Analysis

Category: FILE
Package: Extraction
Started: 2020-03-24 06:22:00
Completed: 2020-03-24 06:25:57
Duration: 237 seconds
Options:
route = internet
procdump = 0
Log:
2020-03-24 06:22:01,030 [root] INFO: Date set to: 03-24-20, time set to: 06:22:01, timeout set to: 200
2020-03-24 06:22:01,108 [root] DEBUG: Starting analyzer from: C:\hssovesly
2020-03-24 06:22:01,108 [root] DEBUG: Storing results at: C:\SiMZpfzLG
2020-03-24 06:22:01,108 [root] DEBUG: Pipe server name: \\.\PIPE\nkibKCTHP
2020-03-24 06:22:01,108 [root] INFO: Analysis package "Extraction" has been specified.
2020-03-24 06:22:03,417 [root] DEBUG: Started auxiliary module Browser
2020-03-24 06:22:03,417 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 06:22:03,417 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 06:22:04,540 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 06:22:04,540 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 06:22:04,540 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 06:22:04,555 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 06:22:04,555 [root] DEBUG: Started auxiliary module Human
2020-03-24 06:22:04,555 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 06:22:04,572 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 06:22:04,572 [root] DEBUG: Started auxiliary module Usage
2020-03-24 06:22:04,572 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-03-24 06:22:04,572 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-03-24 06:22:04,602 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\exe.bin" with arguments "" with pid 1436
2020-03-24 06:22:04,602 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:04,602 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:04,743 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:04,743 [root] DEBUG: Loader: Injecting process 1436 (thread 928) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:04,743 [root] DEBUG: Process image base: 0x01280000
2020-03-24 06:22:04,743 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:04,743 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:04,759 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:04,759 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1436
2020-03-24 06:22:06,772 [lib.api.process] INFO: Successfully resumed process with pid 1436
2020-03-24 06:22:06,772 [root] INFO: Added new process to list with pid: 1436
2020-03-24 06:22:06,865 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:06,865 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:07,240 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:07,240 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:07,240 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:07,240 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:07,240 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:07,255 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 06:22:07,255 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x140000
2020-03-24 06:22:07,255 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:07,255 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1436 at 0x747d0000, image base 0x1280000, stack from 0x245000-0x250000
2020-03-24 06:22:07,255 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\exe.bin".
2020-03-24 06:22:07,255 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01280000) returned 0x00000000.
2020-03-24 06:22:07,270 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:07,270 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01280000) -> AllocationBase 0x01280000 RegionSize 0x4096.
2020-03-24 06:22:07,270 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1574, Entropy 6.042898e+00
2020-03-24 06:22:07,270 [root] DEBUG: AddTrackedRegion: New region at 0x01280000 size 0x1000 added to tracked regions.
2020-03-24 06:22:07,270 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:07,270 [root] INFO: Monitor successfully loaded in process with pid 1436.
2020-03-24 06:22:07,552 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 06:22:07,552 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:07,582 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 06:22:07,598 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 06:22:07,723 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 06:22:07,723 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 06:22:07,786 [root] DEBUG: DLL loaded at 0x749C0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 06:22:07,894 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 06:22:07,894 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 06:22:07,910 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 06:22:07,910 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:07,926 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:08,098 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:08,253 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 06:22:08,831 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:08,924 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:08,970 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:08,970 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:09,688 [root] INFO: Announced 32-bit process name: adobe.exe pid: 2280
2020-03-24 06:22:09,688 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:09,688 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:09,703 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:09,703 [root] DEBUG: Loader: Injecting process 2280 (thread 224) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:09,703 [root] DEBUG: Process image base: 0x011A0000
2020-03-24 06:22:09,703 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:09,703 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:09,703 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:09,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2280
2020-03-24 06:22:09,750 [root] INFO: Announced 32-bit process name: adobe.exe pid: 2280
2020-03-24 06:22:09,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:09,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:09,750 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:09,750 [root] DEBUG: Loader: Injecting process 2280 (thread 224) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:09,750 [root] DEBUG: Process image base: 0x011A0000
2020-03-24 06:22:09,766 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:09,766 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:09,766 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:09,766 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2280
2020-03-24 06:22:09,766 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 06:22:09,782 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:09,782 [root] DEBUG: DLL unloaded from 0x74960000.
2020-03-24 06:22:09,798 [root] DEBUG: DLL unloaded from 0x74440000.
2020-03-24 06:22:09,798 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:09,798 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:09,813 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:09,828 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:09,828 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 06:22:09,828 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x190000
2020-03-24 06:22:09,828 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:09,828 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2280 at 0x747d0000, image base 0x11a0000, stack from 0x336000-0x340000
2020-03-24 06:22:09,828 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\adobe.exe".
2020-03-24 06:22:09,828 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x011A0000) returned 0x00000000.
2020-03-24 06:22:09,828 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:09,828 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x011A0000) -> AllocationBase 0x011A0000 RegionSize 0x4096.
2020-03-24 06:22:09,828 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7b54, Entropy 5.003824e+00
2020-03-24 06:22:09,845 [root] DEBUG: AddTrackedRegion: New region at 0x011A0000 size 0x1000 added to tracked regions.
2020-03-24 06:22:09,845 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:09,845 [root] INFO: Added new process to list with pid: 2280
2020-03-24 06:22:09,845 [root] INFO: Monitor successfully loaded in process with pid 2280.
2020-03-24 06:22:09,845 [root] DEBUG: Allocation: 0x001A0000 - 0x001AA000, size: 0xa000, protection: 0x40.
2020-03-24 06:22:09,845 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:09,845 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x011A0000.
2020-03-24 06:22:09,845 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x011A0000 size 0x0 entropy 5.003855e+00.
2020-03-24 06:22:09,845 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x001A0000, size: 0xa000.
2020-03-24 06:22:09,859 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x001A0000) returned 0x00000000.
2020-03-24 06:22:09,859 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:09,859 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x001A0000) -> AllocationBase 0x001A0000 RegionSize 0x40960.
2020-03-24 06:22:09,859 [root] DEBUG: AddTrackedRegion: New region at 0x001A0000 size 0xa000 added to tracked regions.
2020-03-24 06:22:09,859 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x001A0000, TrackedRegion->RegionSize: 0xa000, thread 224
2020-03-24 06:22:09,859 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x001A0000 and Type=0x1.
2020-03-24 06:22:09,859 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 224 type 1 at address 0x001A0000, size 2 with Callback 0x747d7510.
2020-03-24 06:22:09,859 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x001A0000
2020-03-24 06:22:09,875 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x001A003C and Type=0x1.
2020-03-24 06:22:09,875 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 224 type 1 at address 0x001A003C, size 4 with Callback 0x747d71a0.
2020-03-24 06:22:09,875 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x001A003C
2020-03-24 06:22:09,875 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x001A0000 (size 0xa000).
2020-03-24 06:22:09,891 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 06:22:09,891 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 224)
2020-03-24 06:22:09,891 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x001A0000.
2020-03-24 06:22:09,891 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x001A0000 and Type=0x0.
2020-03-24 06:22:09,891 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x1a0000: 0x55.
2020-03-24 06:22:09,891 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:09,907 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 224)
2020-03-24 06:22:09,907 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x001A003C.
2020-03-24 06:22:09,907 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x181c7881 (at 0x001A003C).
2020-03-24 06:22:09,907 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x001A0000 already exists for thread 224 (process 2280), skipping.
2020-03-24 06:22:09,907 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x001A0000.
2020-03-24 06:22:09,907 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001A0000 (thread 224)
2020-03-24 06:22:09,907 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x001A0000 (allocation base 0x001A0000).
2020-03-24 06:22:09,907 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x001A0000, size 0xa000).
2020-03-24 06:22:09,907 [root] DEBUG: DumpPEsInRange: Scanning range 0x1a0000 - 0x1aa000.
2020-03-24 06:22:09,923 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1a0000-0x1aa000.
2020-03-24 06:22:09,923 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2280_9704940739221424232020 successfully created, size 0xa000
2020-03-24 06:22:09,923 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2280_9704940739221424232020
2020-03-24 06:22:09,923 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x001A0000 (size 0xa000).
2020-03-24 06:22:09,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1a0000 - 0x1aa000.
2020-03-24 06:22:09,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x001A0000.
2020-03-24 06:22:09,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x001A003C.
2020-03-24 06:22:09,937 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x001A0000.
2020-03-24 06:22:09,937 [root] DEBUG: set_caller_info: Adding region at 0x001A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:09,937 [root] DEBUG: set_caller_info: Caller at 0x001A0126 in tracked regions.
2020-03-24 06:22:09,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:09,937 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x011A0000.
2020-03-24 06:22:09,937 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x011A0000 size 0x0 entropy 5.003855e+00.
2020-03-24 06:22:09,953 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001A0000.
2020-03-24 06:22:09,970 [root] DEBUG: Allocation: 0x001B0000 - 0x001C1000, size: 0x11000, protection: 0x40.
2020-03-24 06:22:09,970 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:09,970 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x011A0000.
2020-03-24 06:22:09,970 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x011A0000 size 0x0 entropy 5.003855e+00.
2020-03-24 06:22:09,970 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001A0000.
2020-03-24 06:22:09,970 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x001B0000, size: 0x11000.
2020-03-24 06:22:09,970 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x001B0000) returned 0x00000000.
2020-03-24 06:22:09,970 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:09,984 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x001B0000) -> AllocationBase 0x001B0000 RegionSize 0x69632.
2020-03-24 06:22:09,984 [root] DEBUG: AddTrackedRegion: New region at 0x001B0000 size 0x11000 added to tracked regions.
2020-03-24 06:22:09,984 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x001B0000, TrackedRegion->RegionSize: 0x11000, thread 224
2020-03-24 06:22:09,984 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x001A0000 to 0x001B0000.
2020-03-24 06:22:09,984 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x001B0000 and Type=0x1.
2020-03-24 06:22:09,984 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 224 type 1 at address 0x001B0000, size 2 with Callback 0x747d7510.
2020-03-24 06:22:09,984 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x001B0000
2020-03-24 06:22:09,984 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x001B003C and Type=0x1.
2020-03-24 06:22:09,984 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 224 type 1 at address 0x001B003C, size 4 with Callback 0x747d71a0.
2020-03-24 06:22:10,000 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x001B003C
2020-03-24 06:22:10,000 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x001B0000 (size 0x11000).
2020-03-24 06:22:10,000 [root] DEBUG: DLL loaded at 0x74980000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:10,000 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:22:10,016 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:10,016 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:22:10,016 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:10,016 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:10,032 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:10,032 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:10,109 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:22:10,109 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:22:10,125 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 06:22:10,125 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:10,125 [root] DEBUG: DLL loaded at 0x74960000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:22:10,141 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:10,141 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:22:10,141 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:10,141 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:22:10,141 [root] DEBUG: set_caller_info: Caller at 0x001B4BCE in tracked regions.
2020-03-24 06:22:10,141 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:10,141 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:10,141 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x011A0000.
2020-03-24 06:22:10,141 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:10,141 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x011A0000 size 0x0 entropy 5.003855e+00.
2020-03-24 06:22:10,157 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001A0000.
2020-03-24 06:22:10,157 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-03-24 06:22:10,157 [root] DEBUG: DumpPEsInRange: Scanning range 0x1b0000 - 0x1c1000.
2020-03-24 06:22:10,157 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1b0000-0x1c1000.
2020-03-24 06:22:10,157 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x001B0000 - 0x001C1000.
2020-03-24 06:22:10,157 [root] DEBUG: set_caller_info: Adding region at 0x00A20000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 06:22:10,157 [root] DEBUG: DumpPEsInRange: Scanning range 0x1b0000 - 0x1c1000.
2020-03-24 06:22:10,157 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1b0000-0x1c1000.
2020-03-24 06:22:10,157 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x001B0000 - 0x001C1000.
2020-03-24 06:22:10,171 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2280_135550767210221424232020 successfully created, size 0x11000
2020-03-24 06:22:10,171 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2280_135550767210221424232020
2020-03-24 06:22:10,171 [root] DEBUG: DumpRegion: Dumped stack region from 0x001B0000, size 0x11000.
2020-03-24 06:22:10,171 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x001B0000.
2020-03-24 06:22:10,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1b0000 - 0x1c1000.
2020-03-24 06:22:10,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x001B0000.
2020-03-24 06:22:10,187 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x001B003C.
2020-03-24 06:22:10,187 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2280_64105428410221424232020 successfully created, size 0x11000
2020-03-24 06:22:10,203 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2280_64105428410221424232020
2020-03-24 06:22:10,203 [root] DEBUG: DumpRegion: Dumped stack region from 0x001B0000, size 0x11000.
2020-03-24 06:22:10,203 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x001B0000.
2020-03-24 06:22:10,203 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1b0000 - 0x1c1000.
2020-03-24 06:22:10,296 [root] INFO: Announced 32-bit process name: cmd.exe pid: 740
2020-03-24 06:22:10,296 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:10,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:10,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:10,312 [root] DEBUG: Loader: Injecting process 740 (thread 164) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:10,312 [root] DEBUG: Process image base: 0x4A070000
2020-03-24 06:22:10,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:10,328 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:10,328 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:10,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 740
2020-03-24 06:22:10,328 [root] INFO: Announced 32-bit process name: cmd.exe pid: 740
2020-03-24 06:22:10,328 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:10,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:10,344 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:10,344 [root] DEBUG: Loader: Injecting process 740 (thread 164) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:10,344 [root] DEBUG: DLL loaded at 0x742A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 06:22:10,344 [root] DEBUG: Process image base: 0x4A070000
2020-03-24 06:22:10,344 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:10,344 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:10,344 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:10,344 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 740
2020-03-24 06:22:10,344 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 06:22:10,359 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:10,359 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:10,359 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:10,375 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:10,375 [root] DEBUG: DLL unloaded from 0x74980000.
2020-03-24 06:22:10,375 [root] DEBUG: DLL unloaded from 0x74440000.
2020-03-24 06:22:10,391 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1436).
2020-03-24 06:22:10,405 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:10,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:10,405 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:10,405 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01280000.
2020-03-24 06:22:10,405 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:10,405 [root] DEBUG: ProcessImageBase: EP 0x00001574 image base 0x01280000 size 0x0 entropy 6.054284e+00.
2020-03-24 06:22:10,421 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:10,421 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:10,421 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:10,421 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:22:10,421 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:10,421 [root] DEBUG: DLL unloaded from 0x749D0000.
2020-03-24 06:22:10,421 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1436).
2020-03-24 06:22:10,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:10,421 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:10,437 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01280000.
2020-03-24 06:22:10,437 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:10,437 [root] DEBUG: ProcessImageBase: EP 0x00001574 image base 0x01280000 size 0x0 entropy 6.054258e+00.
2020-03-24 06:22:10,437 [root] INFO: Notified of termination of process with pid 1436.
2020-03-24 06:22:10,453 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 06:22:10,453 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 06:22:10,453 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x270000
2020-03-24 06:22:10,469 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 06:22:10,469 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:10,469 [root] DEBUG: DLL loaded at 0x749D0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 06:22:10,483 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 740 at 0x747d0000, image base 0x4a070000, stack from 0xb3000-0x1b0000
2020-03-24 06:22:10,483 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 06:22:10,483 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd \c ""C:\Users\user\AppData\Local\Temp\a.bat" ".
2020-03-24 06:22:10,500 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 06:22:10,500 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x4A070000) returned 0x00000000.
2020-03-24 06:22:10,500 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 06:22:10,500 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:10,516 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 06:22:10,516 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x4A070000) -> AllocationBase 0x4A070000 RegionSize 0x4096.
2020-03-24 06:22:10,608 [root] DEBUG: AddTrackedRegion: EntryPoint 0x829a, Entropy 4.490681e+00
2020-03-24 06:22:10,625 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:10,625 [root] DEBUG: AddTrackedRegion: New region at 0x4A070000 size 0x1000 added to tracked regions.
2020-03-24 06:22:10,671 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:10,687 [root] INFO: Added new process to list with pid: 740
2020-03-24 06:22:10,687 [root] INFO: Monitor successfully loaded in process with pid 740.
2020-03-24 06:22:10,750 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 740).
2020-03-24 06:22:10,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:10,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x4A070000.
2020-03-24 06:22:10,765 [root] DEBUG: ProcessImageBase: EP 0x0000829A image base 0x4A070000 size 0x0 entropy 4.512325e+00.
2020-03-24 06:22:10,765 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:22:10,780 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 740).
2020-03-24 06:22:10,780 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:10,780 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x4A070000.
2020-03-24 06:22:10,796 [root] DEBUG: ProcessImageBase: EP 0x0000829A image base 0x4A070000 size 0x0 entropy 4.512325e+00.
2020-03-24 06:22:10,796 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:10,796 [root] INFO: Notified of termination of process with pid 740.
2020-03-24 06:22:10,796 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:10,812 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:10,828 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:10,828 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:10,828 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:10,828 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:10,842 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:10,921 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:10,937 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:10,937 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:10,951 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:10,951 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:10,951 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:10,967 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:10,967 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:10,983 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:10,983 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 06:22:10,983 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:10,999 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:10,999 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 06:22:11,015 [root] DEBUG: DLL loaded at 0x749C0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 06:22:11,015 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:11,015 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,029 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:11,029 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,029 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:11,140 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-03-24 06:22:11,233 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:11,233 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:11,249 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:11,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:11,263 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,263 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:11,279 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,279 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:11,374 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:11,388 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:11,388 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:11,404 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:11,404 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,404 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:11,420 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,420 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:11,436 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:11,436 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:11,451 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:11,451 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:11,467 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,467 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:11,467 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,483 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:11,483 [root] DEBUG: DLL unloaded from 0x749A0000.
2020-03-24 06:22:11,497 [root] DEBUG: DLL unloaded from 0x741A0000.
2020-03-24 06:22:11,575 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:11,575 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:11,575 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:11,592 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:11,592 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,592 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:11,608 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,608 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 1632, error: -15
2020-03-24 06:22:11,686 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 06:22:11,700 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:11,700 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:11,717 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:11,717 [root] DEBUG: Loader: Injecting process 1632 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:11,717 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1636, handle 0x84
2020-03-24 06:22:11,717 [root] DEBUG: Process image base: 0x00000000FF900000
2020-03-24 06:22:11,779 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 06:22:11,779 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 06:22:11,888 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:11,904 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:11,904 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:12,075 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:12,091 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:12,246 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:12,246 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1632 at 0x0000000074450000, image base 0x00000000FF900000, stack from 0x0000000003AE2000-0x0000000003AF0000
2020-03-24 06:22:12,263 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 06:22:12,263 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF900000) returned 0x0000000000000000.
2020-03-24 06:22:12,263 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:12,263 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF900000) -> AllocationBase 0x00000000FF900000 RegionSize 0x4096.
2020-03-24 06:22:12,293 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2b790, Entropy 5.860278e+00
2020-03-24 06:22:12,309 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF900000 size 0x1000 added to tracked regions.
2020-03-24 06:22:12,309 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:12,309 [root] INFO: Added new process to list with pid: 1632
2020-03-24 06:22:12,309 [root] INFO: Monitor successfully loaded in process with pid 1632.
2020-03-24 06:22:12,325 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 06:22:12,325 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 06:22:12,325 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:12,388 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-03-24 06:22:12,388 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:12,403 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:12,528 [root] DEBUG: DLL loaded at 0x73D20000: C:\Windows\system32\wpdshext (0x238000 bytes).
2020-03-24 06:22:12,559 [root] DEBUG: DLL loaded at 0x74160000: C:\Windows\system32\WINMM (0x32000 bytes).
2020-03-24 06:22:12,637 [root] DEBUG: DLL loaded at 0x73FD0000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus (0x190000 bytes).
2020-03-24 06:22:12,714 [root] DEBUG: DLL loaded at 0x73F70000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:12,746 [root] DEBUG: DLL loaded at 0x72F70000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2020-03-24 06:22:12,823 [root] DEBUG: DLL loaded at 0x73CE0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2020-03-24 06:22:12,917 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 06:22:12,948 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 1924
2020-03-24 06:22:12,948 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,948 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:12,964 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:12,964 [root] DEBUG: Loader: Injecting process 1924 (thread 2248) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:12,964 [root] DEBUG: Process image base: 0x01210000
2020-03-24 06:22:12,964 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:12,964 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:12,964 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:12,964 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1924
2020-03-24 06:22:12,980 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 1924
2020-03-24 06:22:12,996 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,996 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:12,996 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:12,996 [root] DEBUG: Loader: Injecting process 1924 (thread 2248) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:12,996 [root] DEBUG: Process image base: 0x01210000
2020-03-24 06:22:12,996 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:12,996 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:12,996 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:12,996 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1924
2020-03-24 06:22:13,012 [root] DEBUG: DLL unloaded from 0x73D20000.
2020-03-24 06:22:13,012 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 06:22:13,012 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:13,012 [root] DEBUG: DLL unloaded from 0x72F70000.
2020-03-24 06:22:13,012 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:13,026 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:13,026 [root] DEBUG: DLL unloaded from 0x75D60000.
2020-03-24 06:22:13,026 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:13,026 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 06:22:13,026 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xa0000
2020-03-24 06:22:13,026 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 06:22:13,042 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:13,042 [root] DEBUG: DLL unloaded from 0x73F70000.
2020-03-24 06:22:13,042 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1924 at 0x747d0000, image base 0x1210000, stack from 0x346000-0x350000
2020-03-24 06:22:13,042 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258.
2020-03-24 06:22:13,042 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01210000) returned 0x00000000.
2020-03-24 06:22:13,042 [root] DEBUG: DLL unloaded from 0x74990000.
2020-03-24 06:22:13,042 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:13,042 [root] DEBUG: DLL unloaded from 0x741A0000.
2020-03-24 06:22:13,042 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01210000) -> AllocationBase 0x01210000 RegionSize 0x4096.
2020-03-24 06:22:13,042 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2280).
2020-03-24 06:22:13,042 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7b54, Entropy 5.004239e+00
2020-03-24 06:22:13,042 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,058 [root] DEBUG: AddTrackedRegion: New region at 0x01210000 size 0x1000 added to tracked regions.
2020-03-24 06:22:13,058 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x011A0000.
2020-03-24 06:22:13,058 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:13,058 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x011A0000 size 0x0 entropy 5.003855e+00.
2020-03-24 06:22:13,058 [root] INFO: Added new process to list with pid: 1924
2020-03-24 06:22:13,058 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001A0000.
2020-03-24 06:22:13,058 [root] INFO: Monitor successfully loaded in process with pid 1924.
2020-03-24 06:22:13,058 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-03-24 06:22:13,058 [root] DEBUG: Allocation: 0x000B0000 - 0x000BA000, size: 0xa000, protection: 0x40.
2020-03-24 06:22:13,058 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,058 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:13,073 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:13,073 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x000B0000, size: 0xa000.
2020-03-24 06:22:13,073 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000B0000) returned 0x00000000.
2020-03-24 06:22:13,073 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:13,073 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000B0000) -> AllocationBase 0x000B0000 RegionSize 0x40960.
2020-03-24 06:22:13,073 [root] DEBUG: AddTrackedRegion: New region at 0x000B0000 size 0xa000 added to tracked regions.
2020-03-24 06:22:13,073 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x000B0000, TrackedRegion->RegionSize: 0xa000, thread 2248
2020-03-24 06:22:13,089 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x000B0000 and Type=0x1.
2020-03-24 06:22:13,089 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2248 type 1 at address 0x000B0000, size 2 with Callback 0x747d7510.
2020-03-24 06:22:13,089 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x000B0000
2020-03-24 06:22:13,089 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x000B003C and Type=0x1.
2020-03-24 06:22:13,089 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2248 type 1 at address 0x000B003C, size 4 with Callback 0x747d71a0.
2020-03-24 06:22:13,089 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x000B003C
2020-03-24 06:22:13,089 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x000B0000 (size 0xa000).
2020-03-24 06:22:13,089 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 06:22:13,089 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 2248)
2020-03-24 06:22:13,105 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x000B0000.
2020-03-24 06:22:13,105 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x000B0000 and Type=0x0.
2020-03-24 06:22:13,105 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:22:13,105 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xb0000: 0x55.
2020-03-24 06:22:13,105 [root] DEBUG: DLL unloaded from 0x749D0000.
2020-03-24 06:22:13,105 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:13,105 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2280).
2020-03-24 06:22:13,105 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 2248)
2020-03-24 06:22:13,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,105 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x000B003C.
2020-03-24 06:22:13,105 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x011A0000.
2020-03-24 06:22:13,105 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x181c7881 (at 0x000B003C).
2020-03-24 06:22:13,105 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x011A0000 size 0x0 entropy 5.003855e+00.
2020-03-24 06:22:13,121 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x000B0000 already exists for thread 2248 (process 1924), skipping.
2020-03-24 06:22:13,121 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001A0000.
2020-03-24 06:22:13,121 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x000B0000.
2020-03-24 06:22:13,121 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x001B0000.
2020-03-24 06:22:13,121 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000B0000 (thread 2248)
2020-03-24 06:22:13,121 [root] INFO: Notified of termination of process with pid 2280.
2020-03-24 06:22:13,121 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x000B0000 (allocation base 0x000B0000).
2020-03-24 06:22:13,121 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x000B0000, size 0xa000).
2020-03-24 06:22:13,121 [root] DEBUG: DumpPEsInRange: Scanning range 0xb0000 - 0xba000.
2020-03-24 06:22:13,121 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xb0000-0xba000.
2020-03-24 06:22:13,135 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\1924_94341880813221424232020 successfully created, size 0xa000
2020-03-24 06:22:13,135 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\1924_94341880813221424232020
2020-03-24 06:22:13,135 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x000B0000 (size 0xa000).
2020-03-24 06:22:13,151 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xb0000 - 0xba000.
2020-03-24 06:22:13,151 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x000B0000.
2020-03-24 06:22:13,151 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x000B003C.
2020-03-24 06:22:13,151 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x000B0000.
2020-03-24 06:22:13,151 [root] DEBUG: set_caller_info: Adding region at 0x000B0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:13,151 [root] DEBUG: set_caller_info: Caller at 0x000B0126 in tracked regions.
2020-03-24 06:22:13,151 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,151 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:13,167 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:13,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:13,167 [root] DEBUG: Allocation: 0x000C0000 - 0x000D1000, size: 0x11000, protection: 0x40.
2020-03-24 06:22:13,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:13,167 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:13,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:13,183 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x000C0000, size: 0x11000.
2020-03-24 06:22:13,183 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000C0000) returned 0x00000000.
2020-03-24 06:22:13,183 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:13,183 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000C0000) -> AllocationBase 0x000C0000 RegionSize 0x69632.
2020-03-24 06:22:13,183 [root] DEBUG: AddTrackedRegion: New region at 0x000C0000 size 0x11000 added to tracked regions.
2020-03-24 06:22:13,183 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x000C0000, TrackedRegion->RegionSize: 0x11000, thread 2248
2020-03-24 06:22:13,198 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x000B0000 to 0x000C0000.
2020-03-24 06:22:13,198 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x000C0000 and Type=0x1.
2020-03-24 06:22:13,198 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2248 type 1 at address 0x000C0000, size 2 with Callback 0x747d7510.
2020-03-24 06:22:13,198 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x000C0000
2020-03-24 06:22:13,198 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x000C003C and Type=0x1.
2020-03-24 06:22:13,198 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2248 type 1 at address 0x000C003C, size 4 with Callback 0x747d71a0.
2020-03-24 06:22:13,213 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x000C003C
2020-03-24 06:22:13,213 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x000C0000 (size 0x11000).
2020-03-24 06:22:13,213 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:22:13,213 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:13,230 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:22:13,230 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:13,230 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:13,246 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:13,246 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:13,246 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:22:13,246 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:22:13,260 [root] DEBUG: DLL loaded at 0x749B0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:22:13,260 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:22:13,260 [root] DEBUG: set_caller_info: Adding region at 0x000C0000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:22:13,260 [root] DEBUG: set_caller_info: Caller at 0x000C4BCE in tracked regions.
2020-03-24 06:22:13,260 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,260 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:13,276 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:13,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:13,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000C0000.
2020-03-24 06:22:13,276 [root] DEBUG: DumpPEsInRange: Scanning range 0xc0000 - 0xd1000.
2020-03-24 06:22:13,276 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xc0000-0xd1000.
2020-03-24 06:22:13,276 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x000C0000 - 0x000D1000.
2020-03-24 06:22:13,276 [root] DEBUG: set_caller_info: Adding region at 0x00A50000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 06:22:13,292 [root] DEBUG: DumpPEsInRange: Scanning range 0xc0000 - 0xd1000.
2020-03-24 06:22:13,292 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xc0000-0xd1000.
2020-03-24 06:22:13,292 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x000C0000 - 0x000D1000.
2020-03-24 06:22:13,308 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\1924_60636116013221424232020 successfully created, size 0x11000
2020-03-24 06:22:13,308 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\1924_60636116013221424232020
2020-03-24 06:22:13,323 [root] DEBUG: DumpRegion: Dumped stack region from 0x000C0000, size 0x11000.
2020-03-24 06:22:13,323 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x000C0000.
2020-03-24 06:22:13,323 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xc0000 - 0xd1000.
2020-03-24 06:22:13,369 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x000C0000.
2020-03-24 06:22:13,385 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x000C003C.
2020-03-24 06:22:13,417 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\1924_10208337413221424232020 successfully created, size 0x11000
2020-03-24 06:22:13,463 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\1924_10208337413221424232020
2020-03-24 06:22:13,510 [root] DEBUG: DumpRegion: Dumped stack region from 0x000C0000, size 0x11000.
2020-03-24 06:22:13,542 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x000C0000.
2020-03-24 06:22:13,542 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xc0000 - 0xd1000.
2020-03-24 06:22:13,635 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2056
2020-03-24 06:22:13,635 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCB00000 to caller regions list (msvcrt::memcpy).
2020-03-24 06:22:13,635 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF71F0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 06:22:13,635 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:13,635 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:13,697 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:13,776 [root] DEBUG: Loader: Injecting process 2056 (thread 1560) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:13,806 [root] DEBUG: Process image base: 0x00000000FF970000
2020-03-24 06:22:13,806 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:13,822 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:13,822 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:13,822 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2056
2020-03-24 06:22:13,838 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:13,838 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2056
2020-03-24 06:22:13,854 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:13,854 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:13,884 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:13,901 [root] DEBUG: Loader: Injecting process 2056 (thread 1560) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:13,901 [root] DEBUG: Process image base: 0x00000000FF970000
2020-03-24 06:22:13,901 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:13,901 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:13,915 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:13,915 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2056
2020-03-24 06:22:13,931 [root] DEBUG: Allocation: 0x03CF0000 - 0x03E99000, size: 0x1a9000, protection: 0x40.
2020-03-24 06:22:13,931 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:13,947 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:13,947 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:13,947 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:13,947 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000C0000.
2020-03-24 06:22:13,947 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x03CF0000, size: 0x1a9000.
2020-03-24 06:22:13,947 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x03CF0000) returned 0x00000000.
2020-03-24 06:22:13,947 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:13,947 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x03CF0000) -> AllocationBase 0x03CF0000 RegionSize 0x1740800.
2020-03-24 06:22:13,963 [root] DEBUG: AddTrackedRegion: New region at 0x03CF0000 size 0x1a9000 added to tracked regions.
2020-03-24 06:22:13,963 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x03CF0000, TrackedRegion->RegionSize: 0x1a9000, thread 2248
2020-03-24 06:22:13,963 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x000C0000 to 0x03CF0000.
2020-03-24 06:22:13,963 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x03CF0000 and Type=0x1.
2020-03-24 06:22:13,963 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2248 type 1 at address 0x03CF0000, size 2 with Callback 0x747d7510.
2020-03-24 06:22:13,963 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x03CF0000
2020-03-24 06:22:13,963 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x03CF003C and Type=0x1.
2020-03-24 06:22:13,979 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2248 type 1 at address 0x03CF003C, size 4 with Callback 0x747d71a0.
2020-03-24 06:22:13,979 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x03CF003C
2020-03-24 06:22:13,979 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x03CF0000 (size 0x1a9000).
2020-03-24 06:22:13,979 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:13,979 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x03CF0000.
2020-03-24 06:22:13,979 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2020-03-24 06:22:13,979 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:13,979 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x03CF0000.
2020-03-24 06:22:13,993 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2020-03-24 06:22:13,993 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x03CF0000: 0x03CF0000 0x03CF003C 0x00000000 0x00000000
2020-03-24 06:22:13,993 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x03CF003C already exists for thread 2248 (process 1924), skipping.
2020-03-24 06:22:13,993 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3cf003c (EIP = 0xc16b2)
2020-03-24 06:22:13,993 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3cf0000: 0x4d.
2020-03-24 06:22:13,993 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:13,993 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,009 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x03CF003C.
2020-03-24 06:22:14,009 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x03CF0000: 0x03CF0000 0x03CF003C 0x00000000 0x00000000
2020-03-24 06:22:14,009 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x03CF00F8 and Type=0x1.
2020-03-24 06:22:14,009 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x03CF0108 and Type=0x1.
2020-03-24 06:22:14,009 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x03CF0108.
2020-03-24 06:22:14,009 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,009 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x03CF003C.
2020-03-24 06:22:14,026 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:14,026 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,026 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x03CF003C.
2020-03-24 06:22:14,026 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:14,026 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,026 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x03CF003C.
2020-03-24 06:22:14,026 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:14,040 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,040 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x03CF00F8.
2020-03-24 06:22:14,040 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,040 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x000C0000).
2020-03-24 06:22:14,040 [root] DEBUG: MagicWriteCallback: Magic value not valid NT: 0xb (at 0x03CF00F8).
2020-03-24 06:22:14,040 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,040 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x03CF00F8.
2020-03-24 06:22:14,056 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,056 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:14,056 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,056 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x03CF0108.
2020-03-24 06:22:14,056 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,056 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:14,056 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,072 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x03CF0108.
2020-03-24 06:22:14,072 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,072 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:14,072 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,072 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x03CF0108.
2020-03-24 06:22:14,072 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,072 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:14,072 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,072 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x03CF0108.
2020-03-24 06:22:14,088 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,088 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:14,104 [root] DEBUG: Allocation: 0x003F0000 - 0x0045B000, size: 0x6b000, protection: 0x40.
2020-03-24 06:22:14,104 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:14,104 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:14,104 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:14,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:14,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000C0000.
2020-03-24 06:22:14,118 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x03CF0000.
2020-03-24 06:22:14,118 [root] DEBUG: DumpPEsInRange: Scanning range 0x3cf0000 - 0x3e99000.
2020-03-24 06:22:14,118 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3cf0000
2020-03-24 06:22:14,118 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-03-24 06:22:14,118 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x03CF0000.
2020-03-24 06:22:14,150 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\1924_14215996401422624232020
2020-03-24 06:22:14,150 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x1a2a00.
2020-03-24 06:22:14,150 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 2 of 51040, RVA 0x16024b4 and size 0x8ba6ebd7.
2020-03-24 06:22:14,165 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 46863, RVA 0x8a44d003 and size 0x48800a44.
2020-03-24 06:22:14,165 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 2 of 51507, RVA 0xb70f0e03 and size 0xf8966c9.
2020-03-24 06:22:14,165 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3cf0200-0x3e99000.
2020-03-24 06:22:14,165 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x03CF0000 - 0x03E99000.
2020-03-24 06:22:14,165 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x03CF0000 - 0x03E99000.
2020-03-24 06:22:14,165 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3cf0000 - 0x3e99000.
2020-03-24 06:22:14,181 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x03CF00F8.
2020-03-24 06:22:14,181 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x03CF003C.
2020-03-24 06:22:14,181 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x03CF0108.
2020-03-24 06:22:14,181 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003F0000, size: 0x6b000.
2020-03-24 06:22:14,181 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003F0000) returned 0x00000000.
2020-03-24 06:22:14,181 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:14,181 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003F0000) -> AllocationBase 0x003F0000 RegionSize 0x438272.
2020-03-24 06:22:14,197 [root] DEBUG: AddTrackedRegion: New region at 0x003F0000 size 0x6b000 added to tracked regions.
2020-03-24 06:22:14,197 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x003F0000, TrackedRegion->RegionSize: 0x6b000, thread 2248
2020-03-24 06:22:14,197 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x03CF0000 to 0x003F0000.
2020-03-24 06:22:14,197 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x003F0000 and Type=0x1.
2020-03-24 06:22:14,197 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2248 type 1 at address 0x003F0000, size 2 with Callback 0x747d7510.
2020-03-24 06:22:14,197 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x003F0000
2020-03-24 06:22:14,197 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x003F003C and Type=0x1.
2020-03-24 06:22:14,213 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2248 type 1 at address 0x003F003C, size 4 with Callback 0x747d71a0.
2020-03-24 06:22:14,213 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x003F003C
2020-03-24 06:22:14,213 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x003F0000 (size 0x6b000).
2020-03-24 06:22:14,213 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,213 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003F0000.
2020-03-24 06:22:14,213 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2020-03-24 06:22:14,213 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,213 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x003F0000.
2020-03-24 06:22:14,227 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2020-03-24 06:22:14,227 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003F0000: 0x003F0000 0x003F003C 0x00000000 0x00000000
2020-03-24 06:22:14,227 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x003F003C already exists for thread 2248 (process 1924), skipping.
2020-03-24 06:22:14,227 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x3f003c (EIP = 0xc16b2)
2020-03-24 06:22:14,227 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x3f0000: 0x4d.
2020-03-24 06:22:14,227 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:14,227 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,227 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003F003C.
2020-03-24 06:22:14,243 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003F0000: 0x003F0000 0x003F003C 0x00000000 0x00000000
2020-03-24 06:22:14,243 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x003F0108 and Type=0x1.
2020-03-24 06:22:14,243 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x003F0118 and Type=0x1.
2020-03-24 06:22:14,243 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x003F0118.
2020-03-24 06:22:14,243 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,259 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003F003C.
2020-03-24 06:22:14,275 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:14,290 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,290 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003F003C.
2020-03-24 06:22:14,290 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:14,352 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,352 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x003F003C.
2020-03-24 06:22:14,352 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:14,368 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,368 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x003F0108.
2020-03-24 06:22:14,368 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,368 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x000C0000).
2020-03-24 06:22:14,368 [root] DEBUG: MagicWriteCallback: Magic value not valid NT: 0xb (at 0x003F0108).
2020-03-24 06:22:14,368 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,384 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x003F0108.
2020-03-24 06:22:14,384 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,384 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:14,384 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,384 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x003F0118.
2020-03-24 06:22:14,384 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,384 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but AddressOfEntryPoint 0xe0 too small, possibly only partially written (<0x1e8).
2020-03-24 06:22:14,384 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,400 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x003F0118.
2020-03-24 06:22:14,400 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,400 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003F0108: 0x003F0108 0x003F003C 0x003F0118 0x00000000
2020-03-24 06:22:14,400 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x003F30E0 and Type=0x1.
2020-03-24 06:22:14,400 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x003F30E0.
2020-03-24 06:22:14,400 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2020-03-24 06:22:14,400 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,415 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x003F0118.
2020-03-24 06:22:14,415 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,415 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003F30E0: 0x003F30E0 0x003F003C 0x003F0118 0x00000000
2020-03-24 06:22:14,415 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (0) at 0x003F30E0 already exists for thread 2248 (process 1924), skipping.
2020-03-24 06:22:14,430 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x003F30E0.
2020-03-24 06:22:14,430 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2020-03-24 06:22:14,430 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,430 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x003F0118.
2020-03-24 06:22:14,430 [root] DEBUG: GetHookCallerBase: thread 2248 (handle 0xcc), return address 0x000C2BFB, allocation base 0x000C0000.
2020-03-24 06:22:14,430 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003F30E0: 0x003F30E0 0x003F003C 0x003F0118 0x00000000
2020-03-24 06:22:14,430 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (0) at 0x003F30E0 already exists for thread 2248 (process 1924), skipping.
2020-03-24 06:22:14,447 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x003F30E0.
2020-03-24 06:22:14,447 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2020-03-24 06:22:14,447 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,447 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x003F30E0.
2020-03-24 06:22:14,447 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x003F30E0 and Type=0x0.
2020-03-24 06:22:14,447 [root] DEBUG: EntryPointWriteCallback: Execution bp 0 set on EntryPoint address 0x003F30E0.
2020-03-24 06:22:14,461 [root] DEBUG: EntryPointWriteCallback: DEBUG: NumberOfSections 6, SizeOfHeaders 0x1f8.
2020-03-24 06:22:14,461 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x003F30E0: 0x003F30E0 0x003F003C 0x003F0118 0x00000000
2020-03-24 06:22:14,461 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x0045A1FF and Type=0x1.
2020-03-24 06:22:14,461 [root] DEBUG: EntryPointWriteCallback: Set write breakpoint on final section, last byte: 0x00000000
2020-03-24 06:22:14,461 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x000C16B2 (thread 2248)
2020-03-24 06:22:14,461 [root] DEBUG: FinalByteWriteCallback: Breakpoint 0 at Address 0x0045A1FF.
2020-03-24 06:22:14,477 [root] DEBUG: DumpPEsInRange: Scanning range 0x3f0000 - 0x45b000.
2020-03-24 06:22:14,477 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x3f0000
2020-03-24 06:22:14,477 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-03-24 06:22:14,477 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x003F0000.
2020-03-24 06:22:14,493 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\1924_58355768614221424232020
2020-03-24 06:22:14,493 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x66800.
2020-03-24 06:22:14,493 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3f0200-0x45b000.
2020-03-24 06:22:14,493 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x003F0000 - 0x0045B000.
2020-03-24 06:22:14,493 [root] DEBUG: FinalByteWriteCallback: successfully dumped module.
2020-03-24 06:22:14,509 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3f0000 - 0x45b000.
2020-03-24 06:22:14,509 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x0045A1FF.
2020-03-24 06:22:14,509 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x003F003C.
2020-03-24 06:22:14,509 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x003F0118.
2020-03-24 06:22:14,525 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2056
2020-03-24 06:22:14,525 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:14,525 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:14,525 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:14,525 [root] DEBUG: Loader: Injecting process 2056 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:14,525 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1560, handle 0x84
2020-03-24 06:22:14,539 [root] DEBUG: Process image base: 0x00000000FF970000
2020-03-24 06:22:14,539 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:14,539 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:14,539 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:14,539 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2056
2020-03-24 06:22:14,539 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2056
2020-03-24 06:22:14,539 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:14,539 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:14,555 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:14,555 [root] DEBUG: Loader: Injecting process 2056 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:14,555 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-03-24 06:22:14,555 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:14,555 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:14,555 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 2056, error: -15
2020-03-24 06:22:14,572 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1924).
2020-03-24 06:22:14,572 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:14,586 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:14,586 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:14,586 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:14,586 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000C0000.
2020-03-24 06:22:14,586 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x03CF0000.
2020-03-24 06:22:14,586 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003F0000.
2020-03-24 06:22:14,586 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:22:14,602 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1924).
2020-03-24 06:22:14,602 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:14,602 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:14,602 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.004062e+00.
2020-03-24 06:22:14,602 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000B0000.
2020-03-24 06:22:14,602 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000C0000.
2020-03-24 06:22:14,602 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x03CF0000.
2020-03-24 06:22:14,618 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003F0000.
2020-03-24 06:22:14,618 [root] INFO: Notified of termination of process with pid 1924.
2020-03-24 06:22:14,727 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:14,727 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:14,727 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:14,743 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:14,743 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:14,743 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:14,743 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:14,759 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2056 at 0x0000000074450000, image base 0x00000000FF970000, stack from 0x0000000000135000-0x0000000000140000
2020-03-24 06:22:14,759 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe "259".
2020-03-24 06:22:14,759 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF970000) returned 0x0000000000000000.
2020-03-24 06:22:14,759 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:14,773 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF970000) -> AllocationBase 0x00000000FF970000 RegionSize 0x4096.
2020-03-24 06:22:14,773 [root] DEBUG: AddTrackedRegion: EntryPoint 0x170c0, Entropy 5.361235e+00
2020-03-24 06:22:14,773 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF970000 size 0x1000 added to tracked regions.
2020-03-24 06:22:14,773 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:14,789 [root] INFO: Added new process to list with pid: 2056
2020-03-24 06:22:14,789 [root] INFO: Monitor successfully loaded in process with pid 2056.
2020-03-24 06:22:14,930 [root] DEBUG: set_caller_info: Adding region at 0x0000000000080000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:14,930 [root] DEBUG: set_caller_info: Adding region at 0x0000000001D70000 to caller regions list (ntdll::RtlDecompressBuffer).
2020-03-24 06:22:14,930 [root] DEBUG: Allocation: 0x00000000003D0000 - 0x00000000003E3000, size: 0x13000, protection: 0x40.
2020-03-24 06:22:14,946 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:14,946 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:14,946 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361235e+00.
2020-03-24 06:22:14,946 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00000000003D0000, size: 0x13000.
2020-03-24 06:22:14,946 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000003D0000) returned 0x0000000000000000.
2020-03-24 06:22:14,961 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:14,961 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000003D0000) -> AllocationBase 0x00000000003D0000 RegionSize 0x77824.
2020-03-24 06:22:14,961 [root] DEBUG: AddTrackedRegion: New region at 0x00000000003D0000 size 0x13000 added to tracked regions.
2020-03-24 06:22:14,961 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00000000003D0000, TrackedRegion->RegionSize: 0x13000, thread 1560
2020-03-24 06:22:14,961 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xb0, Size=0x2, Address=0x00000000003D0000 and Type=0x1.
2020-03-24 06:22:14,961 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1560 type 1 at address 0x00000000003D0000, size 2 with Callback 0x74457850.
2020-03-24 06:22:14,976 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00000000003D0000
2020-03-24 06:22:14,976 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xb0, Size=0x4, Address=0x00000000003D003C and Type=0x1.
2020-03-24 06:22:14,976 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1560 type 1 at address 0x00000000003D003C, size 4 with Callback 0x74457430.
2020-03-24 06:22:14,976 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00000000003D003C
2020-03-24 06:22:14,976 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00000000003D0000 (size 0x13000).
2020-03-24 06:22:14,993 [root] DEBUG: set_caller_info: Adding region at 0x00000000003D0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:22:14,993 [root] DEBUG: set_caller_info: Caller at 0x00000000003D0000 in tracked regions.
2020-03-24 06:22:14,993 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:14,993 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:14,993 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361235e+00.
2020-03-24 06:22:14,993 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000003D0000.
2020-03-24 06:22:14,993 [root] DEBUG: DumpPEsInRange: Scanning range 0x3d0000 - 0x3e3000.
2020-03-24 06:22:15,007 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3d0000-0x3e3000.
2020-03-24 06:22:15,007 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00000000003D0000 - 0x00000000003E3000.
2020-03-24 06:22:15,007 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:22:15,007 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2056_2118194881522624232020 successfully created, size 0x13000
2020-03-24 06:22:15,023 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2056_2118194881522624232020
2020-03-24 06:22:15,023 [root] DEBUG: DumpRegion: Dumped stack region from 0x00000000003D0000, size 0x13000.
2020-03-24 06:22:15,039 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00000000003D0000.
2020-03-24 06:22:15,039 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3d0000 - 0x3e3000.
2020-03-24 06:22:15,039 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00000000003D0000.
2020-03-24 06:22:15,039 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x00000000003D003C.
2020-03-24 06:22:15,055 [root] DEBUG: DLL loaded at 0x000007FEFEC80000: C:\Windows\system32\WININET (0x12a000 bytes).
2020-03-24 06:22:15,071 [root] DEBUG: DLL loaded at 0x000007FEFEB00000: C:\Windows\system32\urlmon (0x178000 bytes).
2020-03-24 06:22:15,071 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 06:22:15,071 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 06:22:15,085 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 06:22:15,085 [root] DEBUG: DLL loaded at 0x000007FEFF1C0000: C:\Windows\system32\iertutil (0x259000 bytes).
2020-03-24 06:22:15,180 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 06:22:15,196 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 06:22:15,210 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 06:22:15,210 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 06:22:15,242 [root] DEBUG: set_caller_info: Adding region at 0x00000000001C0000 to caller regions list (kernel32::SetErrorMode).
2020-03-24 06:22:15,242 [root] DEBUG: set_caller_info: Adding region at 0x00000000000C0000 to caller regions list (ntdll::NtCreateFile).
2020-03-24 06:22:15,289 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2020-03-24 06:22:15,367 [root] INFO: Announced starting service "WanServer"
2020-03-24 06:22:15,367 [root] INFO: Attaching to Service Control Manager (services.exe - pid 460)
2020-03-24 06:22:15,367 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:15,367 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:15,367 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:15,382 [root] DEBUG: Loader: Injecting process 460 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:15,382 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2256, handle 0x84
2020-03-24 06:22:15,382 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 06:22:15,382 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 06:22:15,382 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 06:22:15,398 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:15,398 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:15,398 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:15,398 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:15,414 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:15,414 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:15,414 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 460 at 0x0000000074450000, image base 0x00000000FFA10000, stack from 0x0000000002956000-0x0000000002960000
2020-03-24 06:22:15,414 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-03-24 06:22:15,414 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 06:22:15,414 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:15,430 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 06:22:15,460 [root] DEBUG: AddTrackedRegion: EntryPoint 0x13310, Entropy 6.073549e+00
2020-03-24 06:22:15,460 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 06:22:15,460 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:15,460 [root] INFO: Added new process to list with pid: 460
2020-03-24 06:22:15,476 [root] INFO: Monitor successfully loaded in process with pid 460.
2020-03-24 06:22:15,476 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 06:22:15,476 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 06:22:15,476 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,490 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2784
2020-03-24 06:22:16,490 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:16,490 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:16,506 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:16,506 [root] DEBUG: Loader: Injecting process 2784 (thread 368) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:16,506 [root] DEBUG: Process image base: 0x01210000
2020-03-24 06:22:16,506 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:16,506 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:16,522 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:16,522 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2784
2020-03-24 06:22:16,522 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2784
2020-03-24 06:22:16,522 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:16,522 [lib.api.process] INFO: 32-bit DLL to inject is C:\hssovesly\dll\TWtOYcg.dll, loader C:\hssovesly\bin\BQFOgSg.exe
2020-03-24 06:22:16,536 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:16,536 [root] DEBUG: Loader: Injecting process 2784 (thread 368) with C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:16,536 [root] DEBUG: Process image base: 0x01210000
2020-03-24 06:22:16,536 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:16,536 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:16,552 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\TWtOYcg.dll.
2020-03-24 06:22:16,552 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2784
2020-03-24 06:22:16,552 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:16,568 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:16,568 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:16,584 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:16,584 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 06:22:16,584 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x110000
2020-03-24 06:22:16,584 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:16,584 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2784 at 0x74380000, image base 0x1210000, stack from 0x336000-0x340000
2020-03-24 06:22:16,584 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260".
2020-03-24 06:22:16,599 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x01210000) returned 0x00000000.
2020-03-24 06:22:16,599 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:16,599 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x01210000) -> AllocationBase 0x01210000 RegionSize 0x4096.
2020-03-24 06:22:16,599 [root] DEBUG: AddTrackedRegion: EntryPoint 0x7b54, Entropy 5.003757e+00
2020-03-24 06:22:16,599 [root] DEBUG: AddTrackedRegion: New region at 0x01210000 size 0x1000 added to tracked regions.
2020-03-24 06:22:16,599 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:16,599 [root] INFO: Added new process to list with pid: 2784
2020-03-24 06:22:16,599 [root] INFO: Monitor successfully loaded in process with pid 2784.
2020-03-24 06:22:16,615 [root] DEBUG: Allocation: 0x00120000 - 0x0012A000, size: 0xa000, protection: 0x40.
2020-03-24 06:22:16,615 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:16,615 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:16,615 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:16,615 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00120000, size: 0xa000.
2020-03-24 06:22:16,615 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00120000) returned 0x00000000.
2020-03-24 06:22:16,631 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:16,631 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00120000) -> AllocationBase 0x00120000 RegionSize 0x40960.
2020-03-24 06:22:16,631 [root] DEBUG: AddTrackedRegion: New region at 0x00120000 size 0xa000 added to tracked regions.
2020-03-24 06:22:16,631 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00120000, TrackedRegion->RegionSize: 0xa000, thread 368
2020-03-24 06:22:16,631 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x00120000 and Type=0x1.
2020-03-24 06:22:16,631 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 368 type 1 at address 0x00120000, size 2 with Callback 0x74387510.
2020-03-24 06:22:16,631 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00120000
2020-03-24 06:22:16,645 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x0012003C and Type=0x1.
2020-03-24 06:22:16,645 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 368 type 1 at address 0x0012003C, size 4 with Callback 0x743871a0.
2020-03-24 06:22:16,645 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0012003C
2020-03-24 06:22:16,645 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00120000 (size 0xa000).
2020-03-24 06:22:16,645 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 06:22:16,645 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 368)
2020-03-24 06:22:16,645 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00120000.
2020-03-24 06:22:16,645 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00120000 and Type=0x0.
2020-03-24 06:22:16,661 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x120000: 0x55.
2020-03-24 06:22:16,661 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:16,661 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x74DBAE7A (thread 368)
2020-03-24 06:22:16,661 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0012003C.
2020-03-24 06:22:16,661 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x181c7881 (at 0x0012003C).
2020-03-24 06:22:16,661 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00120000 already exists for thread 368 (process 2784), skipping.
2020-03-24 06:22:16,677 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00120000.
2020-03-24 06:22:16,677 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00120000 (thread 368)
2020-03-24 06:22:16,693 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00120000 (allocation base 0x00120000).
2020-03-24 06:22:16,693 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00120000, size 0xa000).
2020-03-24 06:22:16,693 [root] DEBUG: DumpPEsInRange: Scanning range 0x120000 - 0x12a000.
2020-03-24 06:22:16,693 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x120000-0x12a000.
2020-03-24 06:22:16,693 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2784_5779895016221424232020 successfully created, size 0xa000
2020-03-24 06:22:16,709 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2784_5779895016221424232020
2020-03-24 06:22:16,709 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x00120000 (size 0xa000).
2020-03-24 06:22:16,709 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x120000 - 0x12a000.
2020-03-24 06:22:16,709 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00120000.
2020-03-24 06:22:16,709 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0012003C.
2020-03-24 06:22:16,723 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00120000.
2020-03-24 06:22:16,723 [root] DEBUG: set_caller_info: Adding region at 0x00120000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:16,723 [root] DEBUG: set_caller_info: Caller at 0x00120126 in tracked regions.
2020-03-24 06:22:16,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:16,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:16,723 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:16,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:16,740 [root] DEBUG: Allocation: 0x00130000 - 0x00141000, size: 0x11000, protection: 0x40.
2020-03-24 06:22:16,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:16,740 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:16,740 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:16,756 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:16,756 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00130000, size: 0x11000.
2020-03-24 06:22:16,756 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00130000) returned 0x00000000.
2020-03-24 06:22:16,756 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:16,756 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00130000) -> AllocationBase 0x00130000 RegionSize 0x69632.
2020-03-24 06:22:16,756 [root] DEBUG: AddTrackedRegion: New region at 0x00130000 size 0x11000 added to tracked regions.
2020-03-24 06:22:16,756 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00130000, TrackedRegion->RegionSize: 0x11000, thread 368
2020-03-24 06:22:16,756 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00120000 to 0x00130000.
2020-03-24 06:22:16,770 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x00130000 and Type=0x1.
2020-03-24 06:22:16,770 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 368 type 1 at address 0x00130000, size 2 with Callback 0x74387510.
2020-03-24 06:22:16,770 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00130000
2020-03-24 06:22:16,770 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x0013003C and Type=0x1.
2020-03-24 06:22:16,770 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 368 type 1 at address 0x0013003C, size 4 with Callback 0x743871a0.
2020-03-24 06:22:16,770 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0013003C
2020-03-24 06:22:16,786 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00130000 (size 0x11000).
2020-03-24 06:22:16,786 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:22:16,786 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:16,786 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:22:16,802 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:16,802 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:16,802 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:16,802 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:16,818 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:22:16,818 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:22:16,818 [root] DEBUG: DLL loaded at 0x749A0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:22:16,818 [root] DEBUG: DLL loaded at 0x74990000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:22:16,834 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:22:16,834 [root] DEBUG: set_caller_info: Caller at 0x00134BCE in tracked regions.
2020-03-24 06:22:16,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:16,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:16,834 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:16,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:16,834 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00130000.
2020-03-24 06:22:16,848 [root] DEBUG: DumpPEsInRange: Scanning range 0x130000 - 0x141000.
2020-03-24 06:22:16,848 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x130000-0x141000.
2020-03-24 06:22:16,848 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00130000 - 0x00141000.
2020-03-24 06:22:16,848 [root] DEBUG: set_caller_info: Adding region at 0x00B50000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 06:22:16,848 [root] DEBUG: DumpPEsInRange: Scanning range 0x130000 - 0x141000.
2020-03-24 06:22:16,848 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x130000-0x141000.
2020-03-24 06:22:16,865 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00130000 - 0x00141000.
2020-03-24 06:22:16,865 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2784_156443476816221424232020 successfully created, size 0x11000
2020-03-24 06:22:16,880 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2784_156443476816221424232020
2020-03-24 06:22:16,880 [root] DEBUG: DumpRegion: Dumped stack region from 0x00130000, size 0x11000.
2020-03-24 06:22:16,880 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00130000.
2020-03-24 06:22:16,880 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x130000 - 0x141000.
2020-03-24 06:22:16,880 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00130000.
2020-03-24 06:22:16,880 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0013003C.
2020-03-24 06:22:16,895 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2784_194424857616221424232020 successfully created, size 0x11000
2020-03-24 06:22:16,911 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2784_194424857616221424232020
2020-03-24 06:22:16,911 [root] DEBUG: DumpRegion: Dumped stack region from 0x00130000, size 0x11000.
2020-03-24 06:22:16,911 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00130000.
2020-03-24 06:22:16,911 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x130000 - 0x141000.
2020-03-24 06:22:16,911 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2952
2020-03-24 06:22:16,927 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:16,927 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:16,943 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:16,943 [root] DEBUG: Loader: Injecting process 2952 (thread 2968) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,943 [root] DEBUG: Process image base: 0x00000000FF970000
2020-03-24 06:22:16,943 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,943 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:16,943 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,943 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2952
2020-03-24 06:22:16,957 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:16,957 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2952
2020-03-24 06:22:16,957 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:16,957 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:16,957 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:16,973 [root] DEBUG: Loader: Injecting process 2952 (thread 2968) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,990 [root] DEBUG: Process image base: 0x00000000FF970000
2020-03-24 06:22:16,990 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,990 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:16,990 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:16,990 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2952
2020-03-24 06:22:17,005 [root] DEBUG: Allocation: 0x02B10000 - 0x02CB9000, size: 0x1a9000, protection: 0x40.
2020-03-24 06:22:17,005 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:17,005 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:17,020 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:17,036 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:17,036 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00130000.
2020-03-24 06:22:17,036 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x02B10000, size: 0x1a9000.
2020-03-24 06:22:17,052 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x02B10000) returned 0x00000000.
2020-03-24 06:22:17,052 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:17,052 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x02B10000) -> AllocationBase 0x02B10000 RegionSize 0x1740800.
2020-03-24 06:22:17,052 [root] DEBUG: AddTrackedRegion: New region at 0x02B10000 size 0x1a9000 added to tracked regions.
2020-03-24 06:22:17,052 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x02B10000, TrackedRegion->RegionSize: 0x1a9000, thread 368
2020-03-24 06:22:17,052 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00130000 to 0x02B10000.
2020-03-24 06:22:17,052 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x02B10000 and Type=0x1.
2020-03-24 06:22:17,068 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 368 type 1 at address 0x02B10000, size 2 with Callback 0x74387510.
2020-03-24 06:22:17,068 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x02B10000
2020-03-24 06:22:17,068 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x02B1003C and Type=0x1.
2020-03-24 06:22:17,068 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 368 type 1 at address 0x02B1003C, size 4 with Callback 0x743871a0.
2020-03-24 06:22:17,068 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x02B1003C
2020-03-24 06:22:17,068 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x02B10000 (size 0x1a9000).
2020-03-24 06:22:17,082 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,082 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02B10000.
2020-03-24 06:22:17,082 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2020-03-24 06:22:17,082 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,082 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x02B10000.
2020-03-24 06:22:17,082 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2020-03-24 06:22:17,082 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x02B10000: 0x02B10000 0x02B1003C 0x00000000 0x00000000
2020-03-24 06:22:17,082 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x02B1003C already exists for thread 368 (process 2784), skipping.
2020-03-24 06:22:17,098 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0x2b1003c (EIP = 0x1316b2)
2020-03-24 06:22:17,098 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x2b10000: 0x4d.
2020-03-24 06:22:17,098 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:17,098 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,098 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02B1003C.
2020-03-24 06:22:17,098 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x02B10000: 0x02B10000 0x02B1003C 0x00000000 0x00000000
2020-03-24 06:22:17,114 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x02B100F8 and Type=0x1.
2020-03-24 06:22:17,114 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x02B10108 and Type=0x1.
2020-03-24 06:22:17,114 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x02B10108.
2020-03-24 06:22:17,114 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,114 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02B1003C.
2020-03-24 06:22:17,114 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:17,130 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,130 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02B1003C.
2020-03-24 06:22:17,130 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:17,130 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,130 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x02B1003C.
2020-03-24 06:22:17,130 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:17,145 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,145 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x02B100F8.
2020-03-24 06:22:17,145 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,145 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x00130000).
2020-03-24 06:22:17,145 [root] DEBUG: MagicWriteCallback: Magic value not valid NT: 0xb (at 0x02B100F8).
2020-03-24 06:22:17,145 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,145 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x02B100F8.
2020-03-24 06:22:17,161 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,161 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:17,161 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,161 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x02B10108.
2020-03-24 06:22:17,161 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,161 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:17,161 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,161 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x02B10108.
2020-03-24 06:22:17,177 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,177 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:17,177 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,177 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x02B10108.
2020-03-24 06:22:17,177 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,177 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:17,177 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,177 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x02B10108.
2020-03-24 06:22:17,191 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,191 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:17,191 [root] DEBUG: Allocation: 0x00FA0000 - 0x0100B000, size: 0x6b000, protection: 0x40.
2020-03-24 06:22:17,191 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:17,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:17,207 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:17,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:17,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00130000.
2020-03-24 06:22:17,207 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-03-24 06:22:17,207 [root] DEBUG: DumpPEsInRange: Scanning range 0x2b10000 - 0x2cb9000.
2020-03-24 06:22:17,207 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x2b10000
2020-03-24 06:22:17,207 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-03-24 06:22:17,223 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x02B10000.
2020-03-24 06:22:17,239 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2784_9172411201722624232020
2020-03-24 06:22:17,255 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x1a2a00.
2020-03-24 06:22:17,255 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 2 of 51040, RVA 0x16024b4 and size 0x8ba6ebd7.
2020-03-24 06:22:17,255 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 46863, RVA 0x8a44d003 and size 0x48800a44.
2020-03-24 06:22:17,255 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 2 of 51507, RVA 0xb70f0e03 and size 0xf8966c9.
2020-03-24 06:22:17,269 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2b10200-0x2cb9000.
2020-03-24 06:22:17,269 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x02B10000 - 0x02CB9000.
2020-03-24 06:22:17,269 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x02B10000 - 0x02CB9000.
2020-03-24 06:22:17,269 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2b10000 - 0x2cb9000.
2020-03-24 06:22:17,269 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x02B100F8.
2020-03-24 06:22:17,269 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x02B1003C.
2020-03-24 06:22:17,286 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x02B10108.
2020-03-24 06:22:17,286 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00FA0000, size: 0x6b000.
2020-03-24 06:22:17,286 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00FA0000) returned 0x00000000.
2020-03-24 06:22:17,286 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 06:22:17,286 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00FA0000) -> AllocationBase 0x00FA0000 RegionSize 0x438272.
2020-03-24 06:22:17,286 [root] DEBUG: AddTrackedRegion: New region at 0x00FA0000 size 0x6b000 added to tracked regions.
2020-03-24 06:22:17,302 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00FA0000, TrackedRegion->RegionSize: 0x6b000, thread 368
2020-03-24 06:22:17,302 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x02B10000 to 0x00FA0000.
2020-03-24 06:22:17,302 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xcc, Size=0x2, Address=0x00FA0000 and Type=0x1.
2020-03-24 06:22:17,302 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 368 type 1 at address 0x00FA0000, size 2 with Callback 0x74387510.
2020-03-24 06:22:17,302 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00FA0000
2020-03-24 06:22:17,302 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xcc, Size=0x4, Address=0x00FA003C and Type=0x1.
2020-03-24 06:22:17,302 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 368 type 1 at address 0x00FA003C, size 4 with Callback 0x743871a0.
2020-03-24 06:22:17,316 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00FA003C
2020-03-24 06:22:17,316 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00FA0000 (size 0x6b000).
2020-03-24 06:22:17,316 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,316 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00FA0000.
2020-03-24 06:22:17,316 [root] DEBUG: BaseAddressWriteCallback: M written to first byte, awaiting next byte.
2020-03-24 06:22:17,316 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,316 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00FA0000.
2020-03-24 06:22:17,332 [root] DEBUG: BaseAddressWriteCallback: MZ header found.
2020-03-24 06:22:17,332 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x00FA0000: 0x00FA0000 0x00FA003C 0x00000000 0x00000000
2020-03-24 06:22:17,332 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (1) at 0x00FA003C already exists for thread 368 (process 2784), skipping.
2020-03-24 06:22:17,332 [root] DEBUG: BaseAddressWriteCallback: set write bp on e_lfanew write location: 0xfa003c (EIP = 0x1316b2)
2020-03-24 06:22:17,332 [root] DEBUG: BaseAddressWriteCallback: byte written to 0xfa0000: 0x4d.
2020-03-24 06:22:17,332 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 06:22:17,348 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,348 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00FA003C.
2020-03-24 06:22:17,348 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x00FA0000: 0x00FA0000 0x00FA003C 0x00000000 0x00000000
2020-03-24 06:22:17,348 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x2, Address=0x00FA0108 and Type=0x1.
2020-03-24 06:22:17,348 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x4, Address=0x00FA0118 and Type=0x1.
2020-03-24 06:22:17,348 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00FA0118.
2020-03-24 06:22:17,364 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,364 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00FA003C.
2020-03-24 06:22:17,364 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:17,364 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,364 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00FA003C.
2020-03-24 06:22:17,364 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:17,380 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,380 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x00FA003C.
2020-03-24 06:22:17,380 [root] DEBUG: PEPointerWriteCallback: Leaving 'magic' breakpoint unchanged.
2020-03-24 06:22:17,380 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,380 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x00FA0108.
2020-03-24 06:22:17,380 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,380 [root] DEBUG: MagicWriteCallback: Not in a hooked function, setting callback in enter_hook() to catch next hook (return address 0x00130000).
2020-03-24 06:22:17,394 [root] DEBUG: MagicWriteCallback: Magic value not valid NT: 0xb (at 0x00FA0108).
2020-03-24 06:22:17,394 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,394 [root] DEBUG: MagicWriteCallback: Breakpoint 0 at Address 0x00FA0108.
2020-03-24 06:22:17,394 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,394 [root] DEBUG: MagicWriteCallback: Valid magic value but entry point still empty, leaving breakpoint intact.
2020-03-24 06:22:17,394 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,411 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x00FA0118.
2020-03-24 06:22:17,411 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,411 [root] DEBUG: AddressOfEPWriteCallback: Valid magic value but AddressOfEntryPoint 0xe0 too small, possibly only partially written (<0x1e8).
2020-03-24 06:22:17,411 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,411 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x00FA0118.
2020-03-24 06:22:17,411 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,411 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x00FA0108: 0x00FA0108 0x00FA003C 0x00FA0118 0x00000000
2020-03-24 06:22:17,411 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x00FA30E0 and Type=0x1.
2020-03-24 06:22:17,426 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x00FA30E0.
2020-03-24 06:22:17,426 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2020-03-24 06:22:17,426 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,426 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x00FA0118.
2020-03-24 06:22:17,426 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,426 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x00FA30E0: 0x00FA30E0 0x00FA003C 0x00FA0118 0x00000000
2020-03-24 06:22:17,426 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (0) at 0x00FA30E0 already exists for thread 368 (process 2784), skipping.
2020-03-24 06:22:17,426 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x00FA30E0.
2020-03-24 06:22:17,441 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2020-03-24 06:22:17,441 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,441 [root] DEBUG: AddressOfEPWriteCallback: Breakpoint 2 at Address 0x00FA0118.
2020-03-24 06:22:17,441 [root] DEBUG: GetHookCallerBase: thread 368 (handle 0xcc), return address 0x00132BFB, allocation base 0x00130000.
2020-03-24 06:22:17,441 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x00FA30E0: 0x00FA30E0 0x00FA003C 0x00FA0118 0x00000000
2020-03-24 06:22:17,441 [root] DEBUG: ContextSetThreadBreakpoint: An identical breakpoint (0) at 0x00FA30E0 already exists for thread 368 (process 2784), skipping.
2020-03-24 06:22:17,441 [root] DEBUG: AddressOfEPWriteCallback: set write bp on AddressOfEntryPoint location 0x00FA30E0.
2020-03-24 06:22:17,441 [root] DEBUG: AddressOfEPWriteCallback executed successfully.
2020-03-24 06:22:17,457 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,457 [root] DEBUG: EntryPointWriteCallback: Breakpoint 0 at Address 0x00FA30E0.
2020-03-24 06:22:17,457 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x0, Address=0x00FA30E0 and Type=0x0.
2020-03-24 06:22:17,457 [root] DEBUG: EntryPointWriteCallback: Execution bp 0 set on EntryPoint address 0x00FA30E0.
2020-03-24 06:22:17,457 [root] DEBUG: EntryPointWriteCallback: DEBUG: NumberOfSections 6, SizeOfHeaders 0x1f8.
2020-03-24 06:22:17,457 [root] DEBUG: ContextUpdateCurrentBreakpoint: bp 0x00FA30E0: 0x00FA30E0 0x00FA003C 0x00FA0118 0x00000000
2020-03-24 06:22:17,457 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 0 within Context, Size=0x1, Address=0x0100A1FF and Type=0x1.
2020-03-24 06:22:17,457 [root] DEBUG: EntryPointWriteCallback: Set write breakpoint on final section, last byte: 0x00000000
2020-03-24 06:22:17,473 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x001316B2 (thread 368)
2020-03-24 06:22:17,473 [root] DEBUG: FinalByteWriteCallback: Breakpoint 0 at Address 0x0100A1FF.
2020-03-24 06:22:17,473 [root] DEBUG: DumpPEsInRange: Scanning range 0xfa0000 - 0x100b000.
2020-03-24 06:22:17,473 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xfa0000
2020-03-24 06:22:17,473 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump 'raw' PE image.
2020-03-24 06:22:17,473 [root] DEBUG: DumpPE: Instantiating PeParser with address: 0x00FA0000.
2020-03-24 06:22:17,489 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2784_184892947917221424232020
2020-03-24 06:22:17,489 [root] DEBUG: DumpPE: PE file in memory dumped successfully - dump size 0x66800.
2020-03-24 06:22:17,503 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xfa0200-0x100b000.
2020-03-24 06:22:17,503 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00FA0000 - 0x0100B000.
2020-03-24 06:22:17,503 [root] DEBUG: FinalByteWriteCallback: successfully dumped module.
2020-03-24 06:22:17,503 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xfa0000 - 0x100b000.
2020-03-24 06:22:17,503 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x0100A1FF.
2020-03-24 06:22:17,503 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x00FA003C.
2020-03-24 06:22:17,503 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00FA0118.
2020-03-24 06:22:17,519 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2952
2020-03-24 06:22:17,519 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:17,519 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:17,519 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:17,536 [root] DEBUG: Loader: Injecting process 2952 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:17,536 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2968, handle 0x84
2020-03-24 06:22:17,536 [root] DEBUG: Process image base: 0x00000000FF970000
2020-03-24 06:22:17,536 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:17,536 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:17,536 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:17,536 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2952
2020-03-24 06:22:17,536 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2952
2020-03-24 06:22:17,551 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:17,551 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:17,551 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:17,551 [root] DEBUG: Loader: Injecting process 2952 (thread 0) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:17,551 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-03-24 06:22:17,551 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed, falling back to thread injection.
2020-03-24 06:22:17,566 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:17,566 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:17,566 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:17,582 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:17,582 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:17,582 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:17,582 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:17,582 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2952 at 0x0000000074450000, image base 0x00000000FF970000, stack from 0x0000000000385000-0x0000000000390000
2020-03-24 06:22:17,598 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe "261".
2020-03-24 06:22:17,598 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF970000) returned 0x0000000000000000.
2020-03-24 06:22:17,598 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:17,598 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF970000) -> AllocationBase 0x00000000FF970000 RegionSize 0x4096.
2020-03-24 06:22:17,598 [root] DEBUG: AddTrackedRegion: EntryPoint 0x170c0, Entropy 5.361665e+00
2020-03-24 06:22:17,598 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF970000 size 0x1000 added to tracked regions.
2020-03-24 06:22:17,598 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:17,598 [root] INFO: Added new process to list with pid: 2952
2020-03-24 06:22:17,614 [root] INFO: Monitor successfully loaded in process with pid 2952.
2020-03-24 06:22:17,614 [root] DEBUG: set_caller_info: Adding region at 0x0000000000090000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:22:17,614 [root] DEBUG: DLL loaded at 0x0000000002310000: C:\hssovesly\dll\advDtTMt (0xe5000 bytes).
2020-03-24 06:22:17,614 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 06:22:17,614 [root] DEBUG: DLL unloaded from 0x0000000002310000.
2020-03-24 06:22:17,628 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-03-24 06:22:17,628 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-03-24 06:22:17,628 [root] DEBUG: Failed to inject DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:17,628 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 2952, error: -8
2020-03-24 06:22:17,628 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2784).
2020-03-24 06:22:17,628 [root] DEBUG: set_caller_info: Adding region at 0x0000000000080000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:17,644 [root] DEBUG: set_caller_info: Adding region at 0x00000000000A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:17,644 [root] DEBUG: set_caller_info: Adding region at 0x0000000000310000 to caller regions list (ntdll::RtlDecompressBuffer).
2020-03-24 06:22:17,644 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:17,644 [root] DEBUG: Allocation: 0x00000000001E0000 - 0x00000000001F3000, size: 0x13000, protection: 0x40.
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00130000.
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:17,644 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-03-24 06:22:17,660 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361398e+00.
2020-03-24 06:22:17,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00FA0000.
2020-03-24 06:22:17,660 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00000000001E0000, size: 0x13000.
2020-03-24 06:22:17,660 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 06:22:17,660 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000001E0000) returned 0x0000000000000000.
2020-03-24 06:22:17,660 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2784).
2020-03-24 06:22:17,660 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:17,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 06:22:17,660 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000001E0000) -> AllocationBase 0x00000000001E0000 RegionSize 0x77824.
2020-03-24 06:22:17,660 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x01210000.
2020-03-24 06:22:17,660 [root] DEBUG: AddTrackedRegion: New region at 0x00000000001E0000 size 0x13000 added to tracked regions.
2020-03-24 06:22:17,676 [root] DEBUG: ProcessImageBase: EP 0x00007B54 image base 0x01210000 size 0x0 entropy 5.003642e+00.
2020-03-24 06:22:17,676 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00000000001E0000, TrackedRegion->RegionSize: 0x13000, thread 2968
2020-03-24 06:22:17,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00120000.
2020-03-24 06:22:17,676 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 996.
2020-03-24 06:22:17,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00130000.
2020-03-24 06:22:17,676 [root] DEBUG: SetNextAvailableBreakpoint: Creating new thread breakpoints for thread 2968.
2020-03-24 06:22:17,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x02B10000.
2020-03-24 06:22:17,676 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0x24, Size=0x2, Address=0x00000000001E0000 and Type=0x1.
2020-03-24 06:22:17,676 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00FA0000.
2020-03-24 06:22:17,676 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 2968 type 1 at address 0x00000000001E0000, size 2 with Callback 0x74457850.
2020-03-24 06:22:17,691 [root] INFO: Notified of termination of process with pid 2784.
2020-03-24 06:22:17,691 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00000000001E0000
2020-03-24 06:22:17,691 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 460).
2020-03-24 06:22:17,691 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0x24, Size=0x4, Address=0x00000000001E003C and Type=0x1.
2020-03-24 06:22:17,691 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:17,691 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 2968 type 1 at address 0x00000000001E003C, size 4 with Callback 0x74457430.
2020-03-24 06:22:17,691 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFA10000.
2020-03-24 06:22:17,691 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x00000000001E003C
2020-03-24 06:22:17,691 [root] DEBUG: ProcessImageBase: EP 0x0000000000013310 image base 0x00000000FFA10000 size 0x0 entropy 6.073781e+00.
2020-03-24 06:22:17,691 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00000000001E0000 (size 0x13000).
2020-03-24 06:22:17,707 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2104.
2020-03-24 06:22:17,707 [root] DEBUG: set_caller_info: Adding region at 0x00000000001E0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:22:17,707 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2056).
2020-03-24 06:22:17,707 [root] DEBUG: set_caller_info: Caller at 0x00000000001E0000 in tracked regions.
2020-03-24 06:22:17,707 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:17,707 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:17,707 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:17,707 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:17,707 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361398e+00.
2020-03-24 06:22:17,707 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361398e+00.
2020-03-24 06:22:17,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000003D0000.
2020-03-24 06:22:17,723 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000001E0000.
2020-03-24 06:22:17,723 [root] DEBUG: DumpPEsInRange: Scanning range 0x1e0000 - 0x1f3000.
2020-03-24 06:22:17,723 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1e0000-0x1f3000.
2020-03-24 06:22:17,723 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00000000001E0000 - 0x00000000001F3000.
2020-03-24 06:22:17,723 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:22:17,723 [root] DEBUG: DumpMemory: CAPE output file C:\SiMZpfzLG\CAPE\2952_3295873421722624232020 successfully created, size 0x13000
2020-03-24 06:22:17,737 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 06:22:17,737 [root] INFO: Added new CAPE file to list with path: C:\SiMZpfzLG\CAPE\2952_3295873421722624232020
2020-03-24 06:22:17,737 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2056).
2020-03-24 06:22:17,753 [root] DEBUG: DumpRegion: Dumped stack region from 0x00000000001E0000, size 0x13000.
2020-03-24 06:22:17,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:17,753 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00000000001E0000.
2020-03-24 06:22:17,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:17,753 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x1e0000 - 0x1f3000.
2020-03-24 06:22:17,753 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361398e+00.
2020-03-24 06:22:17,753 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00000000001E0000.
2020-03-24 06:22:17,753 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000003D0000.
2020-03-24 06:22:17,753 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 06:22:17,769 [root] INFO: Notified of termination of process with pid 2056.
2020-03-24 06:22:17,769 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 06:22:17,769 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x00000000001E003C.
2020-03-24 06:22:17,769 [root] DEBUG: Error 31 (0x1f) - ClearDebugRegister: Initial GetThreadContext failed: A device attached to the system is not functioning.
2020-03-24 06:22:17,769 [root] DEBUG: ClearThreadBreakpoint: Call to ClearDebugRegister failed.
2020-03-24 06:22:17,785 [root] DEBUG: DLL loaded at 0x000007FEFEC80000: C:\Windows\system32\WININET (0x12a000 bytes).
2020-03-24 06:22:17,785 [root] DEBUG: DLL loaded at 0x000007FEFEB00000: C:\Windows\system32\urlmon (0x178000 bytes).
2020-03-24 06:22:17,785 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 06:22:17,801 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 06:22:17,801 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 06:22:17,801 [root] DEBUG: DLL loaded at 0x000007FEFF1C0000: C:\Windows\system32\iertutil (0x259000 bytes).
2020-03-24 06:22:17,815 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 06:22:17,832 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 06:22:17,832 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 06:22:17,832 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 06:22:17,832 [root] DEBUG: set_caller_info: Adding region at 0x00000000004D0000 to caller regions list (kernel32::SetErrorMode).
2020-03-24 06:22:17,848 [root] DEBUG: DLL loaded at 0x000007FEFBB00000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2020-03-24 06:22:17,926 [root] DEBUG: DLL loaded at 0x000007FEFC190000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2020-03-24 06:22:17,926 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 06:22:17,957 [root] DEBUG: DLL loaded at 0x000007FEFC710000: C:\Windows\system32\dnsapi (0x5b000 bytes).
2020-03-24 06:22:17,971 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEEE0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 06:22:17,987 [root] DEBUG: Allocation: 0x000007FEFEEF0000 - 0x000007FEFEEF1000, size: 0x1000, protection: 0x40.
2020-03-24 06:22:17,987 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:17,987 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF970000.
2020-03-24 06:22:17,987 [root] DEBUG: ProcessImageBase: EP 0x00000000000170C0 image base 0x00000000FF970000 size 0x0 entropy 5.361398e+00.
2020-03-24 06:22:17,987 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000001E0000.
2020-03-24 06:22:18,019 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x000007FEFEEF0000, size: 0x1000.
2020-03-24 06:22:18,019 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEFEEF0000) returned 0x0000000000000000.
2020-03-24 06:22:18,019 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:18,019 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEFEEF0000) -> AllocationBase 0x000007FEFEEF0000 RegionSize 0x4096.
2020-03-24 06:22:18,019 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEFEEF0000 size 0x1000 added to tracked regions.
2020-03-24 06:22:18,035 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2020-03-24 06:22:18,035 [root] DEBUG: DLL loaded at 0x000007FEFCB70000: C:\Windows\system32\Cryptdll (0x14000 bytes).
2020-03-24 06:22:18,065 [root] DEBUG: set_caller_info: Adding region at 0x0000000000120000 to caller regions list (ntdll::NtCreateFile).
2020-03-24 06:22:18,065 [root] DEBUG: DLL loaded at 0x000007FEFB300000: C:\Windows\system32\NLAapi (0x15000 bytes).
2020-03-24 06:22:18,065 [root] DEBUG: DLL loaded at 0x000007FEF9880000: C:\Windows\system32\napinsp (0x15000 bytes).
2020-03-24 06:22:18,082 [root] DEBUG: DLL loaded at 0x000007FEF9860000: C:\Windows\system32\pnrpnsp (0x19000 bytes).
2020-03-24 06:22:18,096 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\System32\mswsock (0x55000 bytes).
2020-03-24 06:22:18,112 [root] DEBUG: DLL loaded at 0x000007FEF9850000: C:\Windows\System32\winrnr (0xb000 bytes).
2020-03-24 06:22:18,486 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 06:22:18,517 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 06:22:18,533 [root] DEBUG: set_caller_info: Adding region at 0x0000000001190000 to caller regions list (ws2_32::gethostbyname).
2020-03-24 06:22:21,747 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-03-24 06:22:21,763 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-03-24 06:22:21,779 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 06:22:21,809 [root] DEBUG: DLL loaded at 0x000007FEFD360000: C:\Windows\system32\wintrust (0x3a000 bytes).
2020-03-24 06:22:21,809 [root] DEBUG: DLL loaded at 0x000007FEFC680000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 06:22:21,841 [root] DEBUG: set_caller_info: Adding region at 0x0000000000C90000 to caller regions list (wininet::InternetSetOptionA).
2020-03-24 06:22:21,871 [root] DEBUG: DLL loaded at 0x000007FEF54D0000: C:\Windows\system32\RASAPI32 (0x62000 bytes).
2020-03-24 06:22:21,871 [root] DEBUG: DLL loaded at 0x000007FEF54B0000: C:\Windows\system32\rasman (0x1c000 bytes).
2020-03-24 06:22:21,918 [root] DEBUG: DLL loaded at 0x000007FEFA720000: C:\Windows\system32\rtutils (0x11000 bytes).
2020-03-24 06:22:21,918 [root] DEBUG: DLL loaded at 0x000007FEFBA20000: C:\Windows\system32\sensapi (0x9000 bytes).
2020-03-24 06:22:21,966 [root] DEBUG: DLL unloaded from 0x000007FEFEC80000.
2020-03-24 06:22:21,966 [root] DEBUG: DLL unloaded from 0x000007FEF54B0000.
2020-03-24 06:22:22,028 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 06:22:22,028 [root] DEBUG: set_caller_info: Adding region at 0x00000000005E0000 to caller regions list (ws2_32::setsockopt).
2020-03-24 06:22:22,043 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x000007FEFEEE0000, code 0xc0000005, flags 0x0, parameters 0x0 and 0xe7fee8e0.
2020-03-24 06:22:23,572 [root] DEBUG: DLL unloaded from 0x000007FEFD430000.
2020-03-24 06:22:23,634 [root] INFO: Announced starting service "WerSvc"
2020-03-24 06:22:23,651 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2928
2020-03-24 06:22:23,651 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,651 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:23,651 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:23,665 [root] DEBUG: Loader: Injecting process 2928 (thread 2776) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,665 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 06:22:23,665 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,665 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:23,665 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,681 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2928
2020-03-24 06:22:23,681 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2928
2020-03-24 06:22:23,681 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,681 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:23,697 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:23,697 [root] DEBUG: Loader: Injecting process 2928 (thread 2776) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,697 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 06:22:23,697 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,697 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:23,713 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,713 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2928
2020-03-24 06:22:23,713 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:23,713 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:23,729 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:23,729 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:23,743 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:23,743 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:23,743 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:23,743 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2928 at 0x0000000074450000, image base 0x00000000FFA10000, stack from 0x0000000000225000-0x0000000000230000
2020-03-24 06:22:23,743 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2020-03-24 06:22:23,759 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 06:22:23,759 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:23,759 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 06:22:23,776 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.647981e+00
2020-03-24 06:22:23,776 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 06:22:23,776 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:23,776 [root] INFO: Added new process to list with pid: 2928
2020-03-24 06:22:23,790 [root] INFO: Monitor successfully loaded in process with pid 2928.
2020-03-24 06:22:23,790 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2648.
2020-03-24 06:22:23,790 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 06:22:23,790 [root] DEBUG: DLL loaded at 0x000007FEF4ED0000: c:\windows\system32\wersvc (0x18000 bytes).
2020-03-24 06:22:23,806 [root] DEBUG: DLL unloaded from 0x000007FEF4ED0000.
2020-03-24 06:22:23,806 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2828.
2020-03-24 06:22:23,822 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 06:22:23,854 [root] DEBUG: DLL loaded at 0x000007FEF2C90000: C:\Windows\System32\faultrep (0x5c000 bytes).
2020-03-24 06:22:23,868 [root] DEBUG: DLL loaded at 0x000007FEF8CA0000: C:\Windows\System32\wer (0x7c000 bytes).
2020-03-24 06:22:23,884 [root] DEBUG: DLL loaded at 0x000007FEFD560000: C:\Windows\system32\SHELL32 (0xd88000 bytes).
2020-03-24 06:22:23,884 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\System32\profapi (0xf000 bytes).
2020-03-24 06:22:23,900 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\System32\USERENV (0x1e000 bytes).
2020-03-24 06:22:23,915 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2680
2020-03-24 06:22:23,915 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,915 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:23,915 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:23,931 [root] DEBUG: Loader: Injecting process 2680 (thread 2900) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,931 [root] DEBUG: Process image base: 0x00000000FFCF0000
2020-03-24 06:22:23,931 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,931 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:23,931 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,947 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2680
2020-03-24 06:22:23,947 [root] DEBUG: DLL loaded at 0x000007FEFCEF0000: C:\Windows\system32\apphelp (0x57000 bytes).
2020-03-24 06:22:23,947 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2680
2020-03-24 06:22:23,947 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,963 [lib.api.process] INFO: 64-bit DLL to inject is C:\hssovesly\dll\advDtTMt.dll, loader C:\hssovesly\bin\IyrDOcsk.exe
2020-03-24 06:22:23,963 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nkibKCTHP.
2020-03-24 06:22:23,963 [root] DEBUG: Loader: Injecting process 2680 (thread 2900) with C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,963 [root] DEBUG: Process image base: 0x00000000FFCF0000
2020-03-24 06:22:23,977 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,977 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:23,977 [root] DEBUG: Successfully injected DLL C:\hssovesly\dll\advDtTMt.dll.
2020-03-24 06:22:23,977 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2680
2020-03-24 06:22:23,977 [root] DEBUG: DLL unloaded from 0x000007FEF2C90000.
2020-03-24 06:22:23,993 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:23,993 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:23,993 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:24,009 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:24,009 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:24,009 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:24,025 [root] DEBUG: Debugger initialised.
2020-03-24 06:22:24,025 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2680 at 0x0000000074450000, image base 0x00000000FFCF0000, stack from 0x00000000000D5000-0x00000000000E0000
2020-03-24 06:22:24,025 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 2952 -s 916.
2020-03-24 06:22:24,025 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFCF0000) returned 0x0000000000000000.
2020-03-24 06:22:24,025 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 06:22:24,040 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFCF0000) -> AllocationBase 0x00000000FFCF0000 RegionSize 0x4096.
2020-03-24 06:22:24,040 [root] DEBUG: AddTrackedRegion: EntryPoint 0x44920, Entropy 6.376666e+00
2020-03-24 06:22:24,040 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFCF0000 size 0x1000 added to tracked regions.
2020-03-24 06:22:24,055 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 06:22:24,055 [root] INFO: Added new process to list with pid: 2680
2020-03-24 06:22:24,055 [root] INFO: Monitor successfully loaded in process with pid 2680.
2020-03-24 06:22:24,072 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2680).
2020-03-24 06:22:24,072 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:24,072 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFCF0000.
2020-03-24 06:22:24,072 [root] DEBUG: ProcessImageBase: EP 0x0000000000044920 image base 0x00000000FFCF0000 size 0x0 entropy 6.376937e+00.
2020-03-24 06:22:24,088 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCEC0000 to caller regions list (ntdll::NtClose).
2020-03-24 06:22:24,088 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2680).
2020-03-24 06:22:24,088 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:24,088 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFCF0000.
2020-03-24 06:22:24,088 [root] DEBUG: ProcessImageBase: EP 0x0000000000044920 image base 0x00000000FFCF0000 size 0x0 entropy 6.376937e+00.
2020-03-24 06:22:24,088 [root] INFO: Notified of termination of process with pid 2680.
2020-03-24 06:22:24,102 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2928).
2020-03-24 06:22:24,102 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:22:24,102 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFA10000.
2020-03-24 06:22:24,102 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FFA10000 size 0x0 entropy 3.669760e+00.
2020-03-24 06:22:24,118 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2648.
2020-03-24 06:22:24,118 [root] INFO: Notified of termination of process with pid 2952.
2020-03-24 06:22:24,118 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 2952).
2020-03-24 06:24:14,598 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 06:24:14,628 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 06:24:23,848 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2036.
2020-03-24 06:24:23,848 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 06:24:23,848 [root] DEBUG: DLL unloaded from 0x000007FEF4ED0000.
2020-03-24 06:24:23,848 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2928).
2020-03-24 06:24:23,865 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:24:23,865 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFA10000.
2020-03-24 06:24:23,865 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FFA10000 size 0x0 entropy 3.670375e+00.
2020-03-24 06:24:23,865 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2648.
2020-03-24 06:24:23,865 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2828.
2020-03-24 06:24:23,880 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 06:24:23,880 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2928).
2020-03-24 06:24:23,880 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:24:23,880 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFA10000.
2020-03-24 06:24:23,895 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FFA10000 size 0x0 entropy 3.670375e+00.
2020-03-24 06:24:23,895 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2648.
2020-03-24 06:24:23,895 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2828.
2020-03-24 06:24:23,895 [root] INFO: Notified of termination of process with pid 2928.
2020-03-24 06:25:22,739 [root] DEBUG: CreateThread: Initialising breakpoints for thread 544.
2020-03-24 06:25:27,045 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 06:25:27,045 [root] INFO: Created shutdown mutex.
2020-03-24 06:25:28,059 [lib.api.process] INFO: Terminate event set for process 1632
2020-03-24 06:25:28,059 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1632).
2020-03-24 06:25:28,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 06:25:28,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 06:25:28,059 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860289e+00.
2020-03-24 06:25:28,073 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 1748.
2020-03-24 06:25:28,073 [lib.api.process] INFO: Termination confirmed for process 1632
2020-03-24 06:25:28,073 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2020-03-24 06:25:28,073 [root] INFO: Terminate event set for process 1632.
2020-03-24 06:25:28,073 [root] INFO: Terminating process 1632 before shutdown.
2020-03-24 06:25:28,073 [root] INFO: Waiting for process 1632 to exit.
2020-03-24 06:25:29,075 [root] INFO: Shutting down package.
2020-03-24 06:25:29,076 [root] INFO: Stopping auxiliary modules.
2020-03-24 06:25:29,078 [root] INFO: Finishing auxiliary modules.
2020-03-24 06:25:29,078 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 06:25:29,081 [root] WARNING: File at path "C:\SiMZpfzLG\debugger" does not exist, skip.
2020-03-24 06:25:29,082 [root] INFO: Analysis completed.
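The log above records the monitor following a WerSvc svchost and a WerFault.exe (injected by IAT patching) after an unhandled 0xc0000005 exception, and the crash-reporting commandline names the crashed pid with `-p`. Reading that by eye across thousands of lines is slow, so here is an added example (not part of the CAPE report and not CAPE's own code) that parses the analyzer log into a per-process record and a short triage summary. The sample lines are copied from the log above and trimmed to the events the parser keys on; the NTSTATUS name table is this example's own assumption. Note that pid 2952, the process WerFault reports on, is never announced in this excerpt, so the parser keeps it as an unnamed record rather than dropping it.

```python
"""Triage a CAPE analyzer.log excerpt: which processes the monitor followed,
which ones it injected into, what crashed and which WerFault reported it."""
import re

# Constructed sample: lines copied from the analyzer log above, trimmed to the
# events this parser keys on. A real analyzer.log carries thousands more lines.
SAMPLE_LOG = r"""
2020-03-24 06:22:22,043 [root] DEBUG: RtlDispatchException: Unhandled exception! Address 0x000007FEFEEE0000, code 0xc0000005, flags 0x0, parameters 0x0 and 0xe7fee8e0.
2020-03-24 06:22:23,634 [root] INFO: Announced starting service "WerSvc"
2020-03-24 06:22:23,651 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2928
2020-03-24 06:22:23,681 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2928
2020-03-24 06:22:23,743 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2928 at 0x0000000074450000, image base 0x00000000FFA10000, stack from 0x0000000000225000-0x0000000000230000
2020-03-24 06:22:23,743 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k WerSvcGroup.
2020-03-24 06:22:23,915 [root] INFO: Announced 64-bit process name: WerFault.exe pid: 2680
2020-03-24 06:22:23,947 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2680
2020-03-24 06:22:24,025 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2680 at 0x0000000074450000, image base 0x00000000FFCF0000, stack from 0x00000000000D5000-0x00000000000E0000
2020-03-24 06:22:24,025 [root] DEBUG: Commandline: C:\Windows\sysnative\WerFault.exe -u -p 2952 -s 916.
2020-03-24 06:22:24,088 [root] INFO: Notified of termination of process with pid 2680.
2020-03-24 06:22:24,118 [root] INFO: Notified of termination of process with pid 2952.
2020-03-24 06:24:23,895 [root] INFO: Notified of termination of process with pid 2928.
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[[^\]]+\] \w+: (?P<msg>.*)$")
ANNOUNCE_RE = re.compile(r"Announced \d\d-bit process name: (?P<name>\S+) pid: (?P<pid>\d+)")
INJECT_RE = re.compile(r"Injected into suspended \d\d-bit process with pid (?P<pid>\d+)")
INIT_RE = re.compile(r"CAPE initialised: .*loaded in process (?P<pid>\d+) at ")
CMDLINE_RE = re.compile(r"Commandline: (?P<cmd>.*?)\.?$")  # CAPE appends a full stop
TERM_RE = re.compile(r"Notified of termination of process with pid (?P<pid>\d+)")
EXC_RE = re.compile(r"Unhandled exception! Address (?P<addr>0x[0-9A-Fa-f]+), code (?P<code>0x[0-9A-Fa-f]+)")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*\s-p (?P<victim>\d+)")  # -p <pid> is the crashed process

# Only the NTSTATUS seen in this log is named; extend as needed (assumption).
EXC_NAMES = {"0xc0000005": "STATUS_ACCESS_VIOLATION"}


def _proc(procs, pid, name=None):
    """Return the record for pid, creating it on first sight."""
    rec = procs.setdefault(pid, {"name": None, "injected": False, "cmdline": None, "terminated": None})
    if name and not rec["name"]:
        rec["name"] = name
    return rec


def parse_analyzer_log(text):
    """Return (procs, exceptions): procs maps pid -> record, exceptions is a
    list of (timestamp, address, code) for every unhandled exception logged."""
    procs, exceptions = {}, []
    current = None  # pid whose in-process monitor most recently initialised
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if (a := ANNOUNCE_RE.search(msg)):
            _proc(procs, int(a["pid"]), a["name"])
        elif (a := INJECT_RE.search(msg)):
            _proc(procs, int(a["pid"]))["injected"] = True
        elif (a := INIT_RE.search(msg)):
            current = int(a["pid"])  # the next Commandline line belongs to this pid
        elif (a := CMDLINE_RE.search(msg)) and current is not None:
            _proc(procs, current)["cmdline"] = a["cmd"]
        elif (a := TERM_RE.search(msg)):
            _proc(procs, int(a["pid"]))["terminated"] = ts
        elif (a := EXC_RE.search(msg)):
            exceptions.append((ts, a["addr"], a["code"].lower()))
    return procs, exceptions


def crash_reports(procs):
    """Map each WerFault.exe pid to the pid it was launched to report on."""
    out = {}
    for pid, rec in procs.items():
        m = WERFAULT_RE.search(rec["cmdline"] or "")
        if m:
            out[pid] = int(m["victim"])
    return out


def summarize(text):
    """Human-readable triage lines: exceptions, crash reports, injected pids."""
    procs, exceptions = parse_analyzer_log(text)
    lines = [f"{ts} unhandled exception at {addr}: {code} ({EXC_NAMES.get(code, 'unknown')})"
             for ts, addr, code in exceptions]
    for werfault, victim in crash_reports(procs).items():
        v = procs.get(victim, {})
        lines.append(f"WerFault.exe pid {werfault} reported a crash in pid {victim}"
                     f" (terminated {v.get('terminated') or 'unknown'})")
    injected = sorted(pid for pid, r in procs.items() if r["injected"])
    lines.append("monitor injected into pids: " + ", ".join(map(str, injected)))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

The Commandline line carries no pid, so the parser keys it to the pid from the preceding "CAPE initialised ... in process N" line; that pairing holds in CAPE logs because both are emitted by the monitor inside the same process during start-up.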

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2020-03-24 06:22:01
Shutdown On 2020-03-24 06:25:51

File Details

File Name exe.bin
File Size 226304 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 53c1fd5ac99b5690b278ffcc5a49a598
SHA1 656850fe87ead292ceb4844c9a003f9fac354ef6
SHA256 e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0
SHA512 ef39eb51ccb8959c9e3ad70e232bb9193dca7ccf43e3df251a7aa807594f34af1140f59a325c3ab02473b2063a9ea0cc3e8aa9692dfe7125b60183f3e2023847
CRC32 1F301AD2
Ssdeep 3072:DWnu5sNw0Y92CstYXt8GAlrs9K1OGof0IspA3Ame8yFyQj:639CAYXt8GKrsg1OGof0Rvmal
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
At least one process apparently crashed during execution
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2280 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2280 triggered the Yara rule 'embedded_win_api'
Hit: PID 1924 triggered the Yara rule 'embedded_win_api'
Hit: PID 1924 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2056 triggered the Yara rule 'embedded_win_api'
Hit: PID 2784 triggered the Yara rule 'embedded_win_api'
Hit: PID 2784 triggered the Yara rule 'shellcode_patterns'
Possible date expiration check, exits too soon after checking local time
process: exe.bin, PID 1436
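The "Dynamic (imported) function loading detected" signature that follows lists every function the sample resolved at runtime, several hundred lines of it, repeated once per process. The names matter as groups: CreateToolhelp32Snapshot/Process32First with OpenProcess, VirtualAllocEx, WriteProcessMemory and ResumeThread is a remote-injection chain; OpenSCManagerW, CreateServiceW and StartServiceW is service installation; Wow64DisableWow64FsRedirection is a 32-bit process reaching the real System32. Here is an added example (not part of the CAPE report and not CAPE's own signature code) that folds such entries into capability buckets. The capability table is this example's own triage mapping, an assumption rather than anything the report states, and the sample input is a constructed subset of the entries below, with one duplicate and one ordinal (unnamed) load left in on purpose.

```python
"""Read CAPE 'DynamicLoader: module/function' lines and group the resolved
imports into capabilities, so a long list reads as behaviour, not API names."""
import re

# Constructed sample: a subset of the DynamicLoader entries from this report,
# with one duplicate (VirtualAllocEx) and one ordinal load (comctl32.dll/).
SAMPLE = """\
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/VirtualAllocEx
"""

# This example's own triage table (assumption), not a CAPE signature.
CAPABILITIES = {
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "remote_process_injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                                 "ResumeThread", "CreateProcessAsUserW"},
    "service_persistence": {"OpenSCManagerW", "CreateServiceW", "StartServiceW", "ChangeServiceConfig2W"},
    "privilege_manipulation": {"AdjustTokenPrivileges", "LookupPrivilegeValueA",
                               "ImpersonateLoggedOnUser", "OpenProcessToken"},
    "wow64_redirection_bypass": {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"},
    "capi_encryption": {"CryptAcquireContextW", "CryptDeriveKey", "CryptEncrypt", "CryptHashData"},
    "registry_write": {"RegSetValueExW", "RegDeleteValueW"},
    "http_client": {"InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFile"},
    "host_fingerprint": {"GetAdaptersInfo", "GetComputerNameW", "GetComputerNameA",
                         "GetUserNameW", "GetVersionExW"},
    "payload_unpack": {"RtlDecompressBuffer", "VirtualAlloc", "VirtualProtect"},
    "single_instance_mutex": {"CreateMutexA", "OpenMutexA"},
}

# Sequences that are only meaningful as a set: flag when every function is present.
CHAINS = {
    "injection_chain": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "service_install_chain": {"OpenSCManagerW", "CreateServiceW", "StartServiceW"},
}

ENTRY_RE = re.compile(r"DynamicLoader:\s*(?P<mod>[^/\s]+)/(?P<func>\S*)")


def parse_dynamic_loads(text):
    """Return ordered, de-duplicated (module, function) pairs; loads resolved
    by ordinal have no name and are kept with an empty function string."""
    seen, out = set(), []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        key = (m["mod"].lower(), m["func"])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def classify(loads):
    """Bucket named imports into capabilities and report complete chains,
    names that matched nothing, and how many loads were by ordinal."""
    funcs = {f for _, f in loads if f}
    caps = {name: sorted(funcs & apis) for name, apis in CAPABILITIES.items() if funcs & apis}
    chains = [name for name, apis in CHAINS.items() if apis <= funcs]
    known = set().union(*CAPABILITIES.values())
    return {
        "capabilities": caps,
        "chains": chains,
        "unclassified": sorted(funcs - known),
        "ordinal_loads": sum(1 for _, f in loads if not f),
    }


if __name__ == "__main__":
    result = classify(parse_dynamic_loads(SAMPLE))
    for cap, apis in result["capabilities"].items():
        print(f"{cap:26s} {', '.join(apis)}")
    print("chains:", ", ".join(result["chains"]) or "none")
    print("ordinal loads:", result["ordinal_loads"], "unclassified:", result["unclassified"])
```

Ordinal loads (the `comctl32.dll/`, `WS2_32.dll/` and `OLEAUT32.dll/` entries with no name) are counted rather than guessed at: CAPE prints nothing after the slash when the import was resolved by ordinal, and mapping ordinals back to names needs the exact DLL build, so a triage script should surface the count and leave the resolution to the analyst.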
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: SHELL32.dll/
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
Performs HTTP requests potentially not found in PCAP.
url: 153.148.83.172:443//login.asp?id=35
Expresses interest in specific running processes
process: explorer.exe
A process created a hidden window
Process: exe.bin -> C:\Users\user\AppData\Local\Temp\adobe.exe
Process: adobe.exe -> C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
CAPE extracted potentially suspicious content
adobe.exe: Extracted Shellcode
adobe.exe: Extracted Shellcode
eeclnt.exe: Extracted Shellcode
eeclnt.exe: Extracted Shellcode: 64-bit DLL
eeclnt.exe: Extracted PE Image: 64-bit DLL
msiexec.exe: Extracted Shellcode
eeclnt.exe: Extracted Shellcode
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.14, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0001d000, virtual_size: 0x0001db1c
Uses Windows utilities for basic functionality
command: cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\a.bat
Deletes its original binary from disk
Behavioural detection: Injection (Process Hollowing)
Injection: eeclnt.exe(1924) -> msiexec.exe(2056)
Executed a process and injected code into it, probably while unpacking
Injection: eeclnt.exe(1924) -> msiexec.exe(2056)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
Tries to unhook or modify Windows functions monitored by Cuckoo
unhook: function_name: shutdown, type: modification
unhook: function_name: closesocket, type: modification
Installs itself for autorun at Windows startup
service name: WanServer
service path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Windows\
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
binary: C:\Users\user\AppData\Local\Temp\adobe.exe

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 153.148.83.172 Japan

DNS

Name Response Post-Analysis Lookup
news.singmicrosoft.ga CNAME sinkhole.dynu.net
A 153.148.83.172
CNAME a.sinkhole.yourtrap.com

Summary

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_CLASSES_ROOT\.dll\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\UserChoice
HKEY_CLASSES_ROOT\dllfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_CLASSES_ROOT\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
HKEY_CLASSES_ROOT\.dat\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\ShellEx\PropertyHandler
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_LOCAL_MACHINE\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\23F1DDA5-33480874
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\23F1DDA5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\00000005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000006
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000007
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000008
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000009
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000010
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\00000028
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\ProviderInfo
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32SpinCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wersvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\CryptSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpsvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AeLookupSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioSrv\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BFE\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AudioEndpointBuilder\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PolicyAgent\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\RequiredPrivileges
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32SpinCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
ole32.dll.OleInitialize
ole32.dll.OleUninitialize
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
ntdll.dll.memcpy
ntdll.dll.RtlDecompressBuffer
kernel32.dll.SetErrorMode
kernel32.dll.GetModuleHandleW
kernel32.dll.GetCommandLineW
kernel32.dll.Sleep
kernel32.dll.IsWow64Process
kernel32.dll.WideCharToMultiByte
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetModuleFileNameW
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
kernel32.dll.CreateFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetModuleHandleA
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.FreeLibrary
kernel32.dll.GetComputerNameA
kernel32.dll.GetComputerNameW
kernel32.dll.GetSystemInfo
kernel32.dll.CreateMutexA
kernel32.dll.OpenMutexA
kernel32.dll.ExitProcess
kernel32.dll.lstrcmpiW
kernel32.dll.GetCurrentProcess
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.GetSystemDirectoryW
kernel32.dll.Wow64RevertWow64FsRedirection
kernel32.dll.TerminateProcess
kernel32.dll.ResumeThread
kernel32.dll.GetVersionExW
kernel32.dll.CloseHandle
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.VirtualFreeEx
kernel32.dll.VirtualQueryEx
kernel32.dll.ReadProcessMemory
kernel32.dll.GetLastError
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.InitializeCriticalSection
kernel32.dll.HeapReAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.GetProcAddress
kernel32.dll.GetTickCount
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.DeleteFileW
kernel32.dll.OpenProcess
user32.dll.wsprintfW
user32.dll.wsprintfA
advapi32.dll.CryptHashData
advapi32.dll.CryptDeriveKey
advapi32.dll.CryptEncrypt
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptReleaseContext
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.GetUserNameW
advapi32.dll.RevertToSelf
advapi32.dll.ImpersonateLoggedOnUser
advapi32.dll.DeleteService
advapi32.dll.ControlService
advapi32.dll.QueryServiceStatus
advapi32.dll.OpenSCManagerW
advapi32.dll.CreateServiceW
advapi32.dll.OpenServiceW
advapi32.dll.CloseServiceHandle
advapi32.dll.ChangeServiceConfig2W
advapi32.dll.StartServiceW
advapi32.dll.RegSetValueExW
advapi32.dll.OpenProcessToken
advapi32.dll.CreateProcessAsUserW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegDeleteValueW
advapi32.dll.RegCloseKey
advapi32.dll.CryptCreateHash
advapi32.dll.CryptAcquireContextW
shell32.dll.ShellExecuteW
shell32.dll.CommandLineToArgvW
shell32.dll.SHFileOperationW
shell32.dll.SHCreateDirectoryExW
wininet.dll.InternetReadFile
wininet.dll.HttpQueryInfoA
wininet.dll.HttpSendRequestA
wininet.dll.HttpAddRequestHeadersA
wininet.dll.InternetCloseHandle
wininet.dll.InternetConnectA
wininet.dll.InternetSetOptionA
wininet.dll.InternetOpenA
wininet.dll.HttpOpenRequestA
wininet.dll.InternetSetOptionW
ws2_32.dll.#11
ws2_32.dll.#52
ws2_32.dll.#57
ws2_32.dll.#115
ws2_32.dll.#21
ws2_32.dll.#12
iphlpapi.dll.GetAdaptersInfo
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CreateBindCtx
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoUninitialize
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
oleaut32.dll.#500
oleaut32.dll.#200
comctl32.dll.#385
comctl32.dll.#328
comctl32.dll.#334
ole32.dll.CoCreateInstance
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
advapi32.dll.IsTextUnicode
comctl32.dll.#332
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegQueryValueExW
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
shell32.dll.#66
propsys.dll.InitPropVariantFromBuffer
comctl32.dll.#336
comctl32.dll.#329
comctl32.dll.#387
comctl32.dll.#327
cryptsp.dll.CryptReleaseContext
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
ws2_32.dll.closesocket
ws2_32.dll.shutdown
ntdll.dll.RtlGetNtVersionNumbers
cryptdll.dll.MD5Init
cryptdll.dll.MD5Update
cryptdll.dll.MD5Final
kernel32.dll.GetNativeSystemInfo
cryptsp.dll.CryptHashData
cryptsp.dll.CryptDeriveKey
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyKey
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
wersvc.dll.ServiceMain
wersvc.dll.SvchostPushServiceGlobals
advapi32.dll.RegGetValueW
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
faultrep.dll.WerpInitiateCrashReporting
wer.dll.WerpCreateMachineStore
shell32.dll.SHGetFolderPathEx
profapi.dll.#104
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
lpk.dll.LpkEditControl
imm32.dll.ImmDisableIME
"C:\Users\user\AppData\Local\Temp\adobe.exe"
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Local\Temp\exe
"C:\Users\user\AppData\Local\Temp\a.bat"
cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
C:\Users\user\AppData\Local\Temp\a.bat
"C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe 258
C:\Windows\system32\msiexec.exe "259"
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\msiexec.exe "261"
C:\Windows\system32\WerFault.exe -u -p 2952 -s 916
Global\eeclnt
WanServer
WanServer
WerSvc

PE Information

Image Base 0x00400000
Entry Point 0x00401574
Reported Checksum 0x0003e02b
Actual Checksum 0x0003e02b
Minimum OS Version 5.0
Compile Time 2018-04-16 03:42:10
Import Hash b8b143646d634b8219042f8517118310

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x000065d4 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.61
.rdata 0x00008000 0x00001c4c 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.29
.data 0x0000a000 0x0001db1c 0x0001d000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.14
.rsrc 0x00028000 0x00010a80 0x00010c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.12
.reloc 0x00039000 0x00000e44 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.74

Imports

Library KERNEL32.dll:
0x408000 ExitProcess
0x408004 CreateFileA
0x408008 WriteFile
0x40800c CreateFileW
0x408010 GetTempPathW
0x408014 GetModuleFileNameA
0x408018 CloseHandle
0x40801c GetCommandLineA
0x408020 GetStartupInfoA
0x408024 TerminateProcess
0x408028 GetCurrentProcess
0x408034 IsDebuggerPresent
0x408038 GetModuleHandleW
0x40803c Sleep
0x408040 GetProcAddress
0x408044 GetStdHandle
0x408054 WideCharToMultiByte
0x408058 GetLastError
0x408060 SetHandleCount
0x408064 GetFileType
0x40806c TlsGetValue
0x408070 TlsAlloc
0x408074 TlsSetValue
0x408078 TlsFree
0x408080 SetLastError
0x408084 GetCurrentThreadId
0x40808c HeapCreate
0x408090 VirtualFree
0x408094 HeapFree
0x40809c GetTickCount
0x4080a0 GetCurrentProcessId
0x4080b0 LoadLibraryA
0x4080b8 GetCPInfo
0x4080bc GetACP
0x4080c0 GetOEMCP
0x4080c4 IsValidCodePage
0x4080c8 HeapAlloc
0x4080cc VirtualAlloc
0x4080d0 HeapReAlloc
0x4080d4 RtlUnwind
0x4080d8 HeapSize
0x4080dc GetLocaleInfoA
0x4080e0 LCMapStringA
0x4080e4 MultiByteToWideChar
0x4080e8 LCMapStringW
0x4080ec GetStringTypeA
0x4080f0 GetStringTypeW
Library USER32.dll:
0x408104 wsprintfW
0x408108 wsprintfA
Library SHELL32.dll:
0x4080f8 ShellExecuteA
0x4080fc ShellExecuteW

.text
`.rdata
@.data
.rsrc
@.reloc
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
ExitProcess
CreateFileA
WriteFile
CreateFileW
GetTempPathW
GetModuleFileNameA
CloseHandle
KERNEL32.dll
wsprintfW
wsprintfA
USER32.dll
ShellExecuteA
ShellExecuteW
SHELL32.dll
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
GetProcAddress
GetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.text
`.rdata
@.data
.rsrc
@.reloc
SHGetPathFromIDListW
SHGetPathFromIDListA
InitializeCriticalSectionAndSpinCount
GetProcessMemoryInfo
SetProcessDEPPolicy
IsUserAnAdmin
CreateEventW
ProcessIdToSessionId
CloseHandle
NtAcceptConnectPort
NtRequestPort
NtRequestWaitReplyPort
NtReplyWaitReceivePort
NtReplyPort
NtImpersonateClientOfPort
NtReadRequestData
NtWriteRequestData
IsWow64Process
RtlInitUnicodeString
NtCreatePort
CreateThread
NtConnectPort
NtCompleteConnectPort
CreateFileMappingW
SetEntriesInAclW
RegQueryValueExA
RegCloseKey
WTSGetActiveConsoleSessionId
IsDebuggerPresent
EncodePointer
DecodePointer
ntdll.dll
VerSetConditionMask
KERNEL32.DLL
VerifyVersionInfoA
Terminal Server
System\CurrentControlSet\Control\ProductOptions
ProductSuite
eeclnt.pdb
GetLastError
lstrlenA
InitializeCriticalSection
GetTickCount
SetEvent
GetCurrentProcessId
WaitForSingleObject
GetCurrentThread
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
TerminateThread
ResetEvent
GetCurrentThreadId
DeleteCriticalSection
UnmapViewOfFile
CreateMutexW
MapViewOfFile
VirtualAlloc
ReleaseMutex
OpenFileMappingW
InterlockedIncrement
WaitForMultipleObjects
OpenProcess
DuplicateHandle
OpenMutexW
LocalAlloc
LocalFree
GetVersion
GetModuleHandleA
GetProcAddress
lstrcmpA
GetVersionExW
GetSystemTimeAsFileTime
SetThreadPriority
LoadLibraryW
FreeLibrary
KERNEL32.dll
PeekMessageW
TranslateMessage
DispatchMessageW
MsgWaitForMultipleObjects
USER32.dll
OpenThreadToken
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
RegOpenKeyA
ADVAPI32.dll
malloc
??3@YAXPAX@Z
??2@YAPAXI@Z
_snwprintf_s
_purecall
srand
MSVCR110.dll
??1type_info@@UAE@XZ
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_XcptFilter
__crtGetShowWindowMode
_amsg_exit
__wgetmainargs
__set_app_type
_exit
_cexit
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
_wcmdln
_fmode
_commode
_lock
_unlock
_calloc_crt
__dllonexit
_onexit
?terminate@@YAXXZ
__crtSetUnhandledExceptionFilter
_invoke_watson
_controlfp_s
_except_handler4_common
IsProcessorFeaturePresent
QueryPerformanceCounter
memcpy
memset
.?AVtype_info@@
.?AV?$CNodcommClientNt@K@@
.?AV?$CNodcommClientNt@_K@@
.?AV?$CNodcommStructsNt@K@@
.?AV?$CNodcommServerNt@K@@
.?AV?$CNodcommStructsNt@_K@@
.?AVCNodcommCommonNt@@
.?AV?$CNodcommServerNt@_K@@
.?AVINodcommClient@@
.?AVINodcommServer@@
.?AVCNodcommClient9x@@
.?AVCNodcommCommon9x@@
.?AVCNodcommServer9x@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
.text
`.rdata
@.data
.rsrc
@.reloc
ExitProcess
CreateFileA
GetFileSize
ReadFile
VirtualAlloc
GetModuleFileNameA
CloseHandle
KERNEL32.dll
wsprintfA
USER32.dll
malloc
MSVCR90.dll
_encode_pointer
_malloc_crt
_encoded_null
_decode_pointer
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter
_crt_debugger_hook
__clean_type_info_names_internal
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
InterlockedExchange
Sleep
InterlockedCompareExchange
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
??2@YAPAXI@Z
??3@YAXPAX@Z
?terminate@@YAXXZ
_XcptFilter
__set_app_type
__setusermatherr
__wgetmainargs
_calloc_crt
_cexit
_configthreadlocale
_controlfp_s
_exit
_invoke_watson
_purecall
_snwprintf_s
memcpy
memset
srand
?_type_info_dtor_internal_method@type_info@@QAEXXZ
MSVCR110.dll
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
__crtGetShowWindowMode
__crtSetUnhandledExceptionFilter
__crtTerminateProcess
__crtUnhandledException
_wcmdln
?terminate@@YAXXZ
_XcptFilter
__dllonexit
__set_app_type
__setusermatherr
__wgetmainargs
_amsg_exit
_calloc_crt
_cexit
_commode
_configthreadlocale
_controlfp_s
_crt_debugger_hook
_except_handler4_common
_exit
_fmode
_initterm
_initterm_e
_invoke_watson
_lock
_onexit
_purecall
_snwprintf_s
_unlock
malloc
memcpy
memset
srand
mscoree.dll
KERNEL32.DLL
adobe.exe
MSVCR110.dll
MSVCR110.dat
a.bat
shell32.dll
kernel32.dll
psapi.dll
ntdll.dll
advapi32.dll
\BaseNamedObjects\NODCOMM%08XTo%08XCommPort
@NODCOMM%08XTo%08XReceiverMutex
NODCOMM%08XTo%08XCommMutex
NODCOMM%08XTo%08XSendEvent
NODCOMM%08XTo%08XAckEvent
NODCOMM%08XTo%08XSection
@Global\
%sNODCOMM%08XTo%08XBroadcastMutex
%sNODCOMM%08XTo%08XBroadcast
VS_VERSION_INFO
StringFileInfo
040904e4
CompanyName
FileDescription
ESET Elevated Client
FileVersion
8.0.319.0
InternalName
eeclnt.exe
LegalCopyright
Copyright (c) ESET, spol. s r.o. 1992-2015. All rights reserved.
LegalTrademarks
NOD, NOD32, AMON, ESET are registered trademarks of ESET.
OriginalFilename
eeclnt.exe
ProductName
ESET Smart Security
ProductVersion
8.0.319.0
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


exe.bin, PID: 1436, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\exe.bin
Command Line: "C:\Users\user\AppData\Local\Temp\exe.bin"
adobe.exe, PID: 2280, Parent PID: 1436
Full Path: C:\Users\user\AppData\Local\Temp\adobe.exe
Command Line: "C:\Users\user\AppData\Local\Temp\adobe.exe"
cmd.exe, PID: 740, Parent PID: 1436
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
eeclnt.exe, PID: 1924, Parent PID: 2280
Full Path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Command Line: "C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258
msiexec.exe, PID: 2056, Parent PID: 1924
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe "259"
services.exe, PID: 460, Parent PID: 372
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
eeclnt.exe, PID: 2784, Parent PID: 460
Full Path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Command Line: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
msiexec.exe, PID: 2952, Parent PID: 2784
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe "261"
svchost.exe, PID: 2928, Parent PID: 460
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\System32\svchost.exe -k WerSvcGroup
WerFault.exe, PID: 2680, Parent PID: 2928
Full Path: C:\Windows\sysnative\WerFault.exe
Command Line: C:\Windows\system32\WerFault.exe -u -p 2952 -s 916

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 153.148.83.172 Japan

TCP

Source Source Port Destination Destination Port
192.168.35.21 49209 153.148.83.172 news.singmicrosoft.ga 443

UDP

Source Source Port Destination Destination Port
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
news.singmicrosoft.ga CNAME sinkhole.dynu.net; A 153.148.83.172; CNAME a.sinkhole.yourtrap.com

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name MSVCR110.dat
Associated Filenames
C:\Users\user\AppData\Local\Temp\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
File Size 38499 bytes
File Type Applesoft BASIC program data
MD5 44d4f0785f7b95ba308bf9154cd03e2c
SHA1 86b621a0bfc07e68cc36dbf169a139753804738e
SHA256 2201c3ac955148a078d366dc1e9f552fca4a872756d3b6da93494cde8d5decd5
CRC32 C1DD715E
Ssdeep 768:6rG+PUoqam8Ho5sGqL1W+WbJe2fhiK/eMxykRPRw1:WGf56o5sZLA3xiK/e8yk8
ClamAV None
Yara None matched
CAPE Yara None matched
File name adobe.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
File Size 53448 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b31f492db30ff846c45e79ca269912dd
SHA1 bb328a9ce7db3895633d59a7ad390ce7f557f2f9
SHA256 36d76999e9090c99fae2388cd3476134464807fc597f67c60eebc76e32339683
CRC32 C13CBBF7
Ssdeep 1536:6wSmRm9OYTDgDQe2lrtEbstgNXt8GAlrmw:6Nw0Y92CstYXt8GAlrt
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSVCR110.dll
Associated Filenames
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
File Size 9728 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 79bef92272c7d1c6236a03c26a0804cc
SHA1 a72a4db4188b49942b442379e1b4f30049d2d2f7
SHA256 d784a12fec628860433c28caa353bb52923f39d072437393629039fa4b2ec8ad
CRC32 EB447848
Ssdeep 192:y14sMryjQUic5kslkhivLqcnlo2+9r3X+EqoIoOLXi/sW6Hr6j:y+1UiK2Ezqc+/9TuVoOTikrO
ClamAV None
Yara None matched
CAPE Yara None matched
File name a.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\a.bat
File Size 115 bytes
File Type ASCII text
MD5 f2ba6abea9c1a8e945b1cbebd908c1f8
SHA1 e60df096d0e7433119595d9a143a0acbb032ea9a
SHA256 087838fa6648a398e50a5fed5ade987c4e8f19ab75dcc9fe361f97f6b2a6aeaa
CRC32 CBFC43E3
Ssdeep 3:mRv9NcpkVkE2J5xAIcAAMZ4MDcpkVkE2J5xAIcAqfKSRn:mRlNOk/23f+G4cOk/23fUlR
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
:Repeat
del C:\Users\user\AppData\Local\Temp\exe.bin
if exist C:\Users\user\AppData\Local\Temp\exe.bin goto Repeat
File name exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\exe
File Size 13822 bytes
File Type Microsoft Word 2007+
MD5 70ed4d802f2eb6b22b7a482df7dd722d
SHA1 537a7653c2a48c077b42d7a1b42082d9f262fd8d
SHA256 b4e630fc970052653436fc447cdc9354f7920e691642276c1d7c3e7f593b164f
CRC32 ED64A5A8
Ssdeep 192:IPmxCqWpvvD3zu92UesLgpg45bv/0CEjO3qcf0ztxQMYgL0J4IoCy1Zr3GuuIkG0:IwfWp3DS2U1LgWIsQkw34miZrG2jm
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSVCR110.dll
Associated Filenames
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 40960 bytes
Virtual Address 0x001A0000
Process adobe.exe
PID 2280
Path C:\Users\user\AppData\Local\Temp\adobe.exe
MD5 354c4b46824cbe449204dcb4c77d0b89
SHA1 b676dbe7d3df6b6f44a12fdfd92607d749ba004a
SHA256 4d1c800f31967294e8cd7af0ca36b6a94cb77a46db2cac6df71e5add8489b241
CRC32 CD7C1096
Ssdeep 384:1rTVEiGC6c7y4CokaVq7uE8OPV4+G9wcw/8tici:1rTVEiGC+4KaVgCOmj9wcwAi3
Yara
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x001B0000
Process adobe.exe
PID 2280
Path C:\Users\user\AppData\Local\Temp\adobe.exe
MD5 4792f1e53d357309f82a859b71d4cdb4
SHA1 bbfe97d6b787bd18732c6ae083cc7c61e1eebe6f
SHA256 350219bd2e613040191ae8016f147895f1a82f8cdd57b1ba435d31d307b94af7
CRC32 B2C6FC1F
Ssdeep 768:aDTiY3mF+MA+OFZtZYj9S7FYbymG2BY9rmji6:ayY3mF+5+hRAF0j
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x000C0000
Process eeclnt.exe
PID 1924
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 3f7e19fc807375583b2c0bd3238c7d76
SHA1 6e576455ce5b3713705b5feb4818875af2a8197f
SHA256 3be202fe5cbbca182c069fa494162a0e8ca1cfa52e436d3d23b8fe1bca82c37f
CRC32 25F693E6
Ssdeep 768:zxISjnA+/7+EmZtZTMzQV87GJJYWUKd7HK49rmji6:zXjnA+T+foYCDrj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Extracted Shellcode: 64-bit DLL
Size 1714688 bytes
Virtual Address 0x03CF0000
Process eeclnt.exe
PID 1924
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 ee77bce00183fd76b15b57261e162e47
SHA1 480c807ae89fa7af9c150faa56ceaf77d925c973
SHA256 c3dc10cb7dbb93df70e8b62e5d6bf79e7f33265c68112e6c908f4c5930a58605
CRC32 B744FC90
Ssdeep 24576:CVY5AwpYVmcl1dVO7KmInXAZFSh1/dfSfmuXpMZT2hOcX:CVYWySmclPjmInm8D/domuXETKX
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 419840 bytes
Virtual Address 0x003F0000
Process eeclnt.exe
PID 1924
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 be68a227a244c8bf4a1d82f2a3800a7e
SHA1 5f64a0134a6a0ff56e14dbd08494e0f1dd49c699
SHA256 3fdf8b491c1e8be658434169eba07caf44a88fef4feb6eab40ab2014d485d6fb
CRC32 E834A569
Ssdeep 12288:oRkJZdP6QeMOXrYinp3U/lfbtueEkgSdB83XXQ:+kJH6QCrYip3ObttgSdB83XXQ
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 77824 bytes
Virtual Address 0x00000000003D0000
Process msiexec.exe
PID 2056
Path C:\Windows\sysnative\msiexec.exe
MD5 61eaccaedd075c4da0acdf031163e64f
SHA1 092ce46c0da817592e450142a7c9137112154a96
SHA256 e69a55928f76e03287eb47edb2817db8a39642f6b0736ef1c2b7bf9377795b9b
CRC32 8AAD805C
Ssdeep 768:FLTwOYZ5tSzl70tYsOR0aibj+4weesw6GKjSji6:qEB0qX3jeDkj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
CAPE Yara None matched
Type Extracted Shellcode
Size 69632 bytes
Virtual Address 0x00130000
Process eeclnt.exe
PID 2784
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 9299d28977c1a8c12bf893961651ae59
SHA1 f615bbc260658d0a9062e3a1db1ab7fa199857b7
SHA256 887dccfb44643b5ca09a32440e5c2188ca65d07af9ab95faa819ed47585243dd
CRC32 5649D968
Ssdeep 768:SDLiqZ+t+kY+udZtZwrtyrNY7augb+10b9rmji6:S6A+t+Z+hpgNgj
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 4.561 seconds )

  • 2.649 CAPE
  • 1.02 BehaviorAnalysis
  • 0.31 Dropped
  • 0.182 Static
  • 0.16 TargetInfo
  • 0.119 Deduplicate
  • 0.092 TrID
  • 0.014 Strings
  • 0.008 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Debug

Signatures ( 0.904 seconds )

  • 0.487 antidbg_windows
  • 0.038 NewtWire Behavior
  • 0.037 decoy_document
  • 0.036 api_spamming
  • 0.036 antiav_detectreg
  • 0.027 antivm_vbox_window
  • 0.021 antisandbox_script_timer
  • 0.014 stealth_file
  • 0.014 infostealer_ftp
  • 0.01 antivm_generic_disk
  • 0.009 ransomware_files
  • 0.008 mimics_filetime
  • 0.008 infostealer_im
  • 0.007 virus
  • 0.007 antianalysis_detectreg
  • 0.006 bootkit
  • 0.006 Doppelganging
  • 0.006 antiemu_wine_func
  • 0.006 antivm_generic_scsi
  • 0.006 reads_self
  • 0.006 dynamic_function_loading
  • 0.006 infostealer_mail
  • 0.005 malicious_dynamic_function_loading
  • 0.005 injection_createremotethread
  • 0.005 InjectionCreateRemoteThread
  • 0.005 kovter_behavior
  • 0.005 hancitor_behavior
  • 0.004 infostealer_browser_password
  • 0.004 antiav_detectfile
  • 0.004 ransomware_extensions
  • 0.003 InjectionInterProcess
  • 0.003 exploit_getbasekerneladdress
  • 0.003 antivm_generic_services
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_bitcoin
  • 0.002 injection_runpe
  • 0.002 recon_programs
  • 0.002 betabot_behavior
  • 0.002 exploit_gethaldispatchtable
  • 0.002 InjectionProcessHollowing
  • 0.002 kibex_behavior
  • 0.002 shifu_behavior
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 antivm_xen_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.002 recon_fingerprint
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 antivm_vbox_libs
  • 0.001 antidebug_guardpages
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 exploit_heapspray
  • 0.001 stack_pivot
  • 0.001 antisandbox_sleep
  • 0.001 vawtrak_behavior
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 ketrican_regkeys
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway

Reporting ( 0.007 seconds )

  • 0.007 CompressResults
Task ID 131456
Mongo ID 5e79a7ff0986a12c9f6d5c1f
Cuckoo release 1.3-CAPE