0x2, Address=0x004C0000 and Type=0x1.
2020-01-14 13:36:20,163 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1184 type 1 at address 0x004C0000, size 2 with Callback 0x74797510.
2020-01-14 13:36:20,163 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x004C0000
2020-01-14 13:36:20,194 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd4, Size=0x4, Address=0x004C003C and Type=0x1.
2020-01-14 13:36:20,240 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1184 type 1 at address 0x004C003C, size 4 with Callback 0x747971a0.
2020-01-14 13:36:20,240 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x004C003C
2020-01-14 13:36:20,256 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x004C0000.
2020-01-14 13:36:21,239 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-01-14 13:36:21,316 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-01-14 13:36:23,516 [root] DEBUG: Allocation: 0x01EB0000 - 0x01EBD000, size: 0xd000, protection: 0x40.
2020-01-14 13:36:23,516 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:23,516 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:23,532 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy 7.116782e+00.
2020-01-14 13:36:23,532 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004C0000.
2020-01-14 13:36:23,532 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x01EB0000, size: 0xd000.
2020-01-14 13:36:23,532 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01EB0000) returned 0x00000000.
2020-01-14 13:36:23,532 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:23,532 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01EB0000) -> AllocationBase 0x01EB0000 RegionSize 0x53248.
2020-01-14 13:36:23,532 [root] DEBUG: AddTrackedRegion: New region at 0x01EB0000 size 0xd000 added to tracked regions.
2020-01-14 13:36:23,532 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x01EB0000, TrackedRegion->RegionSize: 0xd000, thread 1184
2020-01-14 13:36:23,532 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x004C0000 to 0x01EB0000.
2020-01-14 13:36:23,532 [root] DEBUG: DumpPEsInRange: Scanning range 0x4c0000 - 0x4ca000.
2020-01-14 13:36:23,548 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x4c0000-0x4ca000.
2020-01-14 13:36:23,548 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x004C0000 - 0x004CA000.
2020-01-14 13:36:23,609 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2220_179589147223361314212020 successfully created, size 0x10000
2020-01-14 13:36:23,673 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x4c0000
2020-01-14 13:36:23,673 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x004C0000 size 0x10000.
2020-01-14 13:36:23,687 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2220_53268433823361314212020 successfully created, size 0xa000
2020-01-14 13:36:23,782 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2220_53268433823361314212020
2020-01-14 13:36:23,782 [root] DEBUG: DumpRegion: Dumped stack region from 0x004C0000, size 0xa000.
2020-01-14 13:36:23,798 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x004C0000.
2020-01-14 13:36:23,798 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x4c0000 - 0x4ca000.
2020-01-14 13:36:23,798 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd4, Size=0x2, Address=0x01EB0000 and Type=0x1.
2020-01-14 13:36:23,798 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1184 type 1 at address 0x01EB0000, size 2 with Callback 0x74797510.
2020-01-14 13:36:23,798 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x01EB0000
2020-01-14 13:36:23,798 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd4, Size=0x4, Address=0x01EB003C and Type=0x1.
2020-01-14 13:36:23,798 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1184 type 1 at address 0x01EB003C, size 4 with Callback 0x747971a0.
2020-01-14 13:36:23,812 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x01EB003C
2020-01-14 13:36:23,812 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x01EB0000 (size 0xd000).
2020-01-14 13:36:30,755 [root] DEBUG: DLL unloaded from 0x77560000.
2020-01-14 13:36:30,770 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046EEE9 (thread 1184)
2020-01-14 13:36:30,770 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x01EB003C.
2020-01-14 13:36:30,770 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xccdd9983 (at 0x01EB003C).
2020-01-14 13:36:30,770 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x01EB0000 and Type=0x0.
2020-01-14 13:36:30,770 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x01EB0000.
2020-01-14 13:36:30,786 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046EEE9 (thread 1184)
2020-01-14 13:36:30,786 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x01EB0000.
2020-01-14 13:36:30,786 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x01EB0000 already exists for thread 1184 (process 2220), skipping.
2020-01-14 13:36:30,786 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1eb0000: 0x41.
2020-01-14 13:36:30,786 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-01-14 13:36:30,786 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x01EB0000 (thread 1184)
2020-01-14 13:36:30,786 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x01EB0000 (allocation base 0x01EB0000).
2020-01-14 13:36:30,802 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x01EB0000, size 0xd000).
2020-01-14 13:36:30,832 [root] DEBUG: DumpPEsInRange: Scanning range 0x1eb0000 - 0x1ebd000.
2020-01-14 13:36:30,832 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1eb0000-0x1ebd000.
2020-01-14 13:36:30,832 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2220_89813456830561714212020 successfully created, size 0xd000
2020-01-14 13:36:30,864 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2220_89813456830561714212020
2020-01-14 13:36:30,864 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x01EB0000 (size 0xd000).
2020-01-14 13:36:30,864 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1eb0000 - 0x1ebd000.
2020-01-14 13:36:30,864 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x01EB0000.
2020-01-14 13:36:30,864 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x01EB003C.
2020-01-14 13:36:30,864 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x01EB0000.
2020-01-14 13:36:30,864 [root] DEBUG: set_caller_info: Adding region at 0x01EB0000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:36:30,864 [root] DEBUG: set_caller_info: Caller at 0x01EB5128 in tracked regions.
2020-01-14 13:36:30,864 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:30,864 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:30,880 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy 7.116782e+00.
2020-01-14 13:36:30,941 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004C0000.
2020-01-14 13:36:30,941 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01EB0000.
2020-01-14 13:36:32,970 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-01-14 13:36:33,407 [root] INFO: Announced 32-bit process name: RFQ_NO__.EXE pid: 2984
2020-01-14 13:36:33,407 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:36:33,407 [lib.api.process] INFO: 32-bit DLL to inject is C:\ueakpxib\dll\XRzEsqPF.dll, loader C:\ueakpxib\bin\JGkxWsN.exe
2020-01-14 13:36:33,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:36:33,437 [root] DEBUG: Loader: Injecting process 2984 (thread 1856) with C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,437 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:36:33,437 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,437 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:36:33,437 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,437 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2984
2020-01-14 13:36:33,453 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-01-14 13:36:33,500 [root] DEBUG: DLL unloaded from 0x00400000.
2020-01-14 13:36:33,516 [root] INFO: Announced 32-bit process name: RFQ_NO__.EXE pid: 2984
2020-01-14 13:36:33,516 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:36:33,516 [lib.api.process] INFO: 32-bit DLL to inject is C:\ueakpxib\dll\XRzEsqPF.dll, loader C:\ueakpxib\bin\JGkxWsN.exe
2020-01-14 13:36:33,516 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:36:33,516 [root] DEBUG: Loader: Injecting process 2984 (thread 1856) with C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,516 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:36:33,516 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,516 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:36:33,516 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,516 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2984
2020-01-14 13:36:33,532 [root] INFO: Announced 32-bit process name: RFQ_NO__.EXE pid: 2984
2020-01-14 13:36:33,532 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:36:33,532 [lib.api.process] INFO: 32-bit DLL to inject is C:\ueakpxib\dll\XRzEsqPF.dll, loader C:\ueakpxib\bin\JGkxWsN.exe
2020-01-14 13:36:33,548 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:36:33,562 [root] DEBUG: Loader: Injecting process 2984 (thread 1856) with C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,562 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:36:33,562 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x0046DB91)
2020-01-14 13:36:33,562 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,562 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:36:33,578 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\XRzEsqPF.dll.
2020-01-14 13:36:33,578 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2984
2020-01-14 13:36:33,578 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2220).
2020-01-14 13:36:33,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:33,578 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:36:33,578 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:33,578 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-01-14 13:36:33,609 [root] DEBUG: Process dumps disabled.
2020-01-14 13:36:33,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x004C0000.
2020-01-14 13:36:33,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01EB0000.
2020-01-14 13:36:33,609 [root] INFO: Notified of termination of process with pid 2220.
2020-01-14 13:36:33,609 [root] INFO: Disabling sleep skipping.
2020-01-14 13:36:33,609 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2220).
2020-01-14 13:36:33,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:33,625 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:36:33,625 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:33,625 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77380000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x773d124a, Wow64PrepareForException: 0x0
2020-01-14 13:36:33,625 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy 7.116782e+00.
2020-01-14 13:36:33,641 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2020-01-14 13:36:33,641 [root] DEBUG: Debugger initialised.
2020-01-14 13:36:33,657 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2984 at 0x74790000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:36:33,657 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE".
2020-01-14 13:36:33,657 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-01-14 13:36:33,657 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:33,687 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-01-14 13:36:33,782 [root] DEBUG: AddTrackedRegion: EntryPoint 0x12a4, Entropy 7.106214e+00
2020-01-14 13:36:33,828 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-01-14 13:36:33,828 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:36:33,844 [root] INFO: Added new process to list with pid: 2984
2020-01-14 13:36:33,844 [root] INFO: Monitor successfully loaded in process with pid 2984.
2020-01-14 13:36:34,000 [root] DEBUG: Allocation: 0x003C0000 - 0x003CD000, size: 0xd000, protection: 0x40.
2020-01-14 13:36:34,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:34,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:34,016 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy 7.106214e+00.
2020-01-14 13:36:34,016 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003C0000, size: 0xd000.
2020-01-14 13:36:34,046 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003C0000) returned 0x00000000.
2020-01-14 13:36:34,046 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:34,094 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003C0000) -> AllocationBase 0x003C0000 RegionSize 0x53248.
2020-01-14 13:36:34,108 [root] DEBUG: AddTrackedRegion: New region at 0x003C0000 size 0xd000 added to tracked regions.
2020-01-14 13:36:34,125 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003C0000, TrackedRegion->RegionSize: 0xd000, thread 1856
2020-01-14 13:36:34,140 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x003C0000 and Type=0x1.
2020-01-14 13:36:34,140 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1856 type 1 at address 0x003C0000, size 2 with Callback 0x74797510.
2020-01-14 13:36:34,187 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003C0000
2020-01-14 13:36:34,203 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x003C003C and Type=0x1.
2020-01-14 13:36:34,217 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1856 type 1 at address 0x003C003C, size 4 with Callback 0x747971a0.
2020-01-14 13:36:34,280 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003C003C
2020-01-14 13:36:34,296 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003C0000 (size 0xd000).
2020-01-14 13:36:37,292 [root] DEBUG: DLL unloaded from 0x77560000.
2020-01-14 13:36:37,306 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046EEE9 (thread 1856)
2020-01-14 13:36:37,354 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003C003C.
2020-01-14 13:36:37,369 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0xccdd9983 (at 0x003C003C).
2020-01-14 13:36:37,509 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x003C0000 and Type=0x0.
2020-01-14 13:36:37,650 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003C0000.
2020-01-14 13:36:37,681 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x0046EEE9 (thread 1856)
2020-01-14 13:36:37,697 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003C0000.
2020-01-14 13:36:37,697 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x003C0000 already exists for thread 1856 (process 2984), skipping.
2020-01-14 13:36:37,713 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3c0000: 0x41.
2020-01-14 13:36:37,759 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-01-14 13:36:37,822 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x003C0000 (thread 1856)
2020-01-14 13:36:37,868 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x003C0000 (allocation base 0x003C0000).
2020-01-14 13:36:37,884 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x003C0000, size 0xd000).
2020-01-14 13:36:37,900 [root] DEBUG: DumpPEsInRange: Scanning range 0x3c0000 - 0x3cd000.
2020-01-14 13:36:37,900 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3cd000.
2020-01-14 13:36:37,961 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_111349344437561714212020 successfully created, size 0xd000
2020-01-14 13:36:38,150 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_111349344437561714212020
2020-01-14 13:36:38,150 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x003C0000 (size 0xd000).
2020-01-14 13:36:38,164 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3cd000.
2020-01-14 13:36:38,164 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x003C0000.
2020-01-14 13:36:38,164 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x003C003C.
2020-01-14 13:36:38,180 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x003C0000.
2020-01-14 13:36:38,305 [root] DEBUG: set_caller_info: Adding region at 0x003C0000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:36:38,305 [root] DEBUG: set_caller_info: Caller at 0x003C5128 in tracked regions.
2020-01-14 13:36:38,351 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:38,446 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:38,461 [root] DEBUG: ProcessImageBase: EP 0x000012A4 image base 0x00400000 size 0x0 entropy 7.106214e+00.
2020-01-14 13:36:38,461 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:40,661 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-01-14 13:36:40,832 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2020-01-14 13:36:40,864 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x1967f, NewAccessProtection: 0x20
2020-01-14 13:36:40,880 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x1a67f.
2020-01-14 13:36:40,911 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2020-01-14 13:36:40,941 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy -nan(ind).
2020-01-14 13:36:40,973 [root] DEBUG: ProcessImageBase: Modified entry point (0x0000FFEF) detected at image base 0x00400000 - dumping.
2020-01-14 13:36:40,973 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:40,973 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:36:40,973 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000FFEF.
2020-01-14 13:36:40,989 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_95087580940361314212020
2020-01-14 13:36:40,989 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21c00.
2020-01-14 13:36:41,003 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2392.
2020-01-14 13:36:41,036 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\system32\mscoree (0x4a000 bytes).
2020-01-14 13:36:41,036 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:41,036 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:41,051 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.318970e+00.
2020-01-14 13:36:41,082 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:41,098 [root] DEBUG: ProtectionHandler: Adding region at 0x01DC2000 to tracked regions.
2020-01-14 13:36:41,098 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01DC2000) returned 0x00000000.
2020-01-14 13:36:41,128 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:41,128 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01DC2000) -> AllocationBase 0x01DC0000 RegionSize 0x266240.
2020-01-14 13:36:41,128 [root] DEBUG: AddTrackedRegion: EntryPoint 0x4227e, Entropy 6.116161e+00
2020-01-14 13:36:41,128 [root] DEBUG: AddTrackedRegion: New region at 0x01DC0000 size 0x41000 added to tracked regions.
2020-01-14 13:36:41,160 [root] DEBUG: ProtectionHandler: Address: 0x01DC2000 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x40400, NewAccessProtection: 0x20
2020-01-14 13:36:41,176 [root] DEBUG: ProtectionHandler: Increased region size at 0x01DC2000 to 0x42400.
2020-01-14 13:36:41,191 [root] DEBUG: ProtectionHandler: New code detected at (0x01DC0000), scanning for PE images.
2020-01-14 13:36:41,191 [root] DEBUG: DumpPEsInRange: Scanning range 0x1dc0000 - 0x1e02400.
2020-01-14 13:36:41,191 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1dc0000
2020-01-14 13:36:41,223 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-01-14 13:36:41,223 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x01DC0000.
2020-01-14 13:36:41,269 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_98633448441361314212020
2020-01-14 13:36:41,301 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x4fc00.
2020-01-14 13:36:41,315 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1dfbe3e
2020-01-14 13:36:41,315 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-01-14 13:36:41,332 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x01DFBE3E.
2020-01-14 13:36:41,348 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_6340385241361314212020
2020-01-14 13:36:41,378 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x4200.
2020-01-14 13:36:41,378 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1dfc03e-0x1e02400.
2020-01-14 13:36:41,394 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x01DC0000.
2020-01-14 13:36:41,394 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1dc0000 - 0x1e02400.
2020-01-14 13:36:41,394 [root] DEBUG: set_caller_info: Adding region at 0x03670000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-01-14 13:36:41,410 [root] DEBUG: set_caller_info: Adding region at 0x01E60000 to caller regions list (advapi32::RegOpenKeyExW).
2020-01-14 13:36:41,457 [root] DEBUG: set_caller_info: Adding region at 0x00550000 to caller regions list (kernel32::FindFirstFileExW).
2020-01-14 13:36:41,457 [root] DEBUG: DLL loaded at 0x74710000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2020-01-14 13:36:41,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:41,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:41,487 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321683e+00.
2020-01-14 13:36:41,503 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:41,519 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:41,535 [root] DEBUG: ProtectionHandler: Adding region at 0x204A1388 to tracked regions.
2020-01-14 13:36:41,549 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x204A1388) returned 0x00000000.
2020-01-14 13:36:41,549 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:41,565 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x204A1388) -> AllocationBase 0x204A0000 RegionSize 0x4096.
2020-01-14 13:36:41,582 [root] DEBUG: AddTrackedRegion: New region at 0x204A0000 size 0x1000 added to tracked regions.
2020-01-14 13:36:41,582 [root] DEBUG: ProtectionHandler: Address: 0x204A1388 (alloc base 0x204A0000), NumberOfBytesToProtect: 0xa, NewAccessProtection: 0x40
2020-01-14 13:36:41,628 [root] DEBUG: ProtectionHandler: Increased region size at 0x204A1388 to 0x1392.
2020-01-14 13:36:41,644 [root] DEBUG: ProtectionHandler: New code detected at (0x204A0000), scanning for PE images.
2020-01-14 13:36:41,660 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a1392.
2020-01-14 13:36:41,674 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a1392.
2020-01-14 13:36:41,674 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a1392.
2020-01-14 13:36:41,690 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a1392.
2020-01-14 13:36:41,690 [root] DEBUG: ProtectionHandler: Address 0x204A13A0 already in tracked region at 0x204A0000, size 0x1392
2020-01-14 13:36:41,706 [root] DEBUG: ProtectionHandler: Address: 0x204A13A0 (alloc base 0x204A0000), NumberOfBytesToProtect: 0xa, NewAccessProtection: 0x40
2020-01-14 13:36:41,721 [root] DEBUG: ProtectionHandler: Increased region size at 0x204A13A0 to 0x13aa.
2020-01-14 13:36:41,721 [root] DEBUG: ProtectionHandler: New code detected at (0x204A0000), scanning for PE images.
2020-01-14 13:36:41,721 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13aa.
2020-01-14 13:36:41,737 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13aa.
2020-01-14 13:36:41,737 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13aa.
2020-01-14 13:36:41,753 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13aa.
2020-01-14 13:36:41,769 [root] DEBUG: ProtectionHandler: Address 0x204A13B8 already in tracked region at 0x204A0000, size 0x13aa
2020-01-14 13:36:41,769 [root] DEBUG: ProtectionHandler: Address: 0x204A13B8 (alloc base 0x204A0000), NumberOfBytesToProtect: 0xa, NewAccessProtection: 0x40
2020-01-14 13:36:41,783 [root] DEBUG: ProtectionHandler: Increased region size at 0x204A13B8 to 0x13c2.
2020-01-14 13:36:41,783 [root] DEBUG: ProtectionHandler: New code detected at (0x204A0000), scanning for PE images.
2020-01-14 13:36:41,783 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13c2.
2020-01-14 13:36:41,783 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13c2.
2020-01-14 13:36:41,799 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13c2.
2020-01-14 13:36:41,799 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13c2.
2020-01-14 13:36:41,815 [root] DEBUG: ProtectionHandler: Address 0x204A13D0 already in tracked region at 0x204A0000, size 0x13c2
2020-01-14 13:36:41,815 [root] DEBUG: ProtectionHandler: Address: 0x204A13D0 (alloc base 0x204A0000), NumberOfBytesToProtect: 0xa, NewAccessProtection: 0x40
2020-01-14 13:36:41,846 [root] DEBUG: ProtectionHandler: Increased region size at 0x204A13D0 to 0x13da.
2020-01-14 13:36:41,846 [root] DEBUG: ProtectionHandler: New code detected at (0x204A0000), scanning for PE images.
2020-01-14 13:36:41,846 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13da.
2020-01-14 13:36:41,861 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13da.
2020-01-14 13:36:41,861 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13da.
2020-01-14 13:36:41,878 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13da.
2020-01-14 13:36:41,878 [root] DEBUG: ProtectionHandler: Address 0x204A13E8 already in tracked region at 0x204A0000, size 0x13da
2020-01-14 13:36:41,894 [root] DEBUG: ProtectionHandler: Address: 0x204A13E8 (alloc base 0x204A0000), NumberOfBytesToProtect: 0xa, NewAccessProtection: 0x40
2020-01-14 13:36:41,894 [root] DEBUG: ProtectionHandler: Increased region size at 0x204A13E8 to 0x13f2.
2020-01-14 13:36:41,894 [root] DEBUG: ProtectionHandler: New code detected at (0x204A0000), scanning for PE images.
2020-01-14 13:36:41,894 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13f2.
2020-01-14 13:36:41,908 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13f2.
2020-01-14 13:36:41,924 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a13f2.
2020-01-14 13:36:41,986 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a13f2.
2020-01-14 13:36:42,017 [root] DEBUG: ProtectionHandler: Address 0x204A1400 already in tracked region at 0x204A0000, size 0x13f2
2020-01-14 13:36:42,017 [root] DEBUG: ProtectionHandler: Address: 0x204A1400 (alloc base 0x204A0000), NumberOfBytesToProtect: 0xa, NewAccessProtection: 0x40
2020-01-14 13:36:42,049 [root] DEBUG: ProtectionHandler: Increased region size at 0x204A1400 to 0x140a.
2020-01-14 13:36:42,065 [root] DEBUG: ProtectionHandler: New code detected at (0x204A0000), scanning for PE images.
2020-01-14 13:36:42,081 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a140a.
2020-01-14 13:36:42,081 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a140a.
2020-01-14 13:36:42,111 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a140a.
2020-01-14 13:36:42,111 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a140a.
2020-01-14 13:36:42,128 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks (0x5ab000 bytes).
2020-01-14 13:36:42,142 [root] DEBUG: DLL loaded at 0x740C0000: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80 (0x9b000 bytes).
2020-01-14 13:36:42,174 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3000.
2020-01-14 13:36:42,174 [root] DEBUG: Allocation: 0x003EA000 - 0x003EB000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:42,206 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:42,206 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:42,236 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:42,299 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:42,299 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:42,299 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:42,345 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003EA000, size: 0x1000.
2020-01-14 13:36:42,377 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003EA000) returned 0x00000000.
2020-01-14 13:36:42,392 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:42,424 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003EA000) -> AllocationBase 0x003E0000 RegionSize 0x4096.
2020-01-14 13:36:42,454 [root] DEBUG: AddTrackedRegion: New region at 0x003E0000 size 0x1000 added to tracked regions.
2020-01-14 13:36:42,470 [root] DEBUG: Allocation: 0x003E2000 - 0x003E3000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:42,486 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:42,517 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:42,579 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:42,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:42,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:42,627 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:42,641 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:42,674 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003E0000, size: 0x1000.
2020-01-14 13:36:42,704 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\system32\profapi (0xb000 bytes).
2020-01-14 13:36:42,704 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2784.
2020-01-14 13:36:42,752 [root] DEBUG: DLL loaded at 0x73160000: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni (0xaf8000 bytes).
2020-01-14 13:36:42,752 [root] DEBUG: Allocation: 0x00502000 - 0x00503000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:42,766 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:42,766 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:42,766 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:42,766 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:42,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:42,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:42,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:42,798 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00502000, size: 0x1000.
2020-01-14 13:36:42,829 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00502000) returned 0x00000000.
2020-01-14 13:36:42,829 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:42,875 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00502000) -> AllocationBase 0x00500000 RegionSize 0x4096.
2020-01-14 13:36:42,875 [root] DEBUG: AddTrackedRegion: New region at 0x00500000 size 0x1000 added to tracked regions.
2020-01-14 13:36:42,875 [root] DEBUG: set_caller_info: Adding region at 0x20890000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:36:42,891 [root] DEBUG: DLL unloaded from 0x76A70000.
2020-01-14 13:36:42,891 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-01-14 13:36:42,938 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-01-14 13:36:42,953 [root] DEBUG: Allocation: 0x00503000 - 0x00504000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:42,970 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:42,986 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:43,000 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:43,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:43,016 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:43,048 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:43,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:43,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:43,157 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:43,220 [root] DEBUG: Allocation: 0x0053B000 - 0x0053C000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:43,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:43,266 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:43,266 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:43,282 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:43,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:43,312 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:43,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:43,344 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:43,375 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x0053B000, size: 0x1000.
2020-01-14 13:36:43,407 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x0053B000) returned 0x00000000.
2020-01-14 13:36:43,407 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:43,421 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x0053B000) -> AllocationBase 0x00530000 RegionSize 0x4096.
2020-01-14 13:36:43,437 [root] DEBUG: AddTrackedRegion: New region at 0x00530000 size 0x1000 added to tracked regions.
2020-01-14 13:36:43,453 [root] DEBUG: Allocation: 0x00537000 - 0x00538000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:43,453 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:43,453 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:43,469 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:43,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:43,516 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:43,546 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:43,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:43,609 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:43,655 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:43,671 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00530000, size: 0x1000.
2020-01-14 13:36:43,671 [root] DEBUG: Allocation: 0x00504000 - 0x00506000, size: 0x2000, protection: 0x40.
2020-01-14 13:36:43,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:43,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:43,750 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:43,812 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:43,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:43,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:43,921 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:43,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:43,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:43,953 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:43,953 [root] DEBUG: Allocation: 0x0050C000 - 0x0050D000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:43,967 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:43,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:43,983 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:44,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:44,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:44,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:44,030 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:44,046 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:44,062 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:44,078 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:44,187 [root] DEBUG: DLL loaded at 0x74060000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit (0x5b000 bytes).
2020-01-14 13:36:44,326 [root] DEBUG: Allocation: 0x205B0000 - 0x205B1000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:44,358 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:44,374 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:44,390 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:44,451 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:44,499 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:44,499 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:44,513 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:44,529 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:44,529 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:44,529 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x205B0000, size: 0x1000.
2020-01-14 13:36:44,592 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x205B0000) returned 0x00000000.
2020-01-14 13:36:44,592 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:44,608 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x205B0000) -> AllocationBase 0x205B0000 RegionSize 0x4096.
2020-01-14 13:36:44,608 [root] DEBUG: AddTrackedRegion: New region at 0x205B0000 size 0x1000 added to tracked regions.
2020-01-14 13:36:44,608 [root] DEBUG: Allocation: 0x205B1000 - 0x205BD000, size: 0xc000, protection: 0x40.
2020-01-14 13:36:44,608 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:44,608 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:44,624 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:44,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:44,670 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:44,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:44,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:44,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:44,747 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:44,763 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:44,763 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x205B0000, size: 0x1000.
2020-01-14 13:36:44,825 [root] DEBUG: set_caller_info: Adding region at 0x205B0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-01-14 13:36:44,825 [root] DEBUG: set_caller_info: Caller at 0x205B0090 in tracked regions.
2020-01-14 13:36:44,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:44,950 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:44,997 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:44,997 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:45,122 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:45,122 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:45,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:45,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:45,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:45,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:45,200 [root] DEBUG: DumpPEsInRange: Scanning range 0x205b0000 - 0x205b1000.
2020-01-14 13:36:45,232 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x205b0000-0x205b1000.
2020-01-14 13:36:45,232 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x205B0000 - 0x205B1000.
2020-01-14 13:36:45,232 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_191184339245561714212020 successfully created, size 0x10000
2020-01-14 13:36:45,232 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x205bd000 (expected in memory scans), passing to next handler.
2020-01-14 13:36:45,247 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x205b0000
2020-01-14 13:36:45,279 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x205B0000 size 0x10000.
2020-01-14 13:36:45,279 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_45187463045561714212020 successfully created, size 0xd000
2020-01-14 13:36:45,325 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_45187463045561714212020
2020-01-14 13:36:45,325 [root] DEBUG: DumpRegion: Dumped stack region from 0x205B0000, size 0xd000.
2020-01-14 13:36:45,371 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x205B0000.
2020-01-14 13:36:45,418 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x205b0000 - 0x205b1000.
2020-01-14 13:36:45,543 [root] DEBUG: Allocation: 0x205BD000 - 0x205BE000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:45,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:45,575 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:45,575 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:45,575 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:45,621 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:45,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:45,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:45,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:45,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:45,716 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:45,716 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x205B0000, size: 0x1000.
2020-01-14 13:36:45,716 [root] DEBUG: Allocation: 0x0050A000 - 0x0050B000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:45,716 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:45,730 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:45,730 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:45,730 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:45,730 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:45,762 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:45,762 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:45,762 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:45,762 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:45,778 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:45,778 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:45,778 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (kernel32::VirtualProtectEx).
2020-01-14 13:36:45,778 [root] DEBUG: set_caller_info: Caller at 0x003EA277 in tracked regions.
2020-01-14 13:36:45,778 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:45,778 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:45,778 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:45,778 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:45,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:45,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:45,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:45,887 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1a50 in capemon caught accessing 0x3e0000 (expected in memory scans), passing to next handler.
2020-01-14 13:36:45,917 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:45,917 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:45,917 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:45,917 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:45,917 [root] DEBUG: ProtectionHandler: Address 0x01E02262 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:45,934 [root] DEBUG: ProtectionHandler: Address: 0x01E02262 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0xb, NewAccessProtection: 0x40
2020-01-14 13:36:45,934 [root] DEBUG: ProtectionHandler: Updated region protection at 0x01E02262 to 0x40.
2020-01-14 13:36:45,934 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.116135e+00.
2020-01-14 13:36:45,950 [root] DEBUG: ProtectionHandler: Address 0x01DC0178 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:45,950 [root] DEBUG: ProtectionHandler: Address: 0x01DC0178 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:45,950 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.116114e+00.
2020-01-14 13:36:45,964 [root] DEBUG: ProtectionHandler: Address 0x01DC01A0 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:45,964 [root] DEBUG: ProtectionHandler: Address: 0x01DC01A0 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:45,964 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.116028e+00.
2020-01-14 13:36:45,964 [root] DEBUG: ProtectionHandler: Address 0x01DC01C8 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:45,996 [root] DEBUG: ProtectionHandler: Address: 0x01DC01C8 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:45,996 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115931e+00.
2020-01-14 13:36:46,028 [root] DEBUG: ProtectionHandler: Address 0x01DC01F0 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,028 [root] DEBUG: ProtectionHandler: Address: 0x01DC01F0 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,028 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115844e+00.
2020-01-14 13:36:46,028 [root] DEBUG: ProtectionHandler: Address 0x01DC2008 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,028 [root] DEBUG: ProtectionHandler: Address: 0x01DC2008 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x48, NewAccessProtection: 0x40
2020-01-14 13:36:46,028 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115744e+00.
2020-01-14 13:36:46,028 [root] DEBUG: ProtectionHandler: Address 0x01DED630 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,042 [root] DEBUG: ProtectionHandler: Address: 0x01DED630 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,042 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115607e+00.
2020-01-14 13:36:46,042 [root] DEBUG: ProtectionHandler: Address 0x01DED650 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,042 [root] DEBUG: ProtectionHandler: Address: 0x01DED650 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,059 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115528e+00.
2020-01-14 13:36:46,059 [root] DEBUG: ProtectionHandler: Address 0x01DED658 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,059 [root] DEBUG: ProtectionHandler: Address: 0x01DED658 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,059 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115528e+00.
2020-01-14 13:36:46,073 [root] DEBUG: ProtectionHandler: Address 0x01DED65C already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,073 [root] DEBUG: ProtectionHandler: Address: 0x01DED65C (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,073 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115487e+00.
2020-01-14 13:36:46,105 [root] DEBUG: ProtectionHandler: Address 0x01DED664 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,105 [root] DEBUG: ProtectionHandler: Address: 0x01DED664 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,105 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115487e+00.
2020-01-14 13:36:46,105 [root] DEBUG: ProtectionHandler: Address 0x01DED668 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,137 [root] DEBUG: ProtectionHandler: Address: 0x01DED668 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,167 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115416e+00.
2020-01-14 13:36:46,167 [root] DEBUG: ProtectionHandler: Address 0x01DED66C already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,198 [root] DEBUG: ProtectionHandler: Address: 0x01DED66C (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,230 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115347e+00.
2020-01-14 13:36:46,292 [root] DEBUG: ProtectionHandler: Address 0x01DED670 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,292 [root] DEBUG: ProtectionHandler: Address: 0x01DED670 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,308 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115347e+00.
2020-01-14 13:36:46,308 [root] DEBUG: ProtectionHandler: Address 0x01DED678 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,308 [root] DEBUG: ProtectionHandler: Address: 0x01DED678 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,308 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115347e+00.
2020-01-14 13:36:46,308 [root] DEBUG: ProtectionHandler: Address 0x01DED67C already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,308 [root] DEBUG: ProtectionHandler: Address: 0x01DED67C (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,323 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115269e+00.
2020-01-14 13:36:46,323 [root] DEBUG: ProtectionHandler: Address 0x01DED680 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,323 [root] DEBUG: ProtectionHandler: Address: 0x01DED680 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,323 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115250e+00.
2020-01-14 13:36:46,339 [root] DEBUG: ProtectionHandler: Address 0x01DED688 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,339 [root] DEBUG: ProtectionHandler: Address: 0x01DED688 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,339 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115250e+00.
2020-01-14 13:36:46,385 [root] DEBUG: ProtectionHandler: Address 0x01DED68C already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,433 [root] DEBUG: ProtectionHandler: Address: 0x01DED68C (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,433 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115191e+00.
2020-01-14 13:36:46,448 [root] DEBUG: ProtectionHandler: Address 0x01DED694 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,480 [root] DEBUG: ProtectionHandler: Address: 0x01DED694 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,496 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115191e+00.
2020-01-14 13:36:46,496 [root] DEBUG: ProtectionHandler: Address 0x01DED698 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,510 [root] DEBUG: ProtectionHandler: Address: 0x01DED698 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,510 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115118e+00.
2020-01-14 13:36:46,526 [root] DEBUG: ProtectionHandler: Address 0x01DED69C already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,526 [root] DEBUG: ProtectionHandler: Address: 0x01DED69C (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,526 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115100e+00.
2020-01-14 13:36:46,526 [root] DEBUG: ProtectionHandler: Address 0x01DED6A4 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,526 [root] DEBUG: ProtectionHandler: Address: 0x01DED6A4 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,542 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115100e+00.
2020-01-14 13:36:46,542 [root] DEBUG: ProtectionHandler: Address 0x01DED6A8 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,558 [root] DEBUG: ProtectionHandler: Address: 0x01DED6A8 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,573 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115021e+00.
2020-01-14 13:36:46,573 [root] DEBUG: ProtectionHandler: Address 0x01DED6AC already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,588 [root] DEBUG: ProtectionHandler: Address: 0x01DED6AC (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-01-14 13:36:46,605 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115002e+00.
2020-01-14 13:36:46,605 [root] DEBUG: ProtectionHandler: Address 0x01DED6B4 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,619 [root] DEBUG: ProtectionHandler: Address: 0x01DED6B4 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,619 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.115002e+00.
2020-01-14 13:36:46,619 [root] DEBUG: ProtectionHandler: Address 0x01DED6B8 already in tracked region at 0x01DC0000, size 0x42400
2020-01-14 13:36:46,619 [root] DEBUG: ProtectionHandler: Address: 0x01DED6B8 (alloc base 0x01DC0000), NumberOfBytesToProtect: 0x4, NewAccessProtection: 0x40
2020-01-14 13:36:46,619 [root] DEBUG: ProcessImageBase: EP 0x0004227E image base 0x01DC0000 size 0x0 entropy 6.114929e+00.
2020-01-14 13:36:46,635 [root] DEBUG: Allocation: 0x00506000 - 0x00507000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:46,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:46,667 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:46,667 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:46,667 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:46,667 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:46,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:46,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:46,683 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:46,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:46,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:46,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:46,697 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:46,838 [root] DEBUG: Allocation: 0x0052A000 - 0x0052B000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:46,901 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:46,901 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:46,901 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:46,901 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:46,901 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:46,901 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:46,917 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:46,931 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:46,963 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:46,963 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:46,963 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:46,979 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x0052A000, size: 0x1000.
2020-01-14 13:36:47,042 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x0052A000) returned 0x00000000.
2020-01-14 13:36:47,042 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:47,042 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x0052A000) -> AllocationBase 0x00520000 RegionSize 0x4096.
2020-01-14 13:36:47,072 [root] DEBUG: AddTrackedRegion: New region at 0x00520000 size 0x1000 added to tracked regions.
2020-01-14 13:36:47,088 [root] DEBUG: Allocation: 0x00522000 - 0x00523000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:47,088 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:47,088 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:47,134 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:47,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:47,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:47,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:47,197 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:47,197 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:47,197 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:47,213 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:47,229 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:47,229 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:47,229 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00520000, size: 0x1000.
2020-01-14 13:36:47,290 [root] DEBUG: Allocation: 0x203F0000 - 0x203F1000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:47,322 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:47,322 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:47,322 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:47,322 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:47,338 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:47,338 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:47,338 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:47,338 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:47,338 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:47,338 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:47,354 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:47,354 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:47,368 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:36:47,368 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x203F0000) returned 0x00000000.
2020-01-14 13:36:47,384 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:47,384 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x203F0000) -> AllocationBase 0x203F0000 RegionSize 0x4096.
2020-01-14 13:36:47,384 [root] DEBUG: AddTrackedRegion: New region at 0x203F0000 size 0x1000 added to tracked regions.
2020-01-14 13:36:47,384 [root] DEBUG: Allocation: 0x203F1000 - 0x203F4000, size: 0x3000, protection: 0x40.
2020-01-14 13:36:47,384 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:47,384 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:47,400 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:47,400 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:47,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:47,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:47,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:47,447 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:47,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:47,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:47,493 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:47,493 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:47,493 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:47,493 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:36:47,493 [root] DEBUG: set_caller_info: Adding region at 0x203F0000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-01-14 13:36:47,493 [root] DEBUG: set_caller_info: Caller at 0x203F306B in tracked regions.
2020-01-14 13:36:47,509 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:47,540 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:47,540 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:47,540 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:47,540 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:47,540 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:47,555 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:47,618 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1a50 in capemon caught accessing 0x3e0000 (expected in memory scans), passing to next handler.
2020-01-14 13:36:47,618 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:47,680 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:47,711 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:47,711 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:47,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:47,727 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:47,743 [root] DEBUG: DumpPEsInRange: Scanning range 0x203f0000 - 0x203f1000.
2020-01-14 13:36:47,743 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x203f0000-0x203f1000.
2020-01-14 13:36:47,743 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x203F0000 - 0x203F1000.
2020-01-14 13:36:47,743 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_60750991247561714212020 successfully created, size 0x10000
2020-01-14 13:36:47,759 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x203f4000 (expected in memory scans), passing to next handler.
2020-01-14 13:36:47,759 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x203f0000
2020-01-14 13:36:47,759 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x203F0000 size 0x10000.
2020-01-14 13:36:47,759 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_14138736847561714212020 successfully created, size 0x4000
2020-01-14 13:36:47,789 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_14138736847561714212020
2020-01-14 13:36:47,789 [root] DEBUG: DumpRegion: Dumped stack region from 0x203F0000, size 0x4000.
2020-01-14 13:36:47,805 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x203F0000.
2020-01-14 13:36:47,805 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x203f0000 - 0x203f1000.
2020-01-14 13:36:47,836 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\bcrypt (0x17000 bytes).
2020-01-14 13:36:47,868 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2980.
2020-01-14 13:36:47,884 [root] DEBUG: DLL unloaded from 0x77560000.
2020-01-14 13:36:47,884 [root] DEBUG: CreateThread: Initialising breakpoints for thread 268.
2020-01-14 13:36:47,930 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:47,930 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:47,946 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:47,946 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:47,977 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:48,009 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:48,009 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:48,009 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:48,009 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:48,023 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:48,023 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:48,023 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:48,023 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:48,023 [root] DEBUG: ProtectionHandler: Adding region at 0x22ADE000 to tracked regions.
2020-01-14 13:36:48,023 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 11.
2020-01-14 13:36:48,023 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x22ADE000) returned 0x00000000.
2020-01-14 13:36:48,039 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:48,039 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x22ADE000) -> AllocationBase 0x229D0000 RegionSize 0x6594560.
2020-01-14 13:36:48,039 [root] DEBUG: AddTrackedRegion: New region at 0x229D0000 size 0x64a000 added to tracked regions.
2020-01-14 13:36:48,039 [root] DEBUG: ProtectionHandler: Address: 0x22ADE000 (alloc base 0x229D0000), NumberOfBytesToProtect: 0x64a000, NewAccessProtection: 0x40
2020-01-14 13:36:48,039 [root] DEBUG: ProtectionHandler: Increased region size at 0x22ADE000 to 0x758000.
2020-01-14 13:36:48,039 [root] DEBUG: ProtectionHandler: New code detected at (0x229D0000), scanning for PE images.
2020-01-14 13:36:48,039 [root] DEBUG: DumpPEsInRange: Scanning range 0x229d0000 - 0x23128000.
2020-01-14 13:36:48,055 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x229d0000
2020-01-14 13:36:48,071 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:48,071 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x229D0000.
2020-01-14 13:36:48,071 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:48,257 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_21677536948361314212020
2020-01-14 13:36:48,257 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x755c00.
2020-01-14 13:36:48,305 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 256, VirtualSize and SizeOfRawData are zero.
2020-01-14 13:36:48,335 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 718, RVA 0x2a082a14 and size 0x1001.
2020-01-14 13:36:48,351 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1166, RVA 0x7e260058 and size 0x100.
2020-01-14 13:36:48,351 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 29956, RVA 0x6f040028 and size 0xa000365.
2020-01-14 13:36:48,351 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 16, RVA 0xa581b06 and size 0x736f0206.
2020-01-14 13:36:48,368 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 5, RVA 0x2a8e7b02 and size 0x20a0400.
2020-01-14 13:36:48,368 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 13 of 28422, RVA 0xc5517205 and size 0x1336de0a.
2020-01-14 13:36:48,398 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x229d0200-0x23128000.
2020-01-14 13:36:48,398 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x229D0000.
2020-01-14 13:36:48,414 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x229d0000 - 0x23128000.
2020-01-14 13:36:48,414 [root] DEBUG: ProtectionHandler: Address 0x23128000 already in tracked region at 0x229D0000, size 0x758000
2020-01-14 13:36:48,446 [root] DEBUG: ProtectionHandler: Address: 0x23128000 (alloc base 0x229D0000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x40
2020-01-14 13:36:48,446 [root] DEBUG: ProtectionHandler: Increased region size at 0x23128000 to 0x759000.
2020-01-14 13:36:48,446 [root] DEBUG: ProtectionHandler: New code detected at (0x229D0000), scanning for PE images.
2020-01-14 13:36:48,446 [root] DEBUG: DumpPEsInRange: Scanning range 0x229d0000 - 0x23129000.
2020-01-14 13:36:48,460 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x229d0000
2020-01-14 13:36:48,460 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:48,460 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x229D0000.
2020-01-14 13:36:48,460 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:48,601 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_101870318048361314212020
2020-01-14 13:36:48,617 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x755c00.
2020-01-14 13:36:48,617 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 256, VirtualSize and SizeOfRawData are zero.
2020-01-14 13:36:48,648 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 718, RVA 0x2a082a14 and size 0x1001.
2020-01-14 13:36:48,648 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1166, RVA 0x7e260058 and size 0x100.
2020-01-14 13:36:48,648 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 29956, RVA 0x6f040028 and size 0xa000365.
2020-01-14 13:36:48,648 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 16, RVA 0xa581b06 and size 0x736f0206.
2020-01-14 13:36:48,664 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 5, RVA 0x2a8e7b02 and size 0x20a0400.
2020-01-14 13:36:48,664 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 13 of 28422, RVA 0xc5517205 and size 0x1336de0a.
2020-01-14 13:36:48,694 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x229d0200-0x23129000.
2020-01-14 13:36:48,694 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x229D0000.
2020-01-14 13:36:48,694 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x229d0000 - 0x23129000.
2020-01-14 13:36:48,694 [root] DEBUG: ProtectionHandler: Address 0x23129000 already in tracked region at 0x229D0000, size 0x759000
2020-01-14 13:36:48,710 [root] DEBUG: ProtectionHandler: Address: 0x23129000 (alloc base 0x229D0000), NumberOfBytesToProtect: 0x43000, NewAccessProtection: 0x40
2020-01-14 13:36:48,710 [root] DEBUG: ProtectionHandler: Increased region size at 0x23129000 to 0x79c000.
2020-01-14 13:36:48,710 [root] DEBUG: ProtectionHandler: New code detected at (0x229D0000), scanning for PE images.
2020-01-14 13:36:48,710 [root] DEBUG: DumpPEsInRange: Scanning range 0x229d0000 - 0x2316c000.
2020-01-14 13:36:48,726 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x229d0000
2020-01-14 13:36:48,742 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:48,742 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x229D0000.
2020-01-14 13:36:48,742 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:48,881 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_142902373448361314212020
2020-01-14 13:36:48,881 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x755c00.
2020-01-14 13:36:48,914 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 256, VirtualSize and SizeOfRawData are zero.
2020-01-14 13:36:48,928 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 718, RVA 0x2a082a14 and size 0x1001.
2020-01-14 13:36:48,928 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1166, RVA 0x7e260058 and size 0x100.
2020-01-14 13:36:48,928 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 29956, RVA 0x6f040028 and size 0xa000365.
2020-01-14 13:36:48,944 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 16, RVA 0xa581b06 and size 0x736f0206.
2020-01-14 13:36:48,944 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 5, RVA 0x2a8e7b02 and size 0x20a0400.
2020-01-14 13:36:48,992 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 13 of 28422, RVA 0xc5517205 and size 0x1336de0a.
2020-01-14 13:36:49,053 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x229d0200-0x2316c000.
2020-01-14 13:36:49,069 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x229D0000.
2020-01-14 13:36:49,069 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x229d0000 - 0x2316c000.
2020-01-14 13:36:49,069 [root] DEBUG: ProtectionHandler: Address 0x22ADE000 already in tracked region at 0x229D0000, size 0x79c000
2020-01-14 13:36:49,069 [root] DEBUG: ProtectionHandler: Address: 0x22ADE000 (alloc base 0x229D0000), NumberOfBytesToProtect: 0x64a000, NewAccessProtection: 0x20
2020-01-14 13:36:49,085 [root] DEBUG: ProtectionHandler: Updated region protection at 0x22ADE000 to 0x20.
2020-01-14 13:36:49,085 [root] DEBUG: ProtectionHandler: New code detected at (0x229D0000), scanning for PE images.
2020-01-14 13:36:49,115 [root] DEBUG: DumpPEsInRange: Scanning range 0x229d0000 - 0x2316c000.
2020-01-14 13:36:49,131 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x229d0000
2020-01-14 13:36:49,131 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:49,148 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x229D0000.
2020-01-14 13:36:49,178 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:49,413 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_191419112649361314212020
2020-01-14 13:36:49,413 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x755c00.
2020-01-14 13:36:49,427 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 256, VirtualSize and SizeOfRawData are zero.
2020-01-14 13:36:49,569 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 718, RVA 0x2a082a14 and size 0x1001.
2020-01-14 13:36:49,569 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1166, RVA 0x7e260058 and size 0x100.
2020-01-14 13:36:49,569 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 29956, RVA 0x6f040028 and size 0xa000365.
2020-01-14 13:36:49,569 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 16, RVA 0xa581b06 and size 0x736f0206.
2020-01-14 13:36:49,569 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 5, RVA 0x2a8e7b02 and size 0x20a0400.
2020-01-14 13:36:49,569 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 13 of 28422, RVA 0xc5517205 and size 0x1336de0a.
2020-01-14 13:36:49,677 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x229d0200-0x2316c000.
2020-01-14 13:36:49,677 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x229D0000.
2020-01-14 13:36:49,677 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x229d0000 - 0x2316c000.
2020-01-14 13:36:49,724 [root] DEBUG: DLL loaded at 0x229D0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni (0x79c000 bytes).
2020-01-14 13:36:49,724 [root] DEBUG: DLL loaded at 0x73ED0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni (0x188000 bytes).
2020-01-14 13:36:49,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:49,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:49,740 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:49,756 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:49,756 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:49,756 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:49,772 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:49,786 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:49,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:49,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:49,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:49,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:49,818 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:49,818 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:49,818 [root] DEBUG: ProtectionHandler: Adding region at 0x2331F000 to tracked regions.
2020-01-14 13:36:49,849 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 12.
2020-01-14 13:36:49,865 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x2331F000) returned 0x00000000.
2020-01-14 13:36:49,895 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:49,895 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x2331F000) -> AllocationBase 0x23170000 RegionSize 0x10268672.
2020-01-14 13:36:49,895 [root] DEBUG: AddTrackedRegion: New region at 0x23170000 size 0x9cb000 added to tracked regions.
2020-01-14 13:36:49,895 [root] DEBUG: ProtectionHandler: Address: 0x2331F000 (alloc base 0x23170000), NumberOfBytesToProtect: 0x9cb000, NewAccessProtection: 0x40
2020-01-14 13:36:49,943 [root] DEBUG: ProtectionHandler: Increased region size at 0x2331F000 to 0xb7a000.
2020-01-14 13:36:49,943 [root] DEBUG: ProtectionHandler: New code detected at (0x23170000), scanning for PE images.
2020-01-14 13:36:49,943 [root] DEBUG: DumpPEsInRange: Scanning range 0x23170000 - 0x23cea000.
2020-01-14 13:36:49,959 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23170000
2020-01-14 13:36:49,990 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:50,006 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23170000.
2020-01-14 13:36:50,006 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:50,302 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_167989933350361314212020
2020-01-14 13:36:50,318 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb78a00.
2020-01-14 13:36:50,348 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2816, RVA 0xce000400 and size 0x22d.
2020-01-14 13:36:50,380 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23735fcf
2020-01-14 13:36:50,395 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x23735FCF
2020-01-14 13:36:50,395 [root] DEBUG: getSectionHeaders: Exception copying section header at 0x23F103A0.
2020-01-14 13:36:50,395 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:50,395 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23735FCF.
2020-01-14 13:36:50,427 [root] DEBUG: getSectionHeaders: Exception copying section header at 0x23F103A0.
2020-01-14 13:36:50,457 [root] DEBUG: DumpProcess: Error - entry point too big: 0x91dd0d17, ignoring.
2020-01-14 13:36:50,457 [root] DEBUG: reBasePEImage: Error, invalid image base 0x23735FCF.
2020-01-14 13:36:50,473 [root] DEBUG: readPeSectionsFromProcess: Failed to relocate image back to header image base 0x6F03020C.
2020-01-14 13:36:50,489 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 44328, RVA 0xa000097 and size 0x7306147a.
2020-01-14 13:36:50,489 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1043, RVA 0x3060047 and size 0x5280511.
2020-01-14 13:36:50,519 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:50,519 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:50,566 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x237361cf-0x23cea000.
2020-01-14 13:36:50,582 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x23170000.
2020-01-14 13:36:50,582 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x23170000 - 0x23cea000.
2020-01-14 13:36:50,598 [root] DEBUG: ProtectionHandler: Address 0x23CEA000 already in tracked region at 0x23170000, size 0xb7a000
2020-01-14 13:36:50,598 [root] DEBUG: ProtectionHandler: Address: 0x23CEA000 (alloc base 0x23170000), NumberOfBytesToProtect: 0x1000, NewAccessProtection: 0x40
2020-01-14 13:36:50,614 [root] DEBUG: ProtectionHandler: Increased region size at 0x23CEA000 to 0xb7b000.
2020-01-14 13:36:50,769 [root] DEBUG: ProtectionHandler: New code detected at (0x23170000), scanning for PE images.
2020-01-14 13:36:50,786 [root] DEBUG: DumpPEsInRange: Scanning range 0x23170000 - 0x23ceb000.
2020-01-14 13:36:50,786 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23170000
2020-01-14 13:36:50,816 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:50,832 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23170000.
2020-01-14 13:36:50,848 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:51,051 [lib.common.results] ERROR: Exception uploading file C:\nzkuyO\CAPE\2984_167499987250361314212020 to host: [Errno 10053] An established connection was aborted by the software in your host machine
2020-01-14 13:36:51,065 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_167499987250361314212020
2020-01-14 13:36:51,098 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb78a00.
2020-01-14 13:36:51,160 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2816, RVA 0xce000400 and size 0x22d.
2020-01-14 13:36:51,176 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23735fcf
2020-01-14 13:36:51,176 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x23735FCF
2020-01-14 13:36:51,190 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0xA37433F7
2020-01-14 13:36:51,190 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x23D847C7
2020-01-14 13:36:51,190 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:51,190 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23735FCF.
2020-01-14 13:36:51,207 [root] DEBUG: DumpProcess: Error - entry point too big: 0x91dd0d17, ignoring.
2020-01-14 13:36:51,207 [root] DEBUG: PeParser: Section 1 size too big: 0x740d2252
2020-01-14 13:36:51,207 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2020-01-14 13:36:51,237 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 44328, RVA 0xa000097 and size 0x7306147a.
2020-01-14 13:36:51,269 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1043, RVA 0x3060047 and size 0x5280511.
2020-01-14 13:36:51,269 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:51,269 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:51,332 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x237361cf-0x23ceb000.
2020-01-14 13:36:51,332 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x23170000.
2020-01-14 13:36:51,332 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x23170000 - 0x23ceb000.
2020-01-14 13:36:51,346 [root] DEBUG: ProtectionHandler: Address 0x23CEB000 already in tracked region at 0x23170000, size 0xb7b000
2020-01-14 13:36:51,346 [root] DEBUG: ProtectionHandler: Address: 0x23CEB000 (alloc base 0x23170000), NumberOfBytesToProtect: 0x63000, NewAccessProtection: 0x40
2020-01-14 13:36:51,362 [root] DEBUG: ProtectionHandler: Increased region size at 0x23CEB000 to 0xbde000.
2020-01-14 13:36:51,362 [root] DEBUG: ProtectionHandler: New code detected at (0x23170000), scanning for PE images.
2020-01-14 13:36:51,362 [root] DEBUG: DumpPEsInRange: Scanning range 0x23170000 - 0x23d4e000.
2020-01-14 13:36:51,362 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23170000
2020-01-14 13:36:51,378 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:51,378 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23170000.
2020-01-14 13:36:51,394 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:51,753 [lib.common.results] ERROR: Exception uploading file C:\nzkuyO\CAPE\2984_54772669851361314212020 to host: [Errno 10053] An established connection was aborted by the software in your host machine
2020-01-14 13:36:51,753 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_54772669851361314212020
2020-01-14 13:36:51,753 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb78a00.
2020-01-14 13:36:51,831 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2816, RVA 0xce000400 and size 0x22d.
2020-01-14 13:36:51,845 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23735fcf
2020-01-14 13:36:51,892 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x23735FCF
2020-01-14 13:36:51,908 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0xA37433F7
2020-01-14 13:36:51,908 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x23D847C7
2020-01-14 13:36:51,924 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:51,924 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23735FCF.
2020-01-14 13:36:51,924 [root] DEBUG: getSectionHeaders: Exception copying section header at 0x23F8F3A8.
2020-01-14 13:36:51,940 [root] DEBUG: DumpProcess: Error - entry point too big: 0x91dd0d17, ignoring.
2020-01-14 13:36:51,940 [root] DEBUG: PeParser: Section 1 size too big: 0x740d2252
2020-01-14 13:36:51,956 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2020-01-14 13:36:51,956 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 44328, RVA 0xa000097 and size 0x7306147a.
2020-01-14 13:36:51,956 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1043, RVA 0x3060047 and size 0x5280511.
2020-01-14 13:36:51,970 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:51,970 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:52,065 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x237361cf-0x23d4e000.
2020-01-14 13:36:52,079 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x23170000.
2020-01-14 13:36:52,095 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x23170000 - 0x23d4e000.
2020-01-14 13:36:52,142 [root] DEBUG: ProtectionHandler: Address 0x2331F000 already in tracked region at 0x23170000, size 0xbde000
2020-01-14 13:36:52,190 [root] DEBUG: ProtectionHandler: Address: 0x2331F000 (alloc base 0x23170000), NumberOfBytesToProtect: 0x9cb000, NewAccessProtection: 0x20
2020-01-14 13:36:52,204 [root] DEBUG: ProtectionHandler: Updated region protection at 0x2331F000 to 0x20.
2020-01-14 13:36:52,220 [root] DEBUG: ProtectionHandler: New code detected at (0x23170000), scanning for PE images.
2020-01-14 13:36:52,220 [root] DEBUG: DumpPEsInRange: Scanning range 0x23170000 - 0x23d4e000.
2020-01-14 13:36:52,220 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23170000
2020-01-14 13:36:52,236 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:52,236 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23170000.
2020-01-14 13:36:52,236 [root] DEBUG: DumpProcess: Module entry point VA is 0x00000000.
2020-01-14 13:36:53,687 [lib.common.results] ERROR: Exception uploading file C:\nzkuyO\CAPE\2984_132743936852361314212020 to host: [Errno 10053] An established connection was aborted by the software in your host machine
2020-01-14 13:36:53,687 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_132743936852361314212020
2020-01-14 13:36:53,717 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xb78a00.
2020-01-14 13:36:54,015 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2816, RVA 0xce000400 and size 0x22d.
2020-01-14 13:36:54,092 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x23735fcf
2020-01-14 13:36:54,233 [root] DEBUG: DumpImageInCurrentProcess: Disguised PE image (bad MZ and/or PE headers) at 0x23735FCF
2020-01-14 13:36:54,311 [root] DEBUG: getSectionHeaders: Exception copying section header at 0x23F8F3A8.
2020-01-14 13:36:54,358 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x4B76D2FC
2020-01-14 13:36:54,404 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:36:54,436 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x23735FCF.
2020-01-14 13:36:54,436 [root] DEBUG: getSectionHeaders: Exception copying section header at 0x23F8F3A8.
2020-01-14 13:36:54,451 [root] DEBUG: DumpProcess: Module entry point VA is 0x91DD0D17.
2020-01-14 13:36:54,497 [root] DEBUG: PeParser: Section 1 size too big: 0x740d2252
2020-01-14 13:36:54,592 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2020-01-14 13:36:54,622 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 3 of 44328, RVA 0xa000097 and size 0x7306147a.
2020-01-14 13:36:54,622 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1043, RVA 0x3060047 and size 0x5280511.
2020-01-14 13:36:54,638 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:54,638 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 2833, RVA 0x28160219 and size 0x60015bb.
2020-01-14 13:36:54,717 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x237361cf-0x23d4e000.
2020-01-14 13:36:54,717 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x23170000.
2020-01-14 13:36:54,717 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x23170000 - 0x23d4e000.
2020-01-14 13:36:54,763 [root] DEBUG: DLL loaded at 0x23170000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni (0xbde000 bytes).
2020-01-14 13:36:54,779 [root] DEBUG: Allocation: 0x00507000 - 0x00509000, size: 0x2000, protection: 0x40.
2020-01-14 13:36:54,795 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:54,809 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:54,904 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:54,920 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:54,934 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:54,997 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:55,043 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:55,043 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:55,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:55,091 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:55,091 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:55,107 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:55,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:55,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:55,278 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:36:55,341 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:55,355 [root] DEBUG: Allocation: 0x00509000 - 0x0050A000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:55,388 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:55,418 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:55,418 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:55,434 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:55,450 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:55,450 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:55,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:55,589 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:55,605 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:55,621 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:55,621 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:55,653 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:55,653 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:55,684 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:55,730 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:36:55,730 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:36:55,730 [root] DEBUG: Allocation: 0x203F4000 - 0x203F5000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:55,730 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:55,839 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:55,871 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:55,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:55,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:55,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:55,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:55,934 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:55,948 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:55,980 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:55,980 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:55,996 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:56,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:56,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:56,121 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:36:56,135 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:36:56,167 [root] DEBUG: Allocation: 0x00516000 - 0x00517000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:56,183 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:56,183 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:56,183 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:56,213 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:56,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:56,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:56,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:56,260 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:56,260 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:56,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:56,292 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:56,401 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:56,433 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:56,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:56,463 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:36:56,572 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00516000, size: 0x1000.
2020-01-14 13:36:56,588 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 13.
2020-01-14 13:36:56,588 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00516000) returned 0x00000000.
2020-01-14 13:36:56,588 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:36:56,588 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00516000) -> AllocationBase 0x00510000 RegionSize 0x4096.
2020-01-14 13:36:56,588 [root] DEBUG: AddTrackedRegion: New region at 0x00510000 size 0x1000 added to tracked regions.
2020-01-14 13:36:56,619 [root] DEBUG: Allocation: 0x0051A000 - 0x0051B000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:56,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:56,667 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:56,697 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:56,729 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:56,822 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:56,869 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:56,915 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:56,915 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:57,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:57,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:57,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:57,150 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:57,243 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:57,384 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:57,400 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:36:57,400 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:36:57,400 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00510000, size: 0x1000.
2020-01-14 13:36:57,415 [root] DEBUG: Allocation: 0x00517000 - 0x00518000, size: 0x1000, protection: 0x40.
2020-01-14 13:36:57,461 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:36:57,664 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:36:57,805 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:36:57,821 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:36:57,836 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:36:57,868 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:36:57,961 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:36:57,993 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:36:57,993 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:36:58,007 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:36:58,055 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:36:58,085 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:36:58,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:36:58,148 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:36:58,180 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:36:58,196 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:36:58,196 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00510000, size: 0x1000.
2020-01-14 13:36:58,210 [root] DEBUG: DLL loaded at 0x73D30000: C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni (0x19b000 bytes).
2020-01-14 13:36:58,319 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-01-14 13:36:58,319 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2608.
2020-01-14 13:36:58,351 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-01-14 13:36:58,430 [root] DEBUG: DLL loaded at 0x71DA0000: C:\Windows\system32\wbem\wbemdisp (0x31000 bytes).
2020-01-14 13:36:58,539 [root] DEBUG: DLL loaded at 0x71D40000: C:\Windows\system32\wbemcomn (0x5c000 bytes).
2020-01-14 13:36:58,539 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-01-14 13:36:58,553 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-01-14 13:37:06,713 [root] INFO: Stopped WMI Service
2020-01-14 13:37:06,776 [root] INFO: Attaching to DcomLaunch service (pid 568)
2020-01-14 13:37:06,806 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:37:06,806 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:37:06,884 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:37:06,884 [root] DEBUG: Loader: Injecting process 568 (thread 0) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:06,915 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-01-14 13:37:06,977 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:37:07,009 [root] DEBUG: Process dumps disabled.
2020-01-14 13:37:07,025 [root] INFO: Disabling sleep skipping.
2020-01-14 13:37:07,180 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:37:07,180 [root] WARNING: Unable to hook LockResource
2020-01-14 13:37:07,243 [root] DEBUG: Debugger initialised.
2020-01-14 13:37:07,275 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 568 at 0x0000000071C50000, image base 0x00000000FF8E0000, stack from 0x00000000007F6000-0x0000000000800000
2020-01-14 13:37:07,275 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k DcomLaunch.
2020-01-14 13:37:07,305 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF8E0000) returned 0x0000000000000000.
2020-01-14 13:37:07,322 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:37:07,322 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF8E0000) -> AllocationBase 0x00000000FF8E0000 RegionSize 0x4096.
2020-01-14 13:37:07,336 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.676972e+00
2020-01-14 13:37:07,336 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF8E0000 size 0x1000 added to tracked regions.
2020-01-14 13:37:07,336 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:37:07,336 [root] INFO: Added new process to list with pid: 568
2020-01-14 13:37:07,352 [root] INFO: Monitor successfully loaded in process with pid 568.
2020-01-14 13:37:07,368 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-01-14 13:37:07,368 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-01-14 13:37:07,368 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:12,157 [root] INFO: Started WMI Service
2020-01-14 13:37:12,328 [root] INFO: Attaching to WMI service (pid 2996)
2020-01-14 13:37:12,453 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:37:12,470 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:37:12,532 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:37:12,548 [root] DEBUG: Loader: Injecting process 2996 (thread 0) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:12,562 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2148, handle 0x84
2020-01-14 13:37:12,609 [root] DEBUG: Process image base: 0x00000000FF8E0000
2020-01-14 13:37:12,625 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-01-14 13:37:12,625 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-01-14 13:37:12,719 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:37:12,812 [root] DEBUG: Process dumps disabled.
2020-01-14 13:37:12,828 [root] INFO: Disabling sleep skipping.
2020-01-14 13:37:12,969 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:37:13,094 [root] WARNING: Unable to hook LockResource
2020-01-14 13:37:13,187 [root] DEBUG: Debugger initialised.
2020-01-14 13:37:13,187 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2996 at 0x0000000071C50000, image base 0x00000000FF8E0000, stack from 0x0000000001576000-0x0000000001580000
2020-01-14 13:37:13,233 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-01-14 13:37:13,233 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF8E0000) returned 0x0000000000000000.
2020-01-14 13:37:13,250 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:37:13,250 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF8E0000) -> AllocationBase 0x00000000FF8E0000 RegionSize 0x4096.
2020-01-14 13:37:13,374 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.664096e+00
2020-01-14 13:37:13,421 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF8E0000 size 0x1000 added to tracked regions.
2020-01-14 13:37:13,421 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:37:13,640 [root] INFO: Added new process to list with pid: 2996
2020-01-14 13:37:13,640 [root] INFO: Monitor successfully loaded in process with pid 2996.
2020-01-14 13:37:13,671 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-01-14 13:37:13,671 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-01-14 13:37:13,749 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:15,917 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\wbem\wbemprox (0xa000 bytes).
2020-01-14 13:37:16,104 [root] DEBUG: DLL loaded at 0x71C30000: C:\Windows\system32\wbem\wmiutils (0x17000 bytes).
2020-01-14 13:37:16,259 [root] DEBUG: DLL loaded at 0x000007FEFA3E0000: C:\Windows\system32\VSSAPI (0x1b0000 bytes).
2020-01-14 13:37:16,259 [root] DEBUG: DLL loaded at 0x000007FEFB3B0000: C:\Windows\system32\ATL (0x19000 bytes).
2020-01-14 13:37:16,292 [root] DEBUG: DLL loaded at 0x000007FEFA3A0000: C:\Windows\system32\VssTrace (0x17000 bytes).
2020-01-14 13:37:16,384 [root] DEBUG: DLL loaded at 0x000007FEFAA30000: C:\Windows\system32\samcli (0x14000 bytes).
2020-01-14 13:37:16,415 [root] DEBUG: DLL loaded at 0x000007FEFBA90000: C:\Windows\system32\SAMLIB (0x1d000 bytes).
2020-01-14 13:37:16,463 [root] DEBUG: DLL loaded at 0x000007FEFAE90000: C:\Windows\system32\netutils (0xc000 bytes).
2020-01-14 13:37:16,479 [root] DEBUG: DLL loaded at 0x000007FEFB340000: C:\Windows\system32\es (0x67000 bytes).
2020-01-14 13:37:16,572 [root] DEBUG: DLL loaded at 0x000007FEFBAE0000: C:\Windows\system32\PROPSYS (0x12c000 bytes).
2020-01-14 13:37:16,634 [root] DEBUG: DLL loaded at 0x000007FEF9840000: C:\Windows\system32\wbem\wbemcore (0x12f000 bytes).
2020-01-14 13:37:16,759 [root] DEBUG: DLL loaded at 0x000007FEF97D0000: C:\Windows\system32\wbem\esscli (0x6f000 bytes).
2020-01-14 13:37:16,790 [root] DEBUG: DLL loaded at 0x000007FEF9C60000: C:\Windows\system32\wbem\FastProx (0xe2000 bytes).
2020-01-14 13:37:16,805 [root] DEBUG: DLL loaded at 0x000007FEF9BE0000: C:\Windows\system32\NTDSAPI (0x27000 bytes).
2020-01-14 13:37:16,852 [root] DEBUG: DLL unloaded from 0x000007FEF9840000.
2020-01-14 13:37:16,868 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2020-01-14 13:37:16,961 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\wbem\wbemsvc (0xf000 bytes).
2020-01-14 13:37:17,072 [root] DEBUG: DLL loaded at 0x71B90000: C:\Windows\system32\wbem\fastprox (0x96000 bytes).
2020-01-14 13:37:17,086 [root] DEBUG: DLL loaded at 0x71B70000: C:\Windows\system32\NTDSAPI (0x18000 bytes).
2020-01-14 13:37:17,102 [root] DEBUG: DLL loaded at 0x000007FEFCD30000: C:\Windows\system32\authZ (0x2f000 bytes).
2020-01-14 13:37:17,134 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1152.
2020-01-14 13:37:17,134 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-01-14 13:37:17,227 [root] DEBUG: DLL loaded at 0x000007FEFA5B0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2020-01-14 13:37:17,351 [root] DEBUG: DLL loaded at 0x000007FEF99A0000: C:\Windows\system32\wbem\repdrvfs (0x73000 bytes).
2020-01-14 13:37:17,398 [root] WARNING: File at path "C:\Windows\sysnative\wbem\repository\WRITABLE.TST" does not exist, skip.
2020-01-14 13:37:17,414 [root] DEBUG: DLL loaded at 0x000007FEFCD70000: C:\Windows\system32\Wevtapi (0x6d000 bytes).
2020-01-14 13:37:17,446 [root] DEBUG: DLL unloaded from 0x000007FEFCD70000.
2020-01-14 13:37:17,867 [root] DEBUG: DLL loaded at 0x000007FEF8380000: C:\Windows\system32\wbem\wmiprvsd (0xbc000 bytes).
2020-01-14 13:37:17,914 [root] DEBUG: DLL loaded at 0x000007FEF8360000: C:\Windows\system32\NCObjAPI (0x16000 bytes).
2020-01-14 13:37:18,085 [root] DEBUG: DLL loaded at 0x000007FEF9E00000: C:\Windows\system32\wbem\wbemess (0x7e000 bytes).
2020-01-14 13:37:18,101 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2268.
2020-01-14 13:37:18,101 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-01-14 13:37:18,365 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2892.
2020-01-14 13:37:18,381 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2020-01-14 13:37:18,444 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2960.
2020-01-14 13:37:18,460 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-01-14 13:37:18,490 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2572.
2020-01-14 13:37:18,490 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2888.
2020-01-14 13:37:18,490 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2060.
2020-01-14 13:37:18,506 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1088.
2020-01-14 13:37:18,522 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2920.
2020-01-14 13:37:18,538 [root] DEBUG: DLL loaded at 0x71B10000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-01-14 13:37:18,538 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2184.
2020-01-14 13:37:18,756 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2272.
2020-01-14 13:37:18,834 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2428.
2020-01-14 13:37:18,849 [root] DEBUG: DLL loaded at 0x71AD0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni (0x3a000 bytes).
2020-01-14 13:37:19,099 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2024.
2020-01-14 13:37:19,131 [root] DEBUG: Allocation: 0x20490000 - 0x20491000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:19,240 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:19,270 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:19,334 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:19,443 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:19,505 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:19,536 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:19,536 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:19,536 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:19,582 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:19,582 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:19,598 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:19,645 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:19,661 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:19,677 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:19,677 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:19,691 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:19,707 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x20490000, size: 0x1000.
2020-01-14 13:37:19,802 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 14.
2020-01-14 13:37:19,816 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x20490000) returned 0x00000000.
2020-01-14 13:37:19,816 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:37:19,848 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x20490000) -> AllocationBase 0x20490000 RegionSize 0x4096.
2020-01-14 13:37:19,973 [root] DEBUG: AddTrackedRegion: New region at 0x20490000 size 0x1000 added to tracked regions.
2020-01-14 13:37:20,019 [root] DEBUG: DLL loaded at 0x60350000: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers (0x15000 bytes).
2020-01-14 13:37:20,144 [root] DEBUG: Allocation: 0x20891000 - 0x20892000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:20,176 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:20,191 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:20,191 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:20,237 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:20,285 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2828
2020-01-14 13:37:20,285 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:20,315 [root] DEBUG: DLL loaded at 0x000007FEFBAC0000: C:\Windows\system32\wbem\ncprov (0x16000 bytes).
2020-01-14 13:37:20,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:20,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:20,315 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:37:20,315 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:37:20,362 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:20,362 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:20,426 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:37:20,426 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:20,440 [root] DEBUG: Loader: Injecting process 2828 (thread 2640) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:20,440 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:20,440 [root] DEBUG: Process image base: 0x00000000FF6C0000
2020-01-14 13:37:20,440 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:20,440 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:20,440 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:20,440 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:37:20,471 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:20,471 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1696.
2020-01-14 13:37:20,471 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:20,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:20,487 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2120.
2020-01-14 13:37:20,487 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1840.
2020-01-14 13:37:20,487 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2828
2020-01-14 13:37:20,503 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:20,706 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2828
2020-01-14 13:37:20,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:20,706 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:37:20,706 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:37:20,706 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x20891000, size: 0x1000.
2020-01-14 13:37:20,706 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 15.
2020-01-14 13:37:20,706 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x20891000) returned 0x00000000.
2020-01-14 13:37:20,706 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:37:20,721 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:37:20,721 [root] DEBUG: Loader: Injecting process 2828 (thread 2640) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:20,721 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x20891000) -> AllocationBase 0x20890000 RegionSize 0x4096.
2020-01-14 13:37:20,721 [root] DEBUG: Process image base: 0x00000000FF6C0000
2020-01-14 13:37:20,721 [root] DEBUG: AddTrackedRegion: New region at 0x20890000 size 0x1000 added to tracked regions.
2020-01-14 13:37:20,769 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:20,769 [root] DEBUG: Allocation: 0x20830000 - 0x20831000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:20,769 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:37:20,769 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:20,769 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:37:20,769 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:20,769 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2828
2020-01-14 13:37:20,769 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:20,783 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:37:20,783 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:20,783 [root] DEBUG: Process dumps disabled.
2020-01-14 13:37:20,783 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:20,783 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:20,783 [root] INFO: Disabling sleep skipping.
2020-01-14 13:37:20,831 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:20,831 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:37:20,831 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:20,831 [root] WARNING: Unable to hook LockResource
2020-01-14 13:37:20,831 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:20,831 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:37:20,846 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:20,846 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:20,846 [root] DEBUG: Debugger initialised.
2020-01-14 13:37:20,846 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:20,861 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2828 at 0x0000000071C50000, image base 0x00000000FF6C0000, stack from 0x0000000000140000-0x0000000000150000
2020-01-14 13:37:20,861 [root] DEBUG: Commandline: C:\Windows\sysnative\wbem\wmiprvse.exe -secured -Embedding.
2020-01-14 13:37:20,861 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:20,878 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF6C0000) returned 0x0000000000000000.
2020-01-14 13:37:20,894 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:20,908 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:20,908 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:37:20,940 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:20,940 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF6C0000) -> AllocationBase 0x00000000FF6C0000 RegionSize 0x4096.
2020-01-14 13:37:20,940 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:21,003 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:21,003 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x20830000, size: 0x1000.
2020-01-14 13:37:21,017 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 16.
2020-01-14 13:37:21,065 [root] DEBUG: AddTrackedRegion: EntryPoint 0xa9b4, Entropy 5.869568e+00
2020-01-14 13:37:21,081 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x20830000) returned 0x00000000.
2020-01-14 13:37:21,081 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF6C0000 size 0x1000 added to tracked regions.
2020-01-14 13:37:21,081 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:37:21,081 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:37:21,081 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x20830000) -> AllocationBase 0x20830000 RegionSize 0x4096.
2020-01-14 13:37:21,081 [root] INFO: Added new process to list with pid: 2828
2020-01-14 13:37:21,081 [root] DEBUG: AddTrackedRegion: New region at 0x20830000 size 0x1000 added to tracked regions.
2020-01-14 13:37:21,081 [root] INFO: Monitor successfully loaded in process with pid 2828.
2020-01-14 13:37:21,081 [root] DEBUG: Allocation: 0x20831000 - 0x20832000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:21,081 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:21,081 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:21,081 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:21,095 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:21,095 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:21,111 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:21,190 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\CRYPTBASE (0xf000 bytes).
2020-01-14 13:37:21,190 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:21,206 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:21,206 [root] DEBUG: DLL loaded at 0x000007FEFC400000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2020-01-14 13:37:21,206 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:21,206 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:21,206 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-01-14 13:37:21,206 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:21,206 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:21,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:21,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:21,236 [root] DEBUG: DLL loaded at 0x000007FEFE640000: C:\Windows\system32\CLBCatQ (0x99000 bytes).
2020-01-14 13:37:21,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:21,236 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1412.
2020-01-14 13:37:21,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:21,236 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-01-14 13:37:21,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:21,252 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:21,252 [root] DEBUG: DLL loaded at 0x000007FEFA1D0000: C:\Windows\system32\wbem\wbemprox (0xf000 bytes).
2020-01-14 13:37:21,252 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:21,267 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x20830000, size: 0x1000.
2020-01-14 13:37:21,267 [root] DEBUG: CreateThread: Initialising breakpoints for thread 112.
2020-01-14 13:37:21,283 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-01-14 13:37:21,299 [root] DEBUG: Allocation: 0x0050B000 - 0x0050C000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:21,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:21,361 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-01-14 13:37:21,377 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:21,377 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:21,470 [root] DEBUG: DLL loaded at 0x000007FEFD270000: C:\Windows\system32\RpcRtRemote (0x14000 bytes).
2020-01-14 13:37:21,470 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:21,486 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:21,502 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2128.
2020-01-14 13:37:21,502 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:21,502 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:21,502 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:21,517 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:21,517 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:21,517 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:21,517 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:21,517 [root] DEBUG: DLL loaded at 0x000007FEF96B0000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2020-01-14 13:37:21,517 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:21,532 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:21,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:21,579 [root] DEBUG: DLL loaded at 0x000007FEFA5B0000: C:\Windows\system32\wbem\wmiutils (0x26000 bytes).
2020-01-14 13:37:21,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:21,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:21,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:21,611 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:21,611 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:37:21,861 [root] DEBUG: DLL loaded at 0x000007FEF3BF0000: C:\Windows\system32\wbem\cimwin32 (0x1fa000 bytes).
2020-01-14 13:37:21,907 [root] DEBUG: DLL loaded at 0x000007FEF3E10000: C:\Windows\system32\framedynos (0x4c000 bytes).
2020-01-14 13:37:21,907 [root] DEBUG: DLL loaded at 0x000007FEFB2A0000: C:\Windows\system32\WTSAPI32 (0x11000 bytes).
2020-01-14 13:37:22,359 [root] DEBUG: DLL loaded at 0x0000000071AC0000: C:\Windows\system32\WMI (0x3000 bytes).
2020-01-14 13:37:22,453 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1464.
2020-01-14 13:37:23,421 [root] DEBUG: DLL loaded at 0x719B0000: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni (0x104000 bytes).
2020-01-14 13:37:23,467 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1488.
2020-01-14 13:37:23,779 [root] DEBUG: Allocation: 0x7EF30000 - 0x7EF80000, size: 0x50000, protection: 0x40.
2020-01-14 13:37:23,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:23,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:23,888 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:23,888 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:23,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:23,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:23,982 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:23,982 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:24,013 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:24,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:24,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:24,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:24,309 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:24,309 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:24,341 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:24,418 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:24,418 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:24,496 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:24,543 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:24,543 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x7EF30000, size: 0x50000.
2020-01-14 13:37:24,605 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 17.
2020-01-14 13:37:24,638 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x7EF30000) returned 0x00000000.
2020-01-14 13:37:24,653 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:37:24,653 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x7EF30000) -> AllocationBase 0x7EF30000 RegionSize 0x327680.
2020-01-14 13:37:24,871 [root] DEBUG: AddTrackedRegion: New region at 0x7EF30000 size 0x50000 added to tracked regions.
2020-01-14 13:37:24,887 [root] DEBUG: AllocationHandler: Memory reserved but not committed at 0x7EF30000.
2020-01-14 13:37:24,903 [root] DEBUG: Allocation: 0x7EF30000 - 0x7EF31000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:24,964 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:25,012 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:25,012 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:25,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:25,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:25,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:25,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:25,339 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:25,385 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:25,448 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:25,448 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:25,496 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:25,542 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:25,588 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:25,635 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:25,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:25,979 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:26,119 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:26,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:26,229 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:26,588 [root] DEBUG: AllocationHandler: Previously reserved region 0x7EF30000 - 0x7EF80000, committing at: 0x7EF30000.
2020-01-14 13:37:26,650 [root] DEBUG: Allocation: 0x7EF30000 - 0x7EF31000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:26,743 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:26,884 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:27,039 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:27,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:27,414 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:27,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:27,694 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:27,773 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:27,773 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:27,867 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:27,944 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:28,240 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:28,240 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:28,240 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:28,256 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:28,272 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:28,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:28,818 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:28,865 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:28,973 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:29,270 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x7EF30000, size: 0x50000.
2020-01-14 13:37:29,536 [root] DEBUG: Allocation: 0x7EF20000 - 0x7EF30000, size: 0x10000, protection: 0x40.
2020-01-14 13:37:29,598 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:29,630 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:29,832 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:29,941 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:30,019 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:30,410 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:30,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:30,549 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:31,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:31,299 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:31,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:31,845 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:31,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:32,359 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:32,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:32,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:33,015 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:33,374 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:33,575 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:33,934 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:34,138 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x7EF20000, size: 0x10000.
2020-01-14 13:37:34,605 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 18.
2020-01-14 13:37:34,964 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x7EF20000) returned 0x00000000.
2020-01-14 13:37:35,292 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:37:35,494 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x7EF20000) -> AllocationBase 0x7EF20000 RegionSize 0x65536.
2020-01-14 13:37:36,009 [root] DEBUG: AddTrackedRegion: New region at 0x7EF20000 size 0x10000 added to tracked regions.
2020-01-14 13:37:36,040 [root] DEBUG: AllocationHandler: Memory reserved but not committed at 0x7EF20000.
2020-01-14 13:37:36,586 [root] DEBUG: Allocation: 0x7EF20000 - 0x7EF21000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:36,664 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:37,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:37,148 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:37,476 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:37,710 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:38,115 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:38,349 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:38,911 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:39,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:39,848 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:40,096 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:40,346 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:40,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:40,815 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:41,252 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:41,486 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:41,641 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:42,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:42,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:43,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:43,966 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:44,121 [root] DEBUG: AllocationHandler: Previously reserved region 0x7EF20000 - 0x7EF30000, committing at: 0x7EF20000.
2020-01-14 13:37:44,746 [root] DEBUG: DLL unloaded from 0x0000000071AC0000.
2020-01-14 13:37:44,808 [root] DEBUG: Allocation: 0x003EB000 - 0x003EC000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:45,058 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:45,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:45,494 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:45,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:45,806 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:45,900 [root] DEBUG: DLL unloaded from 0x000007FEF9840000.
2020-01-14 13:37:45,900 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:45,900 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:46,040 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:46,414 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:46,446 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:46,446 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:46,493 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:46,493 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:46,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:46,539 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:46,571 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:46,586 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:46,634 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:46,648 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:46,680 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:46,696 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:46,696 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003E0000, size: 0x1000.
2020-01-14 13:37:47,055 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2788.
2020-01-14 13:37:47,117 [root] DEBUG: DLL loaded at 0x6A310000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils (0x9000 bytes).
2020-01-14 13:37:47,132 [root] DEBUG: Allocation: 0x23EA0000 - 0x23EA1000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:47,164 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:47,164 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:47,210 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:47,210 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:47,242 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:47,242 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:47,398 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:47,694 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:47,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:47,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:47,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:47,788 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:47,835 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:47,835 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:47,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:48,006 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:48,052 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:48,052 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:48,084 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:48,131 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:48,177 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:48,286 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x23EA0000, size: 0x1000.
2020-01-14 13:37:48,427 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 19.
2020-01-14 13:37:48,459 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x23EA0000) returned 0x00000000.
2020-01-14 13:37:48,490 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:37:48,677 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x23EA0000) -> AllocationBase 0x23EA0000 RegionSize 0x4096.
2020-01-14 13:37:48,677 [root] DEBUG: AddTrackedRegion: New region at 0x23EA0000 size 0x1000 added to tracked regions.
2020-01-14 13:37:48,707 [root] DEBUG: Allocation: 0x23EA1000 - 0x23EA2000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:48,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:48,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:48,786 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:49,052 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:49,082 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:49,082 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:49,082 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:49,130 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:49,394 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:49,426 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:49,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:49,535 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:49,582 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:49,582 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:49,628 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:49,628 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:49,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:49,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:49,721 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:50,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:50,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:50,579 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:37:50,627 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x23EA0000, size: 0x1000.
2020-01-14 13:37:50,657 [root] DEBUG: Allocation: 0x23EA2000 - 0x23EA3000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:50,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:50,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:50,720 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:50,767 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:50,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:50,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:50,845 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:50,845 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:50,891 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:50,891 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:50,938 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:51,002 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:51,032 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:51,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:51,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:51,484 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:51,594 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:51,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:51,921 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:51,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:51,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:51,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:37:52,030 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x23EA0000, size: 0x1000.
2020-01-14 13:37:52,125 [root] DEBUG: Allocation: 0x23EA3000 - 0x23EA4000, size: 0x1000, protection: 0x40.
2020-01-14 13:37:52,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:52,437 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:52,437 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:52,483 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:52,529 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:52,529 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:52,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:52,592 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:52,608 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:52,608 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:52,686 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:52,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:52,858 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:52,858 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:52,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:53,186 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:53,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:53,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:53,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:53,247 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:53,325 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:53,357 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:37:53,388 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x23EA0000, size: 0x1000.
2020-01-14 13:37:53,404 [root] DEBUG: set_caller_info: Adding region at 0x23EA0000 to caller regions list (ole32::CoCreateInstance).
2020-01-14 13:37:53,450 [root] DEBUG: set_caller_info: Caller at 0x23EA35AF in tracked regions.
2020-01-14 13:37:53,684 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:53,684 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:53,732 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:53,778 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:53,778 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:53,871 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:53,871 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:54,323 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1a50 in capemon caught accessing 0x3e0000 (expected in memory scans), passing to next handler.
2020-01-14 13:37:54,448 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:54,496 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:54,512 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:54,542 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:54,542 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:54,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:54,589 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:54,635 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:54,635 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:54,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:54,683 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:54,698 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:54,730 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:54,776 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:54,933 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:37:55,104 [root] DEBUG: DumpPEsInRange: Scanning range 0x23ea0000 - 0x23ea1000.
2020-01-14 13:37:55,135 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x23ea0000-0x23ea1000.
2020-01-14 13:37:55,493 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x23EA0000 - 0x23EA1000.
2020-01-14 13:37:55,526 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_7238186843521814212020 successfully created, size 0x10000
2020-01-14 13:37:55,572 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x23ea4000 (expected in memory scans), passing to next handler.
2020-01-14 13:37:55,572 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x23ea0000
2020-01-14 13:37:55,618 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x23EA0000 size 0x10000.
2020-01-14 13:37:55,790 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_14051884373521814212020 successfully created, size 0x4000
2020-01-14 13:37:55,852 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_14051884373521814212020
2020-01-14 13:37:55,852 [root] DEBUG: DumpRegion: Dumped stack region from 0x23EA0000, size 0x4000.
2020-01-14 13:37:55,915 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x23EA0000.
2020-01-14 13:37:55,930 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x23ea0000 - 0x23ea1000.
2020-01-14 13:37:55,993 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2840.
2020-01-14 13:37:56,227 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2508.
2020-01-14 13:37:56,336 [root] DEBUG: set_caller_info: Adding region at 0x00500000 to caller regions list (msvcrt::memcpy).
2020-01-14 13:37:56,384 [root] DEBUG: set_caller_info: Caller at 0x0050BF2F in tracked regions.
2020-01-14 13:37:56,384 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:37:56,476 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:37:56,601 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:37:56,944 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:37:57,117 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:37:57,117 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:37:57,178 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:37:57,178 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1a50 in capemon caught accessing 0x3e0000 (expected in memory scans), passing to next handler.
2020-01-14 13:37:57,178 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:37:57,210 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:37:57,273 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x501000.
2020-01-14 13:37:57,288 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x500000-0x501000.
2020-01-14 13:37:57,335 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00500000 - 0x00501000.
2020-01-14 13:37:57,365 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_14541592713741814212020 successfully created, size 0x10000
2020-01-14 13:37:57,460 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x501000 (expected in memory scans), passing to next handler.
2020-01-14 13:37:57,460 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x500000
2020-01-14 13:37:57,476 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00500000 size 0x10000.
2020-01-14 13:37:57,490 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_14859306403741814212020 successfully created, size 0x1000
2020-01-14 13:37:57,615 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_14859306403741814212020
2020-01-14 13:37:57,615 [root] DEBUG: DumpRegion: Dumped stack region from 0x00500000, size 0x1000.
2020-01-14 13:37:57,663 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00500000.
2020-01-14 13:37:57,663 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x500000 - 0x501000.
2020-01-14 13:37:57,694 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:37:57,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:37:57,944 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:37:57,959 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:37:58,006 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:37:58,006 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:37:58,161 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:37:58,365 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:37:58,380 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:37:58,380 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:37:58,411 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:37:58,457 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:37:58,505 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:37:58,832 [root] DEBUG: CreateThread: Initialising breakpoints for thread 3016.
2020-01-14 13:37:58,894 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-01-14 13:37:58,941 [root] DEBUG: CreateThread: Initialising breakpoints for thread 512.
2020-01-14 13:37:58,941 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2560.
2020-01-14 13:38:06,289 [root] DEBUG: DLL unloaded from 0x76A70000.
2020-01-14 13:38:08,098 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2020-01-14 13:38:08,318 [root] DEBUG: DLL loaded at 0x000007FEFA990000: C:\Windows\System32\perfos (0xb000 bytes).
2020-01-14 13:38:13,980 [root] DEBUG: Allocation: 0x23E50000 - 0x23E51000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:14,012 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:14,012 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:14,167 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:14,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:14,230 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:14,230 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:14,292 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:14,292 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:14,355 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:14,355 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:14,542 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:14,542 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:14,558 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:14,558 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:14,605 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:14,605 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:14,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:14,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:14,697 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:14,869 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:15,040 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:15,165 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:15,243 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x23E50000, size: 0x1000.
2020-01-14 13:38:15,259 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 20.
2020-01-14 13:38:15,306 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x23E50000) returned 0x00000000.
2020-01-14 13:38:15,306 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:38:15,352 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x23E50000) -> AllocationBase 0x23E50000 RegionSize 0x4096.
2020-01-14 13:38:15,352 [root] DEBUG: AddTrackedRegion: New region at 0x23E50000 size 0x1000 added to tracked regions.
2020-01-14 13:38:15,400 [root] DEBUG: set_caller_info: Adding region at 0x23E50000 to caller regions list (ntdll::NtDuplicateObject).
2020-01-14 13:38:15,415 [root] DEBUG: set_caller_info: Caller at 0x23E50108 in tracked regions.
2020-01-14 13:38:15,477 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:15,650 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:15,664 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:15,852 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:15,898 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:15,898 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:15,946 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:15,946 [root] DEBUG: DumpPEsInRange: Scanning range 0x23e50000 - 0x23e51000.
2020-01-14 13:38:16,039 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x23e50000-0x23e51000.
2020-01-14 13:38:16,071 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x23E50000 - 0x23E51000.
2020-01-14 13:38:16,148 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_14117208813661814212020 successfully created, size 0x10000
2020-01-14 13:38:16,148 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x23e51000 (expected in memory scans), passing to next handler.
2020-01-14 13:38:16,196 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x23e50000
2020-01-14 13:38:16,196 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x23E50000 size 0x10000.
2020-01-14 13:38:16,210 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_8790740523661814212020 successfully created, size 0x1000
2020-01-14 13:38:16,476 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_8790740523661814212020
2020-01-14 13:38:16,539 [root] DEBUG: DumpRegion: Dumped stack region from 0x23E50000, size 0x1000.
2020-01-14 13:38:16,539 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x23E50000.
2020-01-14 13:38:16,539 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x23e50000 - 0x23e51000.
2020-01-14 13:38:16,539 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1a50 in capemon caught accessing 0x3e0000 (expected in memory scans), passing to next handler.
2020-01-14 13:38:16,585 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:16,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:16,632 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:16,632 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:16,678 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:16,678 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:16,678 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:16,678 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:16,678 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:16,726 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:17,101 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:17,131 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:17,147 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:17,147 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:17,194 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:17,194 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:17,256 [root] DEBUG: Allocation: 0x203F5000 - 0x203F6000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:17,256 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:17,319 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:17,319 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:17,365 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:17,381 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:17,724 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:17,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:17,786 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:17,786 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:17,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:17,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:17,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:17,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:17,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:17,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:17,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:17,881 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:17,990 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:17,990 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:18,036 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:18,036 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:18,082 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:18,082 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:18,115 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:18,130 [root] DEBUG: Allocation: 0x203F6000 - 0x203F7000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:18,161 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:18,161 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:18,161 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:18,177 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:18,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:18,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:18,239 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:18,380 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:18,582 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:18,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:18,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:18,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:18,816 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:19,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:19,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:19,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:19,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:19,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:19,424 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:19,424 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:19,471 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:19,471 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:19,519 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:19,519 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:35,601 [root] DEBUG: Allocation: 0x003E3000 - 0x003E4000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:35,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:35,601 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:35,601 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:35,648 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:35,648 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:35,648 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:35,648 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:35,805 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:36,023 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:36,069 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:36,069 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:36,085 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:36,132 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:36,164 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:36,631 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:36,710 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:36,724 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:36,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:36,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:36,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:36,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:36,788 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:36,788 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:36,835 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x003E0000, size: 0x1000.
2020-01-14 13:38:36,881 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2160.
2020-01-14 13:38:36,881 [root] DEBUG: DLL unloaded from 0x77560000.
2020-01-14 13:38:37,318 [root] DEBUG: CreateThread: Initialising breakpoints for thread 784.
2020-01-14 13:38:37,318 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2012.
2020-01-14 13:38:37,473 [root] DEBUG: Allocation: 0x20491000 - 0x20492000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:37,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:37,520 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:37,536 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:37,677 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:37,677 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:37,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:37,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:37,770 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:37,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:38,253 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:38,457 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:38,457 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:38,473 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1760.
2020-01-14 13:38:38,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:38,487 [root] DEBUG: Allocation: 0x203F7000 - 0x203F8000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:38,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:38,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:38,487 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:38,503 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:38,519 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:38,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:38,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:38,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:38,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:38,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:38,674 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:38,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:38,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:38,690 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x20490000, size: 0x1000.
2020-01-14 13:38:38,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:38,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:38,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:39,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:39,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:39,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:39,361 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:39,361 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:39,408 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:39,408 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:39,454 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:39,454 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:39,549 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:39,549 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2052.
2020-01-14 13:38:39,549 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:39,704 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1344.
2020-01-14 13:38:39,704 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:39,704 [root] DEBUG: DLL unloaded from 0x000007FEFDF10000.
2020-01-14 13:38:39,704 [root] DEBUG: Allocation: 0x203F8000 - 0x203FB000, size: 0x3000, protection: 0x40.
2020-01-14 13:38:39,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:39,766 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:39,766 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:39,877 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:40,032 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:40,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:40,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:40,125 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:40,125 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:40,173 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:40,173 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:40,203 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:40,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:40,828 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:40,844 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:40,844 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:40,844 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:40,891 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:40,891 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:40,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:40,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:40,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:40,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:41,030 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:41,030 [root] DEBUG: Allocation: 0x203FB000 - 0x203FC000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:41,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:41,078 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:41,203 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:41,280 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:41,374 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:41,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:41,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:41,592 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:41,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:41,638 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:41,686 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:41,686 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:41,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:41,733 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:41,826 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:42,029 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:42,200 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:42,513 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:42,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:42,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:42,607 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:42,607 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:42,746 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:42,778 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:42,871 [root] DEBUG: DLL loaded at 0x74D90000: C:\Windows\system32\shfolder (0x5000 bytes).
2020-01-14 13:38:42,918 [root] DEBUG: Allocation: 0x00535000 - 0x00536000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:42,950 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:42,950 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:43,028 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:43,028 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:43,028 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:43,028 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:43,028 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:43,028 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:43,089 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:43,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:43,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:43,323 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:43,323 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:43,371 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:43,371 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:43,371 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:43,371 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00530000, size: 0x1000.
2020-01-14 13:38:43,417 [root] DEBUG: Allocation: 0x203FC000 - 0x203FD000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:43,417 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:43,464 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:43,979 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:43,994 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:43,994 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:43,994 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:43,994 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:44,026 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:44,072 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:44,119 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:44,119 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:44,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:44,134 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:44,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:44,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:44,197 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:44,197 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:44,244 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:44,244 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:44,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:44,447 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:44,540 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:44,540 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:44,588 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:44,884 [root] DEBUG: Allocation: 0x20492000 - 0x20493000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:44,930 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:44,930 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:44,977 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:44,977 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:44,977 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:44,993 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:45,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:45,071 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:45,071 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:45,086 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:45,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:45,148 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:45,196 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:45,226 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:45,289 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:45,305 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:45,368 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:45,523 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:45,571 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:45,571 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:45,617 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:45,632 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:45,694 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:46,085 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x20490000, size: 0x1000.
2020-01-14 13:38:47,505 [root] DEBUG: Allocation: 0x203FD000 - 0x203FF000, size: 0x2000, protection: 0x40.
2020-01-14 13:38:47,661 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:48,301 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:48,346 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:48,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:48,378 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:48,440 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:48,440 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:48,487 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:48,535 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:48,612 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:48,612 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:48,658 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:48,658 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:48,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:48,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:48,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:48,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:48,861 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:48,908 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:48,970 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:49,017 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:49,017 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:49,017 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:49,065 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:49,127 [root] DEBUG: DLL loaded at 0x60340000: C:\Windows\Microsoft.NET\Framework\v2.0.50727\culture (0x8000 bytes).
2020-01-14 13:38:49,158 [root] DEBUG: DLL unloaded from 0x60340000.
2020-01-14 13:38:49,174 [root] DEBUG: Allocation: 0x20493000 - 0x20494000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:49,204 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:49,204 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:49,252 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:49,252 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:49,549 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:49,563 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:49,595 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:49,627 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:49,875 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:50,109 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:50,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:50,187 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:50,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:50,234 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:50,282 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:50,282 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:50,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:50,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:50,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:50,344 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:50,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:50,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:50,905 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:50,905 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x20490000, size: 0x1000.
2020-01-14 13:38:51,154 [root] DEBUG: Allocation: 0x0052C000 - 0x0052D000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:51,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:51,201 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:51,201 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:51,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:51,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:51,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:51,483 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:51,561 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:51,576 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:51,670 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:51,670 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:51,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:51,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:51,763 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:51,763 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:51,811 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:51,811 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:51,857 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:52,434 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:52,450 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:52,450 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:52,480 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:52,480 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:52,528 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00520000, size: 0x1000.
2020-01-14 13:38:52,528 [root] DEBUG: Allocation: 0x20494000 - 0x20495000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:52,528 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:52,528 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:52,605 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:52,948 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:52,996 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:52,996 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:52,996 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:53,012 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:53,026 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:53,026 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:53,042 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:53,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:53,073 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:53,073 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:53,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:53,151 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:53,151 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x20490000, size: 0x1000.
2020-01-14 13:38:53,151 [root] DEBUG: Allocation: 0x0050D000 - 0x0050E000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:53,151 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:53,151 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:53,167 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:53,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:53,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:53,198 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:53,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:53,276 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:53,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:53,323 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:53,371 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:53,401 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:53,401 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:53,401 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:53,401 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:53,635 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:53,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:53,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:53,651 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:53,667 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:53,713 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:53,713 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:53,713 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:53,744 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x00500000, size: 0x1000.
2020-01-14 13:38:54,072 [root] DEBUG: DLL loaded at 0x70F30000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2020-01-14 13:38:54,602 [root] DEBUG: DLL loaded at 0x74D50000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2020-01-14 13:38:54,602 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-01-14 13:38:54,650 [root] DEBUG: DLL loaded at 0x70D90000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-01-14 13:38:54,680 [root] DEBUG: DLL loaded at 0x74D20000: C:\Windows\system32\MLANG (0x2e000 bytes).
2020-01-14 13:38:55,335 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-01-14 13:38:55,539 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-01-14 13:38:55,913 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-01-14 13:38:55,928 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-01-14 13:38:56,256 [root] DEBUG: Allocation: 0x203FF000 - 0x20400000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:56,335 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:56,427 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:56,490 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:56,599 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:56,709 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:56,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:56,802 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:56,848 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:56,848 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:56,895 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:56,895 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:56,927 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:56,959 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:56,973 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:56,973 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:57,130 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:57,130 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:57,255 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:57,614 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:57,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:57,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:57,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:57,862 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:57,878 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x203F0000, size: 0x1000.
2020-01-14 13:38:57,910 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-01-14 13:38:57,940 [root] DEBUG: Allocation: 0x23E51000 - 0x23E52000, size: 0x1000, protection: 0x40.
2020-01-14 13:38:57,940 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:38:58,128 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:38:58,190 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:38:58,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:38:58,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:38:58,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:38:58,285 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:38:58,315 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:38:58,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:38:58,362 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:38:58,362 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:38:58,408 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:38:58,408 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:38:58,456 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:38:58,456 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:38:58,533 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:38:58,581 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:38:58,658 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:38:58,658 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:38:58,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:38:58,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:38:58,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:38:58,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:38:58,753 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x23E50000, size: 0x1000.
2020-01-14 13:38:58,753 [root] DEBUG: DLL unloaded from 0x751E0000.
2020-01-14 13:38:59,859 [root] INFO: Announced starting service "VaultSvc"
2020-01-14 13:38:59,859 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2020-01-14 13:39:00,046 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:39:00,046 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:39:00,749 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:39:00,999 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:01,046 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 528, handle 0x84
2020-01-14 13:39:01,154 [root] DEBUG: Process image base: 0x00000000FFAB0000
2020-01-14 13:39:01,154 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-01-14 13:39:01,592 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-01-14 13:39:01,638 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:39:01,684 [root] DEBUG: Process dumps disabled.
2020-01-14 13:39:01,700 [root] INFO: Disabling sleep skipping.
2020-01-14 13:39:01,747 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:39:01,747 [root] WARNING: Unable to hook LockResource
2020-01-14 13:39:02,496 [root] DEBUG: Debugger initialised.
2020-01-14 13:39:02,512 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 460 at 0x0000000071C50000, image base 0x00000000FFAB0000, stack from 0x00000000010A6000-0x00000000010B0000
2020-01-14 13:39:02,528 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-01-14 13:39:02,528 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFAB0000) returned 0x0000000000000000.
2020-01-14 13:39:02,542 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:39:02,542 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFAB0000) -> AllocationBase 0x00000000FFAB0000 RegionSize 0x4096.
2020-01-14 13:39:02,839 [root] DEBUG: AddTrackedRegion: EntryPoint 0x13310, Entropy 6.074223e+00
2020-01-14 13:39:02,839 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFAB0000 size 0x1000 added to tracked regions.
2020-01-14 13:39:02,855 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:39:02,855 [root] INFO: Added new process to list with pid: 460
2020-01-14 13:39:02,855 [root] INFO: Monitor successfully loaded in process with pid 460.
2020-01-14 13:39:03,026 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-01-14 13:39:03,308 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-01-14 13:39:03,308 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:04,461 [root] INFO: Announced 64-bit process name: lsass.exe pid: 3068
2020-01-14 13:39:04,477 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:39:04,477 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:39:04,509 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:39:04,555 [root] DEBUG: Loader: Injecting process 3068 (thread 2152) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:04,555 [root] DEBUG: Process image base: 0x00000000FF460000
2020-01-14 13:39:04,555 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:04,555 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:39:04,555 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:04,555 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3068
2020-01-14 13:39:04,555 [root] INFO: Announced 64-bit process name: lsass.exe pid: 3068
2020-01-14 13:39:04,555 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:39:04,555 [lib.api.process] INFO: 64-bit DLL to inject is C:\ueakpxib\dll\cdvcaqcv.dll, loader C:\ueakpxib\bin\EeJAEmpM.exe
2020-01-14 13:39:04,648 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kGzJMO.
2020-01-14 13:39:04,680 [root] DEBUG: Loader: Injecting process 3068 (thread 2152) with C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:05,101 [root] DEBUG: Process image base: 0x00000000FF460000
2020-01-14 13:39:06,319 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:06,349 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:39:06,411 [root] DEBUG: Successfully injected DLL C:\ueakpxib\dll\cdvcaqcv.dll.
2020-01-14 13:39:06,411 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 3068
2020-01-14 13:39:06,443 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:39:06,459 [root] DEBUG: Process dumps disabled.
2020-01-14 13:39:06,865 [root] INFO: Disabling sleep skipping.
2020-01-14 13:39:06,989 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:39:07,005 [root] WARNING: Unable to hook LockResource
2020-01-14 13:39:07,036 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:39:07,066 [root] DEBUG: Debugger initialised.
2020-01-14 13:39:07,098 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 3068 at 0x0000000071C50000, image base 0x00000000FF460000, stack from 0x00000000001D4000-0x00000000001E0000
2020-01-14 13:39:07,161 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2020-01-14 13:39:07,815 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF460000) returned 0x0000000000000000.
2020-01-14 13:39:07,846 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:39:07,894 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF460000) -> AllocationBase 0x00000000FF460000 RegionSize 0x4096.
2020-01-14 13:39:07,957 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1850, Entropy 3.685763e+00
2020-01-14 13:39:08,096 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF460000 size 0x1000 added to tracked regions.
2020-01-14 13:39:08,174 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:39:08,565 [root] INFO: Added new process to list with pid: 3068
2020-01-14 13:39:08,611 [root] INFO: Monitor successfully loaded in process with pid 3068.
2020-01-14 13:39:36,473 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 460).
2020-01-14 13:39:36,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-01-14 13:39:36,473 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFAB0000.
2020-01-14 13:39:36,473 [root] DEBUG: ProcessImageBase: EP 0x0000000000013310 image base 0x00000000FFAB0000 size 0x0 entropy 6.074451e+00.
2020-01-14 13:39:36,489 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2124.
2020-01-14 13:39:36,489 [root] INFO: Notified of termination of process with pid 3068.
2020-01-14 13:39:36,519 [root] DEBUG: Allocation: 0x24220000 - 0x24221000, size: 0x1000, protection: 0x40.
2020-01-14 13:39:36,519 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 3068).
2020-01-14 13:39:36,551 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:39:36,614 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:39:36,723 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:39:36,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:39:36,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:39:36,769 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:39:36,769 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:39:36,769 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:39:36,769 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:39:36,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:39:36,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:39:36,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:39:36,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:39:36,785 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:39:36,801 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:39:36,801 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:39:36,801 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:39:36,801 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:39:36,940 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:39:36,957 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:39:37,035 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:39:37,065 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:39:37,160 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:39:37,160 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x24220000, size: 0x1000.
2020-01-14 13:39:37,285 [root] DEBUG: AddTrackedRegion: DEBUG Warning - number of tracked regions 21.
2020-01-14 13:39:37,285 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x24220000) returned 0x00000000.
2020-01-14 13:39:37,299 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:39:37,424 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x24220000) -> AllocationBase 0x24220000 RegionSize 0x4096.
2020-01-14 13:39:37,486 [root] DEBUG: AddTrackedRegion: New region at 0x24220000 size 0x1000 added to tracked regions.
2020-01-14 13:39:37,503 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-01-14 13:39:37,519 [root] INFO: Created shutdown mutex.
2020-01-14 13:39:37,533 [root] DEBUG: Allocation: 0x24221000 - 0x24222000, size: 0x1000, protection: 0x40.
2020-01-14 13:39:37,533 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:39:37,565 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:39:37,581 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:39:37,581 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:39:37,642 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:39:37,658 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:39:37,658 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:39:37,674 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:39:37,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:39:37,674 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:39:37,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:39:37,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:39:37,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:39:37,690 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:39:37,736 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:39:37,736 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:39:37,736 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:39:37,736 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:39:37,815 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:39:37,815 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:39:37,908 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:39:38,157 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:39:38,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:39:38,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x24220000.
2020-01-14 13:39:38,266 [root] DEBUG: AllocationHandler: New allocation already in tracked region list: 0x24220000, size: 0x1000.
2020-01-14 13:39:38,266 [root] DEBUG: set_caller_info: Adding region at 0x24220000 to caller regions list (kernel32::SetErrorMode).
2020-01-14 13:39:38,345 [root] DEBUG: set_caller_info: Caller at 0x24221118 in tracked regions.
2020-01-14 13:39:38,391 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:39:38,969 [lib.api.process] INFO: Terminate event set for process 2984
2020-01-14 13:39:38,969 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2984).
2020-01-14 13:39:38,969 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:39:38,969 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:39:38,969 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:39:38,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:39:38,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:39:38,984 [root] DEBUG: ProcessImageBase: EP 0x0000FFEF image base 0x00400000 size 0x0 entropy 3.321663e+00.
2020-01-14 13:39:38,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:39:38,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-01-14 13:39:38,984 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:39:39,000 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01DC0000.
2020-01-14 13:39:39,000 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a140a.
2020-01-14 13:39:39,016 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x204A0000.
2020-01-14 13:39:39,078 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a140a.
2020-01-14 13:39:39,078 [root] DEBUG: DumpPEsInRange: Scanning range 0x204a0000 - 0x204a140a.
2020-01-14 13:39:39,078 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x204A0000 - 0x204A140A.
2020-01-14 13:39:39,078 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x204a0000-0x204a140a.
2020-01-14 13:39:39,094 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_21172304864942014212020 successfully created, size 0x10000
2020-01-14 13:39:39,094 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x204A0000 - 0x204A140A.
2020-01-14 13:39:39,109 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x204a6000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:39,109 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_44174020639391314212020 successfully created, size 0x10000
2020-01-14 13:39:39,125 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x204a0000
2020-01-14 13:39:39,125 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x204a0000
2020-01-14 13:39:39,312 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x204A0000 size 0x10000.
2020-01-14 13:39:39,358 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x204A0000 size 0x10000.
2020-01-14 13:39:39,358 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_21292387844952014212020 successfully created, size 0x1000
2020-01-14 13:39:39,375 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_96228873239391314212020 successfully created, size 0x1000
2020-01-14 13:39:39,391 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_21292387844952014212020
2020-01-14 13:39:39,391 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_96228873239391314212020
2020-01-14 13:39:39,405 [root] DEBUG: DumpRegion: Dumped stack region from 0x204A0000, size 0x1000.
2020-01-14 13:39:39,405 [root] DEBUG: DumpRegion: Dumped stack region from 0x204A0000, size 0x1000.
2020-01-14 13:39:39,405 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x204A0000.
2020-01-14 13:39:39,405 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x204A0000.
2020-01-14 13:39:39,405 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x204a0000 - 0x204a140a.
2020-01-14 13:39:39,405 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x204a0000 - 0x204a140a.
2020-01-14 13:39:39,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:39:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-01-14 13:39:39,421 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1a50 in capemon caught accessing 0x3e0000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:39,421 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:39:39,421 [root] DEBUG: ScanForNonZero: Exception occured reading memory address 0x3e0000
2020-01-14 13:39:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:39:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00500000.
2020-01-14 13:39:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:39:39,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00530000.
2020-01-14 13:39:39,421 [root] DEBUG: DumpPEsInRange: Scanning range 0x530000 - 0x531000.
2020-01-14 13:39:39,421 [root] DEBUG: DumpPEsInRange: Scanning range 0x530000 - 0x531000.
2020-01-14 13:39:39,437 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x530000-0x531000.
2020-01-14 13:39:39,437 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x530000-0x531000.
2020-01-14 13:39:39,437 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00530000 - 0x00531000.
2020-01-14 13:39:39,437 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00530000 - 0x00531000.
2020-01-14 13:39:39,437 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_9611191624952014212020 successfully created, size 0x10000
2020-01-14 13:39:39,437 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_209374848539391314212020 successfully created, size 0x10000
2020-01-14 13:39:39,437 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x531000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:39,437 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x530000
2020-01-14 13:39:39,453 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x530000
2020-01-14 13:39:39,453 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00530000 size 0x10000.
2020-01-14 13:39:39,453 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00530000 size 0x10000.
2020-01-14 13:39:39,453 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_127142367139391314212020 successfully created, size 0x1000
2020-01-14 13:39:39,608 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_7950324294952014212020 successfully created, size 0x1000
2020-01-14 13:39:39,608 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_127142367139391314212020
2020-01-14 13:39:39,655 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_7950324294952014212020
2020-01-14 13:39:39,703 [root] DEBUG: DumpRegion: Dumped stack region from 0x00530000, size 0x1000.
2020-01-14 13:39:39,703 [root] DEBUG: DumpRegion: Dumped stack region from 0x00530000, size 0x1000.
2020-01-14 13:39:39,703 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00530000.
2020-01-14 13:39:39,703 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00530000.
2020-01-14 13:39:39,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x530000 - 0x531000.
2020-01-14 13:39:39,703 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x530000 - 0x531000.
2020-01-14 13:39:39,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:39:39,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:39:39,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x205B0000.
2020-01-14 13:39:39,717 [root] DEBUG: DumpPEsInRange: Scanning range 0x520000 - 0x521000.
2020-01-14 13:39:39,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00520000.
2020-01-14 13:39:39,733 [root] DEBUG: DumpPEsInRange: Scanning range 0x520000 - 0x521000.
2020-01-14 13:39:39,733 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x520000-0x521000.
2020-01-14 13:39:39,733 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x520000-0x521000.
2020-01-14 13:39:39,733 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00520000 - 0x00521000.
2020-01-14 13:39:39,796 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00520000 - 0x00521000.
2020-01-14 13:39:40,076 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_83661755639391314212020 successfully created, size 0x10000
2020-01-14 13:39:40,171 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_11163089164952014212020 successfully created, size 0x10000
2020-01-14 13:39:40,171 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x520000
2020-01-14 13:39:40,171 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x521000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:40,186 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x520000
2020-01-14 13:39:40,249 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00520000 size 0x10000.
2020-01-14 13:39:40,342 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_15436596440391314212020 successfully created, size 0x1000
2020-01-14 13:39:40,342 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00520000 size 0x10000.
2020-01-14 13:39:40,436 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_2782415975062014212020 successfully created, size 0x1000
2020-01-14 13:39:40,825 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_15436596440391314212020
2020-01-14 13:39:40,841 [root] DEBUG: DumpRegion: Dumped stack region from 0x00520000, size 0x1000.
2020-01-14 13:39:40,841 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00520000.
2020-01-14 13:39:40,857 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x520000 - 0x521000.
2020-01-14 13:39:40,857 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_2782415975062014212020
2020-01-14 13:39:40,857 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:39:40,872 [root] DEBUG: DumpRegion: Dumped stack region from 0x00520000, size 0x1000.
2020-01-14 13:39:40,872 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:39:40,872 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00520000.
2020-01-14 13:39:40,872 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:39:40,872 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x520000 - 0x521000.
2020-01-14 13:39:40,872 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:39:40,872 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x203F0000.
2020-01-14 13:39:40,888 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x511000.
2020-01-14 13:39:40,888 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x229D0000.
2020-01-14 13:39:40,888 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510000-0x511000.
2020-01-14 13:39:40,888 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23170000.
2020-01-14 13:39:40,888 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00510000 - 0x00511000.
2020-01-14 13:39:40,888 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00510000.
2020-01-14 13:39:40,888 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_203230064040391314212020 successfully created, size 0x10000
2020-01-14 13:39:40,888 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x511000.
2020-01-14 13:39:40,904 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x510000
2020-01-14 13:39:40,904 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510000-0x511000.
2020-01-14 13:39:40,904 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00510000 size 0x10000.
2020-01-14 13:39:40,904 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00510000 - 0x00511000.
2020-01-14 13:39:40,950 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_20735429795062014212020 successfully created, size 0x10000
2020-01-14 13:39:40,950 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_172427740040391314212020 successfully created, size 0x1000
2020-01-14 13:39:40,950 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x511000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:40,966 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x510000
2020-01-14 13:39:40,966 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_172427740040391314212020
2020-01-14 13:39:40,966 [root] DEBUG: DumpRegion: Dumped stack region from 0x00510000, size 0x1000.
2020-01-14 13:39:40,966 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00510000 size 0x10000.
2020-01-14 13:39:40,966 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00510000.
2020-01-14 13:39:40,982 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_5566448365062014212020 successfully created, size 0x1000
2020-01-14 13:39:40,982 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x510000 - 0x511000.
2020-01-14 13:39:40,982 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:39:40,982 [root] DEBUG: DumpPEsInRange: Scanning range 0x20490000 - 0x20491000.
2020-01-14 13:39:40,996 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20490000-0x20491000.
2020-01-14 13:39:41,153 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_5566448365062014212020
2020-01-14 13:39:41,325 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x20490000 - 0x20491000.
2020-01-14 13:39:41,325 [root] DEBUG: DumpRegion: Dumped stack region from 0x00510000, size 0x1000.
2020-01-14 13:39:41,387 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00510000.
2020-01-14 13:39:41,387 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_208316290841391314212020 successfully created, size 0x10000
2020-01-14 13:39:41,387 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x20490000
2020-01-14 13:39:41,387 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x510000 - 0x511000.
2020-01-14 13:39:41,418 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x20490000 size 0x10000.
2020-01-14 13:39:41,418 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20490000.
2020-01-14 13:39:41,434 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_58371653041391314212020 successfully created, size 0x5000
2020-01-14 13:39:41,434 [root] DEBUG: DumpPEsInRange: Scanning range 0x20490000 - 0x20491000.
2020-01-14 13:39:41,575 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20490000-0x20491000.
2020-01-14 13:39:41,575 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_58371653041391314212020
2020-01-14 13:39:41,575 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x20490000 - 0x20491000.
2020-01-14 13:39:41,589 [root] DEBUG: DumpRegion: Dumped stack region from 0x20490000, size 0x5000.
2020-01-14 13:39:41,589 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_15196556125172014212020 successfully created, size 0x10000
2020-01-14 13:39:41,589 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x20490000.
2020-01-14 13:39:41,589 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x20495000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:41,605 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20490000 - 0x20491000.
2020-01-14 13:39:41,605 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x20490000
2020-01-14 13:39:41,605 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:39:41,605 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x20490000 size 0x10000.
2020-01-14 13:39:41,605 [root] DEBUG: DumpPEsInRange: Scanning range 0x20890000 - 0x20891000.
2020-01-14 13:39:41,621 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_19376607865172014212020 successfully created, size 0x5000
2020-01-14 13:39:41,621 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20890000-0x20891000.
2020-01-14 13:39:41,621 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x20890000 - 0x20891000.
2020-01-14 13:39:41,637 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_11593831741391314212020 successfully created, size 0x40000
2020-01-14 13:39:41,637 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_19376607865172014212020
2020-01-14 13:39:41,637 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x20890000
2020-01-14 13:39:41,637 [root] DEBUG: DumpRegion: Dumped stack region from 0x20490000, size 0x5000.
2020-01-14 13:39:41,667 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x20890000 size 0x40000.
2020-01-14 13:39:41,776 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x20490000.
2020-01-14 13:39:41,776 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_3785704541391314212020 successfully created, size 0x2000
2020-01-14 13:39:41,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20490000 - 0x20491000.
2020-01-14 13:39:41,792 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20890000.
2020-01-14 13:39:41,823 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_3785704541391314212020
2020-01-14 13:39:41,823 [root] DEBUG: DumpRegion: Dumped stack region from 0x20890000, size 0x2000.
2020-01-14 13:39:41,823 [root] DEBUG: DumpPEsInRange: Scanning range 0x20890000 - 0x20891000.
2020-01-14 13:39:41,839 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20890000-0x20891000.
2020-01-14 13:39:41,839 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x20890000.
2020-01-14 13:39:41,871 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20890000 - 0x20891000.
2020-01-14 13:39:41,871 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x20890000 - 0x20891000.
2020-01-14 13:39:41,887 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:39:41,887 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_19853987315172014212020 successfully created, size 0x40000
2020-01-14 13:39:41,887 [root] DEBUG: DumpPEsInRange: Scanning range 0x20830000 - 0x20831000.
2020-01-14 13:39:41,887 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x20892000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:41,901 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20830000-0x20831000.
2020-01-14 13:39:41,901 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x20890000
2020-01-14 13:39:41,901 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x20830000 - 0x20831000.
2020-01-14 13:39:41,901 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x20890000 size 0x40000.
2020-01-14 13:39:41,901 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_66483441441391314212020 successfully created, size 0x10000
2020-01-14 13:39:41,933 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_10094770285172014212020 successfully created, size 0x2000
2020-01-14 13:39:41,933 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x20830000
2020-01-14 13:39:41,948 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x20830000 size 0x10000.
2020-01-14 13:39:41,980 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_131468113041391314212020 successfully created, size 0x2000
2020-01-14 13:39:41,980 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_10094770285172014212020
2020-01-14 13:39:41,996 [root] DEBUG: DumpRegion: Dumped stack region from 0x20890000, size 0x2000.
2020-01-14 13:39:41,996 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x20890000.
2020-01-14 13:39:41,996 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20890000 - 0x20891000.
2020-01-14 13:39:41,996 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x20830000.
2020-01-14 13:39:42,010 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_131468113041391314212020
2020-01-14 13:39:42,010 [root] DEBUG: DumpPEsInRange: Scanning range 0x20830000 - 0x20831000.
2020-01-14 13:39:42,010 [root] DEBUG: DumpRegion: Dumped stack region from 0x20830000, size 0x2000.
2020-01-14 13:39:42,010 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x20830000-0x20831000.
2020-01-14 13:39:42,010 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x20830000.
2020-01-14 13:39:42,010 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x20830000 - 0x20831000.
2020-01-14 13:39:42,026 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_15127124225272014212020 successfully created, size 0x10000
2020-01-14 13:39:42,026 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20830000 - 0x20831000.
2020-01-14 13:39:42,026 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x20832000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:42,042 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:39:42,042 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x20830000
2020-01-14 13:39:42,088 [root] DEBUG: DumpPEsInRange: Scanning range 0x7ef30000 - 0x7ef80000.
2020-01-14 13:39:42,088 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x20830000 size 0x10000.
2020-01-14 13:39:42,183 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x7ef30fc1
2020-01-14 13:39:42,183 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_9903118065272014212020 successfully created, size 0x2000
2020-01-14 13:39:42,355 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x7EF30000 - 0x7EF80000.
2020-01-14 13:39:42,355 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_150686688842391314212020 successfully created, size 0x50000
2020-01-14 13:39:42,759 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x7ef30000
2020-01-14 13:39:42,759 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_9903118065272014212020
2020-01-14 13:39:42,790 [root] DEBUG: DumpRegion: Dumped stack region from 0x20830000, size 0x2000.
2020-01-14 13:39:42,806 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x20830000.
2020-01-14 13:39:42,806 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x7EF30000 size 0x50000.
2020-01-14 13:39:42,806 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x20830000 - 0x20831000.
2020-01-14 13:39:42,854 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_65075638842391314212020 successfully created, size 0x1000
2020-01-14 13:39:42,854 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF30000.
2020-01-14 13:39:42,868 [root] DEBUG: DumpPEsInRange: Scanning range 0x7ef30000 - 0x7ef80000.
2020-01-14 13:39:42,868 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x1d9a in capemon caught accessing 0x7ef31000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:42,884 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x7ef30fc1
2020-01-14 13:39:42,931 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_65075638842391314212020
2020-01-14 13:39:42,931 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x7EF30000 - 0x7EF80000.
2020-01-14 13:39:42,947 [root] DEBUG: DumpRegion: Dumped stack region from 0x7EF30000, size 0x1000.
2020-01-14 13:39:42,947 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_8261887192292014212020 successfully created, size 0x50000
2020-01-14 13:39:42,963 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x7EF30000.
2020-01-14 13:39:42,963 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x7ef31000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:42,963 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x7ef30000 - 0x7ef80000.
2020-01-14 13:39:42,963 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x7ef30000
2020-01-14 13:39:42,963 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:39:42,979 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x7EF30000 size 0x50000.
2020-01-14 13:39:42,979 [root] DEBUG: DumpPEsInRange: Scanning range 0x7ef20000 - 0x7ef30000.
2020-01-14 13:39:42,979 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_13124353372292014212020 successfully created, size 0x1000
2020-01-14 13:39:42,979 [root] DEBUG: ScanForDisguisedPE: Exception occured scanning buffer at 0x7ef20fc1
2020-01-14 13:39:42,979 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x7EF20000 - 0x7EF30000.
2020-01-14 13:39:42,979 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_60922770842391314212020 successfully created, size 0x10000
2020-01-14 13:39:42,993 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x7ef20000
2020-01-14 13:39:42,993 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_13124353372292014212020
2020-01-14 13:39:42,993 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x7EF20000 size 0x10000.
2020-01-14 13:39:42,993 [root] DEBUG: DumpRegion: Dumped stack region from 0x7EF30000, size 0x1000.
2020-01-14 13:39:43,009 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x7EF30000.
2020-01-14 13:39:43,009 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_65387811243391314212020 successfully created, size 0x1000
2020-01-14 13:39:43,118 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x7ef30000 - 0x7ef80000.
2020-01-14 13:39:43,118 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_65387811243391314212020
2020-01-14 13:39:43,227 [root] DEBUG: DumpRegion: Dumped stack region from 0x7EF20000, size 0x1000.
2020-01-14 13:39:43,227 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x7EF20000.
2020-01-14 13:39:43,305 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:39:43,322 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x7EF20000.
2020-01-14 13:39:43,368 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:39:43,384 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x7ef20000 - 0x7ef30000.
2020-01-14 13:39:43,384 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x24220000.
2020-01-14 13:39:43,384 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23EA0000.
2020-01-14 13:39:43,384 [root] DEBUG: DumpPEsInRange: Scanning range 0x24220000 - 0x24221000.
2020-01-14 13:39:43,400 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x24220000-0x24221000.
2020-01-14 13:39:43,400 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x23E50000.
2020-01-14 13:39:43,400 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x24220000.
2020-01-14 13:39:43,400 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x24220000 - 0x24221000.
2020-01-14 13:39:43,414 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_139424071223102014212020 successfully created, size 0x10000
2020-01-14 13:39:43,414 [root] DEBUG: DumpPEsInRange: Scanning range 0x24220000 - 0x24221000.
2020-01-14 13:39:43,430 [root] DEBUG: CAPEExceptionFilter: Exception 0xc0000005 caught at RVA 0x3ff2e in capemon caught accessing 0x24222000 (expected in memory scans), passing to next handler.
2020-01-14 13:39:43,430 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x24220000-0x24221000.
2020-01-14 13:39:43,430 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x24220000
2020-01-14 13:39:43,447 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x24220000 - 0x24221000.
2020-01-14 13:39:43,447 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x24220000 size 0x10000.
2020-01-14 13:39:43,447 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_30410575543391314212020 successfully created, size 0x10000
2020-01-14 13:39:43,447 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_141329728223102014212020 successfully created, size 0x2000
2020-01-14 13:39:43,447 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x24220000
2020-01-14 13:39:43,461 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x24220000 size 0x10000.
2020-01-14 13:39:43,461 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_141329728223102014212020
2020-01-14 13:39:43,461 [root] DEBUG: DumpMemory: CAPE output file C:\nzkuyO\CAPE\2984_20837897643391314212020 successfully created, size 0x2000
2020-01-14 13:39:43,477 [root] DEBUG: DumpRegion: Dumped stack region from 0x24220000, size 0x2000.
2020-01-14 13:39:43,477 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x24220000.
2020-01-14 13:39:43,493 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_20837897643391314212020
2020-01-14 13:39:43,618 [root] DEBUG: DumpRegion: Dumped stack region from 0x24220000, size 0x2000.
2020-01-14 13:39:43,618 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x24220000 - 0x24221000.
2020-01-14 13:39:43,618 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x24220000.
2020-01-14 13:39:43,634 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x24220000 - 0x24221000.
2020-01-14 13:39:43,711 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1856.
2020-01-14 13:39:43,711 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x41a67f.
2020-01-14 13:39:43,711 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2608.
2020-01-14 13:39:43,726 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-01-14 13:39:43,726 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2788.
2020-01-14 13:39:43,726 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:39:43,726 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2840.
2020-01-14 13:39:43,743 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2508.
2020-01-14 13:39:43,743 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:39:43,743 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2160.
2020-01-14 13:39:43,743 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000FFEF.
2020-01-14 13:39:43,743 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2012.
2020-01-14 13:39:43,759 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x41a67f.
2020-01-14 13:39:43,759 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-01-14 13:39:44,117 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:39:44,132 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:39:44,132 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000FFEF.
2020-01-14 13:39:44,164 [root] INFO: Added new CAPE file to list with path: C:\nzkuyO\CAPE\2984_185148786324102014212020
2020-01-14 13:39:44,164 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x24000.
2020-01-14 13:39:44,180 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x41a67f.
2020-01-14 13:39:44,194 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x0041A67F.
2020-01-14 13:39:44,194 [lib.api.process] INFO: Termination confirmed for process 2984
2020-01-14 13:39:44,194 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x0041A67F.
2020-01-14 13:39:44,194 [root] INFO: Terminate event set for process 2984.
2020-01-14 13:39:44,194 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2984
2020-01-14 13:39:44,194 [root] INFO: Terminating process 2984 before shutdown.
2020-01-14 13:39:44,210 [root] INFO: Waiting for process 2984 to exit.
2020-01-14 13:39:44,210 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x41a67f.
2020-01-14 13:39:45,286 [lib.api.process] INFO: Terminate event set for process 2828
2020-01-14 13:39:45,319 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2828).
2020-01-14 13:39:45,443 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-01-14 13:39:45,552 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF6C0000.
2020-01-14 13:39:45,677 [root] DEBUG: ProcessImageBase: EP 0x000000000000A9B4 image base 0x00000000FF6C0000 size 0x0 entropy 5.873829e+00.
2020-01-14 13:39:45,709 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2128.
2020-01-14 13:39:45,848 [root] DEBUG: Terminate Event: Shutdown complete for process 2828 but failed to inform analyzer.
2020-01-14 13:39:50,638 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2280.
2020-01-14 13:39:50,746 [root] DEBUG: CreateThread: Initialising breakpoints for thread 744.
2020-01-14 13:40:01,012 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2144.

MalScore

10.0

AgentTesla

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2020-01-14 13:36:00 2020-01-14 13:40:57

File Details

File Name RFQ_NO__.EXE
File Size 757760 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 67521442dc3939eda70ba803046fdf3a
SHA1 afa417c2d4c8a890275f822649b0687856d1ca39
SHA256 efb66b6cd415ce50b6ad86a248d63bc4bfc4396197f9cf27870fedc392326c83
SHA512 dd726d58bb5055bc4e2127a25b8230d412512020aab406b26ec4e70f3602660e4133cf636be89efa10ff37f138575389fc7fb779aced01da2d883b8a64bef9b1
CRC32 74FCE714
Ssdeep 12288:RcB7bYuHF53MUDK3ClaAXxJuQdfRvj0FdyEgvY:+f53fOmXuQLvj0fyEg
TrID
  • 88.6% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
  • 4.8% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.1% (.EXE) OS/2 Executable (generic) (2029/13)
  • 2.1% (.EXE) Generic Win/DOS Executable (2002/3)
  • 2.1% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2220 trigged the Yara rule 'embedded_win_api'
Hit: PID 2220 trigged the Yara rule 'shellcode_patterns'
Hit: PID 2984 trigged the Yara rule 'AgentTesla'
NtSetInformationThread: attempt to hide thread from debugger
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgUiRemoteBreakin
DynamicLoader: ntdll.dll/NtSetInformationThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: USER32.dll/GetCursorPos
DynamicLoader: ntdll.dll/NtResumeThread
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/IsTNT
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: USER32.dll/EnumWindows
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: shell32.DLL/ShellExecuteW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/CreateProcessInternalW
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: ntdll.dll/NtProtectVirtualMemory
DynamicLoader: ntdll.dll/DbgBreakPoint
DynamicLoader: ntdll.dll/DbgUiRemoteBreakin
DynamicLoader: ntdll.dll/NtSetInformationThread
DynamicLoader: ntdll.dll/NtAllocateVirtualMemory
DynamicLoader: ntdll.dll/NtGetContextThread
DynamicLoader: ntdll.dll/NtSetContextThread
DynamicLoader: kernel32.dll/GetStartupInfoW
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/IsBadReadPtr
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/FreeResource
DynamicLoader: kernel32.dll/SizeofResource
DynamicLoader: kernel32.dll/LockResource
DynamicLoader: kernel32.dll/LoadResource
DynamicLoader: kernel32.dll/FindResourceA
DynamicLoader: kernel32.dll/Module32Next
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/Module32First
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/HeapSize
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsFree
DynamicLoader: kernel32.dll/InterlockedIncrement
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/InterlockedDecrement
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/SetHandleCount
DynamicLoader: kernel32.dll/GetFileType
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/FreeEnvironmentStringsA
DynamicLoader: kernel32.dll/GetEnvironmentStrings
DynamicLoader: kernel32.dll/FreeEnvironmentStringsW
DynamicLoader: kernel32.dll/GetEnvironmentStringsW
DynamicLoader: kernel32.dll/QueryPerformanceCounter
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/CompareStringA
DynamicLoader: kernel32.dll/CompareStringW
DynamicLoader: kernel32.dll/SetEnvironmentVariableA
DynamicLoader: kernel32.dll/WriteConsoleA
DynamicLoader: kernel32.dll/GetConsoleOutputCP
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/GetLocaleInfoA
DynamicLoader: kernel32.dll/LCMapStringA
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/GetStringTypeA
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/CLRCreateInstance
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: mscoree.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: kernel32.dll/GetCurrentPackageId
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: msvcrt.dll/_set_error_mode
DynamicLoader: msvcrt.dll/?set_terminate@@YAP6AXXZP6AXXZ@Z
DynamicLoader: msvcrt.dll/_get_terminate
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: mscoree.dll/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: mscorwks.dll/SetLoadedByMscoree
DynamicLoader: mscorwks.dll/_CorExeMain
DynamicLoader: mscorwks.dll/GetCLRFunction
DynamicLoader: ADVAPI32.dll/RegisterTraceGuidsW
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/GetTraceLoggerHandle
DynamicLoader: ADVAPI32.dll/GetTraceEnableLevel
DynamicLoader: ADVAPI32.dll/GetTraceEnableFlags
DynamicLoader: ADVAPI32.dll/TraceEvent
DynamicLoader: mscoree.dll/IEE
DynamicLoader: mscoreei.dll/IEE_RetAddr
DynamicLoader: mscoreei.dll/IEE
DynamicLoader: mscorwks.dll/IEE
DynamicLoader: mscoree.dll/GetStartupFlags
DynamicLoader: mscoreei.dll/GetStartupFlags_RetAddr
DynamicLoader: mscoreei.dll/GetStartupFlags
DynamicLoader: mscoree.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetHostConfigurationFile_RetAddr
DynamicLoader: mscoreei.dll/GetHostConfigurationFile
DynamicLoader: mscoreei.dll/GetCORVersion_RetAddr
DynamicLoader: mscoreei.dll/GetCORVersion
DynamicLoader: mscoree.dll/GetCORSystemDirectory
DynamicLoader: mscoreei.dll/GetCORSystemDirectory_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: kernel32.dll/SetThreadStackGuarantee
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/AddVectoredContinueHandler
DynamicLoader: kernel32.dll/RemoveVectoredContinueHandler
DynamicLoader: ADVAPI32.dll/ConvertSidToStringSidW
DynamicLoader: shell32.DLL/SHGetFolderPathW
DynamicLoader: kernel32.dll/FlushProcessWriteBuffers
DynamicLoader: kernel32.dll/GetWriteWatch
DynamicLoader: kernel32.dll/ResetWriteWatch
DynamicLoader: kernel32.dll/CreateMemoryResourceNotification
DynamicLoader: kernel32.dll/QueryMemoryResourceNotification
DynamicLoader: mscoree.dll/_CorExeMain
DynamicLoader: mscoree.dll/_CorImageUnloading
DynamicLoader: mscoree.dll/_CorValidateImage
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: kernel32.dll/QueryActCtxW
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetVersionEx
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/GetFullPathName
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: ADVAPI32.dll/CryptAcquireContextA
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptGetHashParam
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptVerifySignatureA
DynamicLoader: ADVAPI32.dll/CryptSignHashA
DynamicLoader: ADVAPI32.dll/CryptGetProvParam
DynamicLoader: ADVAPI32.dll/CryptGetUserKey
DynamicLoader: ADVAPI32.dll/CryptEnumProvidersA
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: mscorjit.dll/getJit
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: bcrypt.dll/BCryptGetFipsAlgorithmMode
DynamicLoader: kernel32.dll/GetEnvironmentVariable
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrlen
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetFileAttributesEx
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoGetObjectContext
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/MkParseDisplayName
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: ole32.dll/BindMoniker
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: SXS.DLL/SxsLookupClrGuid
DynamicLoader: kernel32.dll/ReleaseActCtx
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mscoreei.dll/_CorDllMain_RetAddr
DynamicLoader: mscoreei.dll/_CorDllMain
DynamicLoader: mscoree.dll/GetTokenForVTableEntry
DynamicLoader: mscoree.dll/SetTargetForVTableEntry
DynamicLoader: mscoree.dll/GetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTokenForVTableEntry
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/SetTargetForVTableEntry
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry_RetAddr
DynamicLoader: mscoreei.dll/GetTargetForVTableEntry
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: OLEAUT32.dll/VariantInit
DynamicLoader: OLEAUT32.dll/VariantClear
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/CreateEvent
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: ole32.dll/IIDFromString
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: kernel32.dll/LoadLibrary
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: wminet_utils.dll/ResetSecurity
DynamicLoader: wminet_utils.dll/SetSecurity
DynamicLoader: wminet_utils.dll/BlessIWbemServices
DynamicLoader: wminet_utils.dll/BlessIWbemServicesObject
DynamicLoader: wminet_utils.dll/GetPropertyHandle
DynamicLoader: wminet_utils.dll/WritePropertyValue
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/VerifyClientKey
DynamicLoader: wminet_utils.dll/GetQualifierSet
DynamicLoader: wminet_utils.dll/Get
DynamicLoader: wminet_utils.dll/Put
DynamicLoader: wminet_utils.dll/Delete
DynamicLoader: wminet_utils.dll/GetNames
DynamicLoader: wminet_utils.dll/BeginEnumeration
DynamicLoader: wminet_utils.dll/Next
DynamicLoader: wminet_utils.dll/EndEnumeration
DynamicLoader: wminet_utils.dll/GetPropertyQualifierSet
DynamicLoader: wminet_utils.dll/Clone
DynamicLoader: wminet_utils.dll/GetObjectText
DynamicLoader: wminet_utils.dll/SpawnDerivedClass
DynamicLoader: wminet_utils.dll/SpawnInstance
DynamicLoader: wminet_utils.dll/CompareTo
DynamicLoader: wminet_utils.dll/GetPropertyOrigin
DynamicLoader: wminet_utils.dll/InheritsFrom
DynamicLoader: wminet_utils.dll/GetMethod
DynamicLoader: wminet_utils.dll/PutMethod
DynamicLoader: wminet_utils.dll/DeleteMethod
DynamicLoader: wminet_utils.dll/BeginMethodEnumeration
DynamicLoader: wminet_utils.dll/NextMethod
DynamicLoader: wminet_utils.dll/EndMethodEnumeration
DynamicLoader: wminet_utils.dll/GetMethodQualifierSet
DynamicLoader: wminet_utils.dll/GetMethodOrigin
DynamicLoader: wminet_utils.dll/QualifierSet_Get
DynamicLoader: wminet_utils.dll/QualifierSet_Put
DynamicLoader: wminet_utils.dll/QualifierSet_Delete
DynamicLoader: wminet_utils.dll/QualifierSet_GetNames
DynamicLoader: wminet_utils.dll/QualifierSet_BeginEnumeration
DynamicLoader: wminet_utils.dll/QualifierSet_Next
DynamicLoader: wminet_utils.dll/QualifierSet_EndEnumeration
DynamicLoader: wminet_utils.dll/GetCurrentApartmentType
DynamicLoader: wminet_utils.dll/GetDemultiplexedStub
DynamicLoader: wminet_utils.dll/CreateInstanceEnumWmi
DynamicLoader: wminet_utils.dll/CreateClassEnumWmi
DynamicLoader: wminet_utils.dll/ExecQueryWmi
DynamicLoader: wminet_utils.dll/ExecNotificationQueryWmi
DynamicLoader: wminet_utils.dll/PutInstanceWmi
DynamicLoader: wminet_utils.dll/PutClassWmi
DynamicLoader: wminet_utils.dll/CloneEnumWbemClassObject
DynamicLoader: wminet_utils.dll/ConnectServerWmi
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: OLEAUT32.dll/SysStringLen
DynamicLoader: kernel32.dll/ZeroMemory
DynamicLoader: kernel32.dll/ZeroMemoryA
DynamicLoader: kernel32.dll/RtlZeroMemory
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: kernel32.dll/GetComputerName
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/GetModuleHandle
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetCurrentProcessIdW
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtQuerySystemInformationW
DynamicLoader: kernel32.dll/CreateDirectory
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/CopyFile
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueEx
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/DeleteFile
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateIoCompletionPort
DynamicLoader: kernel32.dll/PostQueuedCompletionStatus
DynamicLoader: ntdll.dll/NtQueryInformationThread
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtGetCurrentProcessorNumber
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: USER32.dll/GetLastInputInfo
DynamicLoader: shfolder.dll/SHGetFolderPath
DynamicLoader: shfolder.dll/SHGetFolderPathW
DynamicLoader: kernel32.dll/FindFirstFile
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/CreateFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: mscoreei.dll/LoadLibraryShim_RetAddr
DynamicLoader: mscoreei.dll/LoadLibraryShim
DynamicLoader: culture.dll/ConvertLangIdToCultureName
DynamicLoader: MLANG.dll/
DynamicLoader: WININET.dll/FindFirstUrlCacheEntryA
DynamicLoader: kernel32.dll/SetFileInformationByHandle
DynamicLoader: shell32.DLL/SHGetFolderPathW
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: VSSAPI.DLL/CreateWriter
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ADVAPI32.dll/LookupAccountNameW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: samcli.dll/NetLocalGroupGetMembers
DynamicLoader: SAMLIB.dll/SamConnect
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: SAMLIB.dll/SamOpenDomain
DynamicLoader: SAMLIB.dll/SamLookupNamesInDomain
DynamicLoader: SAMLIB.dll/SamOpenAlias
DynamicLoader: SAMLIB.dll/SamFreeMemory
DynamicLoader: SAMLIB.dll/SamCloseHandle
DynamicLoader: SAMLIB.dll/SamGetMembersInAlias
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/StringFromCLSID
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: PROPSYS.dll/VariantToPropVariant
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeObjectAccessAuditEvent2
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeAuditEvent
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingCreateW
DynamicLoader: RPCRT4.dll/RpcBindingBind
DynamicLoader: RPCRT4.dll/I_RpcMapWin32Status
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: ADVAPI32.dll/EventWrite
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: kernel32.dll/RegSetValueExW
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: wmisvc.dll/IsImproperShutdownDetected
DynamicLoader: Wevtapi.dll/EvtRender
DynamicLoader: Wevtapi.dll/EvtNext
DynamicLoader: Wevtapi.dll/EvtClose
DynamicLoader: Wevtapi.dll/EvtQuery
DynamicLoader: Wevtapi.dll/EvtCreateRenderContext
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcBindingSetOption
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ole32.dll/CoCreateFreeThreadedMarshaler
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: KERNELBASE.dll/InitializeAcl
DynamicLoader: KERNELBASE.dll/AddAce
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: kernel32.dll/IsThreadAFiber
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: kernel32.dll/OpenProcessToken
DynamicLoader: KERNELBASE.dll/GetTokenInformation
DynamicLoader: KERNELBASE.dll/DuplicateTokenEx
DynamicLoader: KERNELBASE.dll/AdjustTokenPrivileges
DynamicLoader: KERNELBASE.dll/AllocateAndInitializeSid
DynamicLoader: KERNELBASE.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/SetThreadToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzInitializeResourceManager
DynamicLoader: authZ.dll/AuthzInitializeContextFromSid
DynamicLoader: authZ.dll/AuthzInitializeContextFromToken
DynamicLoader: authZ.dll/AuthzAccessCheck
DynamicLoader: authZ.dll/AuthzFreeContext
DynamicLoader: authZ.dll/AuthzFreeResourceManager
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetCallContext
DynamicLoader: ole32.dll/CoRevertToSelf
DynamicLoader: ADVAPI32.dll/LogonUserExExW
DynamicLoader: SspiCli.dll/LogonUserExExW
DynamicLoader: ole32.dll/CoImpersonateClient
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoSwitchCallContext
DynamicLoader: ole32.dll/CoCreateGuid
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: sechost.dll/ConvertStringSecurityDescriptorToSecurityDescriptorW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: wbemcore.dll/Reinitialize
DynamicLoader: kernel32.dll/RegCreateKeyExW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: ntdll.dll/EtwRegisterTraceGuidsW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: wbemsvc.dll/DllGetClassObject
DynamicLoader: wbemsvc.dll/DllCanUnloadNow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/GetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/SetThreadPreferredUILanguages
DynamicLoader: kernel32.dll/LocaleNameToLCID
DynamicLoader: kernel32.dll/GetLocaleInfoEx
DynamicLoader: kernel32.dll/LCIDToLocaleName
DynamicLoader: kernel32.dll/GetSystemDefaultLocaleName
DynamicLoader: WMI.DLL/WmiQueryAllDataW
DynamicLoader: WMI.DLL/WmiQuerySingleInstanceW
DynamicLoader: WMI.DLL/WmiSetSingleItemW
DynamicLoader: WMI.DLL/WmiSetSingleInstanceW
DynamicLoader: WMI.DLL/WmiExecuteMethodW
DynamicLoader: WMI.DLL/WmiNotificationRegistrationW
DynamicLoader: WMI.DLL/WmiMofEnumerateResourcesW
DynamicLoader: WMI.DLL/WmiFileHandleToInstanceNameW
DynamicLoader: WMI.DLL/WmiDevInstToInstanceNameW
DynamicLoader: WMI.DLL/WmiQueryGuidInformation
DynamicLoader: WMI.DLL/WmiOpenBlock
DynamicLoader: WMI.DLL/WmiCloseBlock
DynamicLoader: WMI.DLL/WmiFreeBuffer
DynamicLoader: WMI.DLL/WmiEnumerateGuids
DynamicLoader: OLEAUT32.dll/
CAPE extracted potentially suspicious content
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted PE Image: 32-bit executable
RFQ_NO__.EXE: AgentTesla Payload: 32-bit executable
RFQ_NO__.EXE: [{u'strings': [u'IELibrary.dll', u'GetSavedPasswords', u'C:\\Users\\Admin\\Desktop\\IELibrary\\IELibrary\\obj\\Debug\\IELibrary.pdb', u'GetSavedCookies'], u'meta': {u'cape_type': u'AgentTesla Payload', u'description': u'AgentTesla Payload', u'author': u'kevoreilly'}, u'addresses': {u'agt4': 257429L, u'agt1': 256668L, u'agt2': 260058L, u'agt3': 257333L}, u'name': u'AgentTesla'}]
RFQ_NO__.EXE: AgentTesla Payload: 32-bit DLL
RFQ_NO__.EXE: [{u'strings': [u'IELibrary.dll', u'GetSavedPasswords', u'C:\\Users\\Admin\\Desktop\\IELibrary\\IELibrary\\obj\\Debug\\IELibrary.pdb', u'GetSavedCookies'], u'meta': {u'cape_type': u'AgentTesla Payload', u'description': u'AgentTesla Payload', u'author': u'kevoreilly'}, u'addresses': {u'agt4': 12119L, u'agt1': 11358L, u'agt2': 14748L, u'agt3': 12023L}, u'name': u'AgentTesla'}]
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted PE Image
RFQ_NO__.EXE: Extracted PE Image
RFQ_NO__.EXE: Extracted PE Image
RFQ_NO__.EXE: Extracted PE Image
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode
RFQ_NO__.EXE: Extracted Shellcode: 32-bit executable
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.15, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x000b5000, virtual_size: 0x000b4be4
Behavioural detection: Injection (Process Hollowing)
Injection: RFQ_NO__.EXE(2220) -> RFQ_NO__.EXE(2984)
Executed a process and injected code into it, probably while unpacking
Injection: RFQ_NO__.EXE(2220) -> RFQ_NO__.EXE(2984)
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe:Zone.Identifier
A process attempted to delay the analysis task by a long amount of time.
Process: RFQ_NO__.EXE tried to sleep 4498 seconds, actually delayed analysis time by 0 seconds
Process: WmiPrvSE.exe tried to sleep 302 seconds, actually delayed analysis time by 0 seconds
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: RFQ_NO__.EXE (2984) called API NtYieldExecution 13863 times
Spam: services.exe (460) called API GetSystemTimeAsFileTime 461484 times
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MyApp
data: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe
CAPE detected the AgentTesla malware family
Checks the CPU name from registry, possibly for anti-virtualization
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\MyApp\MyApp.exe
Collects information to fingerprint the system

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Web__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\RFQ_NO__.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\54A065E5
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Classes\WinMgmts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Software\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_CURRENT_USER\Software\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_CLASSES_ROOT\CLSID\{62E522DC-8CF3-40A8-8B2E-37D595651E40}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\809
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
HKEY_CURRENT_USER\Software\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Progid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{04B83D61-21AE-11D2-8B33-00600806D9B6}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.CustomMarshalers__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.VisualC__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.ni.dll
HKEY_CLASSES_ROOT\CLSID\{D6BDAFB2-9435-491F-BB87-6AA0F0BC31A2}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\wminet_utils.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MyApp
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.ZRQMZAMQXQRFUHLVCYARWFBMLIMRQRZYKGHSLAOI_20190520131250488.resources_en-US_461d39c4a423da0b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\fa635c7\528d10ae
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|RFQ_NO__.EXE
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|RFQ_NO__.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|RFQ_NO__.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.0.0.ZRQMZAMQXQRFUHLVCYARWFBMLIMRQRZYKGHSLAOI_20190520131250488.resources_en_461d39c4a423da0b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\fa635c7\f817ee3
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index149\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\mscorjit.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\7a\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2d382ce6\85\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\1bd7b0d8\87\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\163e1f5e\80\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\1c83327b\86\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\7f3b6ac4\78\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\1b2590b1\7c\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\2bd33e1c\79\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\88\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6f1da7aa\88\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\7b\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\a5cd4db\7e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\2e\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\46ad0879\6f\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\38a3212c\44\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\455bab30\6e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\53bea2b0\2e\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\54A065E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WINMGMTS\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\109d7e79\357ee49a\44\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3d590c3f\59f3b67b\82\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\357ee49a\7d2df0ec\41\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\CustomMarshalers,2.0.0.0,,b03f5f7f11d50a3a,x86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualC,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\CustomMarshalers.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5a8de2c3\2b1a4e4\47\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\73843e06\43a920ef\66\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\141dfd70\6b79efab\43\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\wminet_utils.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\System.Management.ni.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MyApp
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\culture.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
\xeb\xaa\x80\xc7\xaeEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
kernel32.dll.CreateIoCompletionPort
kernel32.dll.PostQueuedCompletionStatus
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtGetCurrentProcessorNumber
user32.dll.GetLastInputInfo
shfolder.dll.SHGetFolderPathW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
mlang.dll.#112
wininet.dll.FindFirstUrlCacheEntryA
kernel32.dll.SetFileInformationByHandle
vaultcli.dll.VaultEnumerateVaults
vssapi.dll.CreateWriter
advapi32.dll.LookupAccountNameW
samcli.dll.NetLocalGroupGetMembers
samlib.dll.SamConnect
rpcrt4.dll.NdrClientCall3
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
netutils.dll.NetApiBufferFree
ole32.dll.CoCreateGuid
ole32.dll.StringFromCLSID
propsys.dll.VariantToPropVariant
wbemcore.dll.Reinitialize
wbemsvc.dll.DllGetClassObject
wbemsvc.dll.DllCanUnloadNow
authz.dll.AuthzInitializeContextFromToken
authz.dll.AuthzInitializeObjectAccessAuditEvent2
authz.dll.AuthzAccessCheck
authz.dll.AuthzFreeAuditEvent
authz.dll.AuthzFreeContext
authz.dll.AuthzInitializeResourceManager
authz.dll.AuthzFreeResourceManager
rpcrt4.dll.RpcBindingCreateW
rpcrt4.dll.RpcBindingBind
rpcrt4.dll.I_RpcMapWin32Status
advapi32.dll.EventRegister
advapi32.dll.EventUnregister
advapi32.dll.EventWrite
kernel32.dll.RegCloseKey
kernel32.dll.RegSetValueExW
kernel32.dll.RegQueryValueExW
wmisvc.dll.IsImproperShutdownDetected
wevtapi.dll.EvtRender
wevtapi.dll.EvtNext
wevtapi.dll.EvtClose
wevtapi.dll.EvtQuery
wevtapi.dll.EvtCreateRenderContext
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.RpcBindingSetOption
ole32.dll.CoCreateFreeThreadedMarshaler
ole32.dll.CreateStreamOnHGlobal
advapi32.dll.RegCreateKeyExW
cryptsp.dll.CryptReleaseContext
kernelbase.dll.InitializeAcl
kernelbase.dll.AddAce
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
kernel32.dll.IsThreadAFiber
kernel32.dll.OpenProcessToken
kernelbase.dll.GetTokenInformation
kernelbase.dll.DuplicateTokenEx
kernelbase.dll.AdjustTokenPrivileges
kernelbase.dll.AllocateAndInitializeSid
kernelbase.dll.CheckTokenMembership
kernel32.dll.SetThreadToken
oleaut32.dll.#285
oleaut32.dll.#12
ole32.dll.CLSIDFromString
oleaut32.dll.#286
oleaut32.dll.#17
oleaut32.dll.#20
oleaut32.dll.#19
oleaut32.dll.#25
authz.dll.AuthzInitializeContextFromSid
ole32.dll.CoGetCallContext
ole32.dll.CoRevertToSelf
advapi32.dll.LogonUserExExW
sspicli.dll.LogonUserExExW
ole32.dll.CoImpersonateClient
advapi32.dll.OpenThreadToken
oleaut32.dll.#8
ole32.dll.CoSwitchCallContext
oleaut32.dll.#287
oleaut32.dll.#288
oleaut32.dll.#289
kernel32.dll.RegCreateKeyExW
ntdll.dll.EtwRegisterTraceGuidsW
ntmarta.dll.GetMartaExtensionInterface
oleaut32.dll.#290
wmi.dll.WmiQueryAllDataW
wmi.dll.WmiQuerySingleInstanceW
wmi.dll.WmiSetSingleItemW
wmi.dll.WmiSetSingleInstanceW
wmi.dll.WmiExecuteMethodW
wmi.dll.WmiNotificationRegistrationW
wmi.dll.WmiMofEnumerateResourcesW
wmi.dll.WmiFileHandleToInstanceNameW
wmi.dll.WmiDevInstToInstanceNameW
wmi.dll.WmiQueryGuidInformation
wmi.dll.WmiOpenBlock
wmi.dll.WmiCloseBlock
wmi.dll.WmiFreeBuffer
wmi.dll.WmiEnumerateGuids
"C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE"
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\lsass.exe
Local\MSCTF.Asm.MutexDefault1
Global\CLR_CASOFF_MUTEX
Local\_!MSFTHISTORY!_
Local\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!
Local\c:!users!user!appdata!roaming!microsoft!windows!cookies!
Local\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!
VaultSvc

PE Information

Image Base 0x00400000
Entry Point 0x004012a4
Reported Checksum 0x000c02eb
Actual Checksum 0x000c02eb
Minimum OS Version 4.0
Compile Time 2001-05-11 05:28:25
Import Hash a6cf6e1e444e2b2f6ab6c141bca7c979

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000b4be4 0x000b5000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.15
.data 0x000b6000 0x000009f0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x000b7000 0x00001c40 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.88

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaHresultCheck
0x40100c __vbaFreeVar
0x401010 __vbaStrVarMove
0x401014 __vbaFreeVarList
0x401018 _adj_fdiv_m64
0x40101c _adj_fprem1
0x401020 None
0x401028 _adj_fdiv_m32
0x40102c __vbaAryDestruct
0x401030 None
0x401034 __vbaObjSet
0x401038 None
0x40103c _adj_fdiv_m16i
0x401040 __vbaObjSetAddref
0x401044 _adj_fdivr_m16i
0x401048 None
0x40104c __vbaFpR8
0x401050 _CIsin
0x401054 __vbaChkstk
0x401058 EVENT_SINK_AddRef
0x401060 __vbaStrCmp
0x401064 __vbaAryConstruct2
0x401068 None
0x40106c _adj_fpatan
0x401070 None
0x401074 EVENT_SINK_Release
0x401078 None
0x40107c _CIsqrt
0x401084 None
0x401088 __vbaExceptHandler
0x40108c _adj_fprem
0x401090 _adj_fdivr_m64
0x401094 None
0x401098 __vbaFPException
0x40109c _CIlog
0x4010a0 None
0x4010a4 __vbaNew2
0x4010a8 _adj_fdiv_m32i
0x4010ac _adj_fdivr_m32i
0x4010b0 __vbaStrCopy
0x4010b4 _adj_fdivr_m32
0x4010b8 None
0x4010bc _adj_fdiv_r
0x4010c0 None
0x4010c4 None
0x4010c8 __vbaVarTstNe
0x4010cc __vbaInStrB
0x4010d0 __vbaVarDup
0x4010d4 None
0x4010d8 _CIatan
0x4010dc __vbaStrMove
0x4010e0 None
0x4010e4 _allmul
0x4010e8 _CItan
0x4010ec _CIexp
0x4010f0 __vbaFreeObj
0x4010f4 __vbaFreeStr

perspiratenonsecludednessscufflersprimavekslertjenestefolkenesclimatologygrnsernesuperkonstruktionstedsbestemmelsern
pyrosulphurylgunneragasterminalernetotalsaneringenperfektionismensananasstykkerfientimpeacherdaakalveneeschatology
TROOPERSCO
SALTPASTILLERSSENORBJRGERENSNEDARVESPOSTOLIVARYINDVANDRI
Cytochromeenklavensdeductingprespontaneityint
Helligedessaithdagsvrmerenshovedsalenseukalyptustrerremoncenforthgounemotionalnessdyrebeskyttelsesfilmstriml7
KODENDEMALERSVENDSMITESANSOEGERSKRVENESAPAMAREFERENCEGRUPPENUNBIASEDNESSRECOUPEDRHABDOMYOSARCOMAP
Neotraditionalismsubofficersklovneriernemacrosceliaknockoffbeskftigelsesmidletpublishedsowinsl
SELVDEFINERETPROGRAMEDITORENVOLVULIMISCARRIEDFRAKOBLEDEUNTHOLEABLYOPERCELESBREMSEKLODSENLINIETEGNINGENHOMOEPATHA
Trolovesdiolruralstassaniseringersoligarchyslambassinsrebridgehjtidsdagesvinepelsensinappellabelforvarselbehrendsskggetprsidentielmuta7
Hospitalisingteethinglangstrmpesmarskalgossepincreditabilityslaveholdingrevisionsinstitutterneswaveryassyriaracc6
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
ProductName GESero
FileVersion 1.07.0008
ProductVersion 1.07.0008
InternalName jratTA
OriginalFilename jratTA.exe
This file is not on VirusTotal.

Process Tree


RFQ_NO__.EXE, PID: 2220, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE"
RFQ_NO__.EXE, PID: 2984, Parent PID: 2220
Full Path: C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
Command Line: "C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE"
svchost.exe, PID: 568, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe, PID: 2996, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
WmiPrvSE.exe, PID: 2828, Parent PID: 568
Full Path: C:\Windows\sysnative\wbem\WmiPrvSE.exe
Command Line: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
lsass.exe, PID: 3068, Parent PID: 460
Full Path: C:\Windows\sysnative\lsass.exe
Command Line: C:\Windows\system32\lsass.exe

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name ~DF27B3F280540C6B7A.TMP
Associated Filenames
C:\Users\user\AppData\Local\Temp\~DF27B3F280540C6B7A.TMP
File Size 16384 bytes
File Type Composite Document File V2 Document, No summary info
MD5 61f0dcb9a5234364279251e8278a0640
SHA1 d529bd33d56ebdcbd6842172d64a1dd8de8b62f2
SHA256 59a9d6883bf4a020cbe1e4342316f55a7f451efb2c8588fb7729613099468bc8
CRC32 73B54BED
Ssdeep 96:MGvJfbhSTANHXzaTD7eTXVjI6M/UKx5yzq3qYK7YI+c46:MGvfSTS3zaSRjMHxMq6TZ+cv
ClamAV None
Yara None matched
CAPE Yara None matched
File name MyApp.exe
Associated Filenames
C:\Users\user\AppData\Roaming\MyApp\MyApp.exe
File Size 757760 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 67521442dc3939eda70ba803046fdf3a
SHA1 afa417c2d4c8a890275f822649b0687856d1ca39
SHA256 efb66b6cd415ce50b6ad86a248d63bc4bfc4396197f9cf27870fedc392326c83
CRC32 74FCE714
Ssdeep 12288:RcB7bYuHF53MUDK3ClaAXxJuQdfRvj0FdyEgvY:+f53fOmXuQLvj0fyEg
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 15f1793d145ef06def1cba376628eef7
SHA1 b267c307bdb05bc416fa9a058b804f13e27afa57
SHA256 fe25e0555372ef6dce5e8510446a4441ab2c289bfcca834e9afbd45601da2622
CRC32 7BD6EC3E
Ssdeep 3:qRFiJ2totWIltvlVl:qjyx
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
File Size 32768 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 e02b5c7b25280da487209bd48b4163f9
SHA1 7d440a9292567af8570c34e52d03aed14405ae00
SHA256 42bc5d24dab11bbeb8fd93b797b3c5b7e70fee667293a32691767580f1a01a73
CRC32 9703369D
Ssdeep 48:qsLf/ZJLH3ZxqT/mf7RCpwV+4igHDt/UwbmXhBgkBVGWYCIh:qsb/Zp/q0lV9Nbojbm
ClamAV None
Yara None matched
CAPE Yara None matched
File name index.dat
Associated Filenames
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
File Size 65536 bytes
File Type Internet Explorer cache file version Ver 5.2
MD5 d6be67cde3eb8449a6b548dc7aa202cb
SHA1 3c06a401e85c3560dd5ebf59d30f1e1dccbe85bf
SHA256 373059c3e90f31c9467d294f83af774c2a61110c2bee075d7aece1e7950d1e9c
CRC32 E0397E0D
Ssdeep 384:tBwjxBNPrNa73dg3skdVQnQeW+4fTJ16ziXrAsjCCtn/NJ03:YBNaCdBr/CSl
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 40960 bytes
Virtual Address 0x004C0000
Process RFQ_NO__.EXE
PID 2220
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 a7d9d4e566d7f3ebd11369f0eabfb072
SHA1 c27891de3166db3e7a61a0cbe019198c6e5e2aa1
SHA256 2317cd6fa78cb8014ad94882124d3c7d016eb3c8a25e5635931d30ef594c4c70
CRC32 4B9D72C7
Ssdeep 192:ezlZwJ2axbz50hK9mnByDsCsw5zctB+s0Q8/regmL9Sm7oMgCuuSbtlNe5fV9BLR:ez7axv5Bsbw5zctz03agVHMgn8l1cg
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 53248 bytes
Virtual Address 0x01EB0000
Process RFQ_NO__.EXE
PID 2220
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 ca94d872cbca2b46b493828e76d1b9fd
SHA1 8918df24c4f6b106f7fa719863a0438fb67c0d49
SHA256 865759d647bfc58c0e998c5306be541b3521c5711a0d58fa22dc438a52f80459
CRC32 6E9F4622
Ssdeep 1536:ZGIj9mIfb9gE9gr9gL9gl9g/9g+9gJ9g++ODYc0Hxr/2edPFFFz:ZG6fxgogBghgTg1gqgHg++ODYc0Hp/Jj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 138240 bytes
Virtual Address 0x00400000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 4e0394a282543827a26a19539b050bf4
SHA1 081c884c7e6bd8f100d18822a164cc7dde37a963
SHA256 9f81ef37f24cf41b36ddc55dbcef9731dac0c07fa9ff64db2c2e085d79cc48af
CRC32 73241A93
Ssdeep 1536:rRUSMD+EurpwqiT0YOikJXNXaLikUnAQFS3gRTkti3wnToIfjIOlIOj4bq57:rR7EC2Oi8NXC797FtTBfFvj4bq57
Yara None matched
CAPE Yara None matched
Type AgentTesla Payload: 32-bit executable
Size 326656 bytes
Virtual Address 0x01DC0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 51896ae6f213d3bf8e752d017af5985c
SHA1 cafcf6a334ab6413df1b9d3f05c82f4a94ddc8e1
SHA256 2e0fc19b69bf7bee6a557359136b404fefc5b1089eb0b2677fd744d7ddfd32ca
CRC32 DA5594D7
Ssdeep 6144:DqAMEpiLCfiwlGScMzlvkiJKe/kKb7Y7Sw7UwleZkVO:t6RwUuvvKZeMtl8
Yara None matched
CAPE Yara
  • AgentTesla
  • AgentTesla Payload
Type AgentTesla Payload: 32-bit DLL
Size 16896 bytes
Virtual Address 0x01DC0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 bfb160a89f4a607a60464631ed3ed9fd
SHA1 1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
SHA256 d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
CRC32 DC6BEB5F
Ssdeep 384:Gh8dNP5CkOTQASES3ZRtlZxbZxbKU9nxaxP/z48Otsd/rdPgVfvw:GENPKkDv3ZRtlZxbZxbt9xaK8w264
Yara None matched
CAPE Yara
  • AgentTesla
  • AgentTesla Payload
Type Extracted Shellcode
Size 53248 bytes
Virtual Address 0x205B0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 b0230c7390f9407c547a41db4addd8ae
SHA1 a655618ded1eece7170638974dbeea6541ced9bf
SHA256 59cc1fcacc3e22cac956fe329992e20338bd66e60e7d3b3beaf25a1d4809fd64
CRC32 A278F424
Ssdeep 768:sX5dNEjYnIo+8z0Pe5a2Wh7e+HjjbpocapBm1H7xoxBkEt5sO:gdNEj+Io+uqAfWh7eAKcapwJqSE/s
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 16384 bytes
Virtual Address 0x203F0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 10ccbfebbf4b9691608caa4e6ab20100
SHA1 8875373574b82b3553ba4fd4625d5090fd5a213d
SHA256 904c9df8aeaf5d85c3d1078c6037e64e66198206de182d6d8ead70ca7b12b8a4
CRC32 56667D47
Ssdeep 384:mM1tGf1XBvbQEerwEZE+4k+tuEMJJPvbh9cb:m5VtsEecEaxM/N9c
Yara None matched
CAPE Yara None matched
Type Extracted PE Image
Size 7691264 bytes
Virtual Address 0x229D0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 68aa7c3b3a906320b12b6eea2121a635
SHA1 3d860d8bc5d6cc6f9414889d708d89059a4684a6
SHA256 8563872facefa9966b3598e478832b5b97c6a311d57db4e852efc2f8d6fad444
CRC32 9F753AAD
Ssdeep 196608:pFqsk/vGQZRIxbtxhzA686c15oHrv9oGlrq:uZjGbxHrv9BG
Yara None matched
CAPE Yara None matched
Type Extracted PE Image
Size 7691264 bytes
Virtual Address 0x229D0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 2def344842db98eb5096139280ecadb3
SHA1 f7d39b59eea2df0d9cfd35cff98421653fd9bcdd
SHA256 00648245455ae74b5ff1c2e80ed635b7292ff7a18151aade6e502ad66571a048
CRC32 0E5163A8
Ssdeep 98304:QI53v3oskeYAIAiwytZXhzA685vP+IooLUMS2uBzJw0pGWAKurtco:QIN3oskQIxbtxhzA685w21uJJ3Glrq
Yara None matched
CAPE Yara None matched
Type Extracted PE Image
Size 10500863 bytes
Virtual Address 0x23170000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 ab4e99cd465a45c53647e0b1f5de1721
SHA1 73c594788952b2fadb61457b8ecbde145bc86476
SHA256 7dc8794ed5283da319b9b970227f40c2ee27baf5d2a40b710fb259db6189ff0a
CRC32 80F9077D
Ssdeep 98304:USwVDX+Sb8Ey2ZFy5S0glHAfeZi2i3xZbYiWTBYkq+ezkY6I:Pwpvy5S07w03xZbx2BYklezkY6I
Yara None matched
CAPE Yara None matched
Type Extracted PE Image
Size 10485775 bytes
Virtual Address 0x23170000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 db5d03c2b7662b35edd2f861c4c5ad6a
SHA1 e75808837ee48b32884980b4b72ee9e5593882f2
SHA256 836086b9ca09a82074d030af7d1eb82243cd5a9a678db579f9b48954921974fc
CRC32 D850265A
Ssdeep 98304:eLHE5DX+h2dCMUE+kK2AAGJlHAfeZi2i3xRPehpTZ6Ew3qtMP2:cEPJK2AAzw03xRPU9Z6EeqtMP2
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 16384 bytes
Virtual Address 0x23EA0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 8716f88254493ccf08356173eab8829e
SHA1 08f457bc464c96f563582a106dd5db714b39d7f9
SHA256 ab16aca4bcb800ba20883cf35c88c89d71319bebfb1edee1656aeb8672f0e175
CRC32 95638F74
Ssdeep 48:LnNMn1HmMnmlXaMnElL1n0bcYQcl9nQENMnUzU0xNMnqlnnKSNMntisneULHNMn5:PRQP2sOhMB+jlNZ7Alfk85QqgrcirE
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00500000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 9cb31b81c4861626231e451c98bba0bd
SHA1 0cc77a871c7ca80fc1de8a133352c1282603cf85
SHA256 139f69cdac86e32bd0dc062c3cf7b77a2c9f4c60c694725d8e3ec46c90624de8
CRC32 A48A3891
Ssdeep 3:zFZRR//i/8/JrlBuJeRlBlnlX/:zhRXi/8diK
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x23E50000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 713e2ac2254daa657b783d192d8979f8
SHA1 2efa27f92d13ae8449b3c2cec193277e2f9d7f1a
SHA256 8476adee0637324406ebbff52ea559befa2a5ad266ddcbe12bf86d0280ed5ca2
CRC32 2AFEAC0F
Ssdeep 6:xlWAUVAlVll6/LIsQU9ZXXs4W5AlVll6/LDzahQsYiEm9aBLX/lbe5yb:xlLcA3lI/L6A3lI/LS1EKO7lbmM
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x204A0000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 699b30b3232d9569a6cdb6f7138ea31d
SHA1 9c6eed7c3b664dad302a746ecee683350b4a2323
SHA256 1b45a6f97e6ab82af6e641c32e170c619dc658bf761cc36c461dfb8b37880bac
CRC32 44939208
Ssdeep 12:h0ikh+AtVTpOlMY/A/v/K/q/q/q/q/q/VDOqaspS6K1GRppppppppppppppppppR:x+F+PKKs
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00530000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 9644b800feff65b973163f6ca019d2b7
SHA1 32d297f220c7730a3bd2e447d64b6cb9e7ef172c
SHA256 e72af2225c0b712aac3e0c879912925f9d1107434a2fdfd12fcbce4885a0b0ff
CRC32 F74E64E4
Ssdeep 12:aDw0R2Mot2gcJ2Uwl2IkB28Yd2QM52Eh2c4t:a80QMoEgc4UwsIkA8Y0QMoEgc4
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00520000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 b66a2acf7d0abc5d7f089a078bc0a138
SHA1 ee54bcad77ebd4f624111c10fda839a77c2f9820
SHA256 22c0b092edf030e84ed1c416039a744fe78f9524488850f98333bc7eea3ef482
CRC32 4D1FB28C
Ssdeep 3:/9tlttvFP9lRGUltzzR2RcNlNR3BWOaPQk/tLyzQ/zqgWg8f7d61P3nzCwJPll:X99xG8tSc9LJa4veHWg87QAwJ
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00510000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 c307738a744bbc3c74c3ed562cbc0d4d
SHA1 a16a516854a28f908e71f8a1a14fe0f9c67360b2
SHA256 b74f4588a162204711ccb6faea61adfb2d2d120ed33cabc6e4ac4607afbc8304
CRC32 6E851CBD
Ssdeep 3:kel8VcWl+VtxtkFHc3K3K7tNUFr09UccwcJpcdBchirl:kelE/ENtMHOa09PzEwz
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 20480 bytes
Virtual Address 0x20490000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 730208ce8e2b23962063e88a5dae6b57
SHA1 33cfadd43b7bdfe2c9e6e98710e72c42d072efd0
SHA256 06a27456643b01d45130d5b7b4a9fe5466fbb855e0017e09bdd148e685033d02
CRC32 1844419F
Ssdeep 384:8qr4wVnOKzMB7N8Ux6M1y7MarzIKJM/x57Z2:8qcwVFM7N8Ux6M1y7MarzFJM/n7Z2
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 8192 bytes
Virtual Address 0x20890000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 9b8f2123588228b4d1fd5652a536d058
SHA1 ab13d5f1d412fea529f7c6b24e3f1077409a4a72
SHA256 13b408cfd652ddfac25fd0f27d20181804be6797847d59e017e5308d7eacb9ee
CRC32 64638E67
Ssdeep 48:JbSlaNPazYeaIvKvuaehF5GYHNRrMNjU3BZYNqnhL6cJEpYG2uPr/l:JJA8e0vuaehmYtVMBUxZr6SKYG2Or/l
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 8192 bytes
Virtual Address 0x20830000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 51fa9e365c78780950e5ef9d8df21970
SHA1 821088f990f12f7998f3497234a52ba07e45512e
SHA256 7f969f55438be21fd77d2a57a13811fd2901bdef725d61d19e0dff6b5ae2d024
CRC32 6D539F91
Ssdeep 24:YZE1d+/CsclZ944o7wNAjZRO/5NFbTFefJdVO8bRl9iuZ/fXSRnVR/tMemhYTNQ:YZE3o894T1RO/5vteNO8pkVHMSTN
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x7EF30000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 0bf1c9ea9ad0456f3d0991783513b100
SHA1 3457c7148aa39fa68d3c609de6a7f32130a608b2
SHA256 6a7699d87a97ea5bbc8439542cb0bc91f68176086559a9ac1895ef00746d8929
CRC32 022319AD
Ssdeep 3:Uaql/stl+Clrxlh5oWltllrtjRpplXNJJXnNbD1rXF/tl:UF/sX+mXQW1
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x7EF20000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 684e9d604ecce4ce1856876e0c652f1e
SHA1 177796ae5535d4e56a8cef1beb118b0af89b7ddd
SHA256 e121992bead0ef8fdc08ec93533bc8abd4cc2d6b0aada3bbb6a61f77bf93a681
CRC32 F8E26394
Ssdeep 6:3A9tMz2E5dhWLE0h/3yFdvM/HzvSlERAll:etMz2ydhP0J3OdUrsEul
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 8192 bytes
Virtual Address 0x24220000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 b6d8b8daceec4134d036eaf6ffda0c3d
SHA1 6523170fd87ddce924369e5455c4d7df60838ecc
SHA256 c9009d9d7cfac42d9ec8df80545d35a43ff684f0d6c2a962700095a3ad522dbd
CRC32 3E7EBC8F
Ssdeep 96:TU8JQogKF+GVFx9O/auNxVycqA5Rgl8ceEEr+aKW+wfwiG:TUZeFx9zuNmcqA5RueERW+T
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode: 32-bit executable
Size 147456 bytes
Virtual Address 0x00000000
Process RFQ_NO__.EXE
PID 2984
Path C:\Users\user\AppData\Local\Temp\RFQ_NO__.EXE
MD5 9425aad28dcb9287a50415cc7fc87596
SHA1 8096424df1a407e210973ceccb0eecd83d899b0c
SHA256 412ef3ad762e4e85a56cddf9f8364d1e3a79aa1985d72996e7ad0282c616b401
CRC32 473E7A28
Ssdeep 1536:7RUSMD+EurpwqiT0YOikJXNXaLikUnAQFS3gRTkti3wnToIfjIOlIOj4bq573q:7R7EC2Oi8NXC797FtTBfFvj4bq573q
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.


Processing ( 81.727 seconds )

  • 49.272 BehaviorAnalysis
  • 30.908 CAPE
  • 0.498 Static
  • 0.449 Dropped
  • 0.338 TargetInfo
  • 0.114 TrID
  • 0.089 Deduplicate
  • 0.044 Strings
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.003 Debug

Signatures ( 15.572 seconds )

  • 2.0 stealth_timeout
  • 1.679 api_spamming
  • 1.548 decoy_document
  • 1.393 NewtWire Behavior
  • 1.197 Doppelganging
  • 0.831 dyre_behavior
  • 0.739 injection_createremotethread
  • 0.689 exploit_heapspray
  • 0.667 infostealer_browser
  • 0.667 InjectionCreateRemoteThread
  • 0.659 infostealer_browser_password
  • 0.625 antidebug_guardpages
  • 0.618 ipc_namedpipe
  • 0.442 reads_self
  • 0.426 InjectionInterProcess
  • 0.326 antivm_generic_scsi
  • 0.323 stack_pivot
  • 0.158 recon_programs
  • 0.154 antivm_generic_services
  • 0.079 uac_bypass_eventvwr
  • 0.058 antiav_detectreg
  • 0.023 infostealer_ftp
  • 0.018 stealth_file
  • 0.013 mimics_filetime
  • 0.013 antivm_generic_disk
  • 0.013 PlugX
  • 0.013 infostealer_im
  • 0.012 antianalysis_detectreg
  • 0.01 virus
  • 0.01 antiav_detectfile
  • 0.01 infostealer_mail
  • 0.009 bootkit
  • 0.009 ransomware_files
  • 0.007 antisandbox_sleep
  • 0.007 hancitor_behavior
  • 0.006 dynamic_function_loading
  • 0.006 antivm_vbox_keys
  • 0.006 infostealer_bitcoin
  • 0.005 malicious_dynamic_function_loading
  • 0.005 antivm_vbox_libs
  • 0.005 antiemu_wine_func
  • 0.004 exploit_getbasekerneladdress
  • 0.004 antidbg_windows
  • 0.004 kovter_behavior
  • 0.004 antivm_vbox_files
  • 0.004 antivm_vmware_keys
  • 0.004 masquerade_process_name
  • 0.004 ransomware_extensions
  • 0.003 antiav_avast_libs
  • 0.003 betabot_behavior
  • 0.003 exploit_gethaldispatchtable
  • 0.003 kibex_behavior
  • 0.003 persistence_autorun
  • 0.003 antivm_parallels_keys
  • 0.003 antivm_xen_keys
  • 0.003 ketrican_regkeys
  • 0.003 geodo_banking_trojan
  • 0.003 darkcomet_regkeys
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 exec_crash
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_generic_diskreg
  • 0.002 antivm_vpc_keys
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 office_flash_load
  • 0.001 antivm_vmware_libs
  • 0.001 antisandbox_sboxie_libs
  • 0.001 shifu_behavior
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 antiav_bitdefender_libs
  • 0.001 antidbg_devices
  • 0.001 antivm_xen_keys
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vmware_files
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 bypass_firewall
  • 0.001 disables_browser_warn
  • 0.001 packer_armadillo_regkey
  • 0.001 limerat_regkeys
  • 0.001 rat_pcclient
  • 0.001 recon_fingerprint
  • 0.001 remcos_regkeys

Reporting ( 0.438 seconds )

  • 0.438 CompressResults
Task ID 121551
Mongo ID 5e1ddde7a21c7f1a1b480f8e
Cuckoo release 1.3-CAPE