Analysis

Category: FILE
Package: Injection
Started: 2020-03-24 06:22:01
Completed: 2020-03-24 06:25:55
Duration: 234 seconds
route = internet
procdump = 0
2020-03-24 06:22:05,000 [root] INFO: Date set to: 03-24-20, time set to: 06:22:05, timeout set to: 200
2020-03-24 06:22:05,046 [root] DEBUG: Starting analyzer from: C:\pswbiilyh
2020-03-24 06:22:05,046 [root] DEBUG: Storing results at: C:\UCeCGolEiK
2020-03-24 06:22:05,046 [root] DEBUG: Pipe server name: \\.\PIPE\LhhfyD
2020-03-24 06:22:05,046 [root] INFO: Analysis package "Injection" has been specified.
2020-03-24 06:22:06,887 [root] DEBUG: Started auxiliary module Browser
2020-03-24 06:22:06,887 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 06:22:06,887 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 06:22:08,431 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 06:22:08,431 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 06:22:08,431 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 06:22:08,431 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 06:22:08,447 [root] DEBUG: Started auxiliary module Human
2020-03-24 06:22:08,447 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 06:22:08,447 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 06:22:08,447 [root] DEBUG: Started auxiliary module Usage
2020-03-24 06:22:08,447 [root] INFO: Analyzer: DLL set to Injection.dll from package modules.packages.Injection
2020-03-24 06:22:08,447 [root] INFO: Analyzer: DLL_64 set to Injection_x64.dll from package modules.packages.Injection
2020-03-24 06:22:08,493 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\exe.bin" with arguments "" with pid 320
2020-03-24 06:22:08,493 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:08,493 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:08,525 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:08,525 [root] DEBUG: Loader: Injecting process 320 (thread 1936) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:08,525 [root] DEBUG: Process image base: 0x00FD0000
2020-03-24 06:22:08,525 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:08,540 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:08,540 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:08,540 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 320
2020-03-24 06:22:10,552 [lib.api.process] INFO: Successfully resumed process with pid 320
2020-03-24 06:22:10,552 [root] INFO: Added new process to list with pid: 320
2020-03-24 06:22:10,740 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:10,740 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:10,927 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:10,927 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:10,943 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:10,943 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:10,973 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:10,973 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 320 at 0x74b50000, image base 0xfd0000, stack from 0x3d6000-0x3e0000
2020-03-24 06:22:10,990 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\exe.bin".
2020-03-24 06:22:10,990 [root] INFO: Monitor successfully loaded in process with pid 320.
2020-03-24 06:22:11,052 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 amd local view 0x03A10000 to global list ().
2020-03-24 06:22:11,145 [root] DEBUG: DLL loaded at 0x74A50000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 06:22:11,145 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:11,145 [root] DEBUG: DLL loaded at 0x748B0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 06:22:11,161 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 06:22:11,207 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 06:22:11,223 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 06:22:11,286 [root] DEBUG: DLL loaded at 0x748A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 06:22:11,411 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 06:22:11,411 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 06:22:11,411 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 06:22:11,427 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:11,441 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:11,723 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:11,832 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 06:22:11,894 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:11,957 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:12,051 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:12,051 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:12,285 [root] INFO: Announced 32-bit process name: adobe.exe pid: 1060
2020-03-24 06:22:12,285 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,285 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:12,299 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:12,299 [root] DEBUG: Loader: Injecting process 1060 (thread 1536) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,299 [root] DEBUG: Process image base: 0x001E0000
2020-03-24 06:22:12,299 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,299 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:12,315 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,315 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1060
2020-03-24 06:22:12,346 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1060, ImageBase: 0x001E0000
2020-03-24 06:22:12,346 [root] INFO: Announced 32-bit process name: adobe.exe pid: 1060
2020-03-24 06:22:12,346 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,346 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:12,362 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:12,362 [root] DEBUG: Loader: Injecting process 1060 (thread 1536) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,362 [root] DEBUG: Process image base: 0x001E0000
2020-03-24 06:22:12,362 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,362 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:12,362 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,378 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1060
2020-03-24 06:22:12,378 [root] DEBUG: DLL unloaded from 0x760D0000.
2020-03-24 06:22:12,394 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:12,394 [root] DEBUG: DLL unloaded from 0x74840000.
2020-03-24 06:22:12,410 [root] DEBUG: DLL unloaded from 0x74A50000.
2020-03-24 06:22:12,410 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:12,410 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:12,410 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:12,440 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:12,440 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 1060 at 0x74b50000, image base 0x1e0000, stack from 0x416000-0x420000
2020-03-24 06:22:12,440 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\adobe.exe".
2020-03-24 06:22:12,440 [root] INFO: Added new process to list with pid: 1060
2020-03-24 06:22:12,440 [root] INFO: Monitor successfully loaded in process with pid 1060.
2020-03-24 06:22:12,440 [root] DEBUG: set_caller_info: Adding region at 0x000B0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:12,471 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 320, handle 0x224.
2020-03-24 06:22:12,471 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:22:12,471 [root] DEBUG: DLL loaded at 0x74860000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:12,471 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:12,471 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:22:12,487 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x00400000 to global list (\Sessions\1\BaseNamedObjects\windows_shell_global_counters).
2020-03-24 06:22:12,487 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:12,487 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:12,487 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:12,487 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:12,519 [root] DEBUG: DLL loaded at 0x76090000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:22:12,533 [root] DEBUG: DLL loaded at 0x77830000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:22:12,533 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:22:12,533 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:22:12,533 [root] DEBUG: set_caller_info: Adding region at 0x00170000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:22:12,549 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x110 amd local view 0x001D0000 to global list ().
2020-03-24 06:22:12,549 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1676, handle 0x114.
2020-03-24 06:22:12,549 [root] DEBUG: Error 5 (0x5) - OpenProcessHandler: Error obtaining target process name: Access is denied.
2020-03-24 06:22:12,549 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:12,549 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x120 amd local view 0x001D0000 to global list (\Sessions\1\BaseNamedObjects\windows_shell_global_counters).
2020-03-24 06:22:12,549 [root] DEBUG: DLL unloaded from 0x74860000.
2020-03-24 06:22:12,565 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x128 amd local view 0x03B00000 to global list ().
2020-03-24 06:22:12,565 [root] DEBUG: DLL unloaded from 0x74A50000.
2020-03-24 06:22:12,565 [root] DEBUG: DLL loaded at 0x748B0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 06:22:12,581 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:12,581 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x130 amd local view 0x002F0000 to global list ().
2020-03-24 06:22:12,581 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:12,581 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x138 amd local view 0x002F0000 to global list ().
2020-03-24 06:22:12,596 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 06:22:12,596 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1676
2020-03-24 06:22:12,596 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:12,596 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,596 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:12,611 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:12,611 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:12,611 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:12,611 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:12,628 [root] DEBUG: Loader: Injecting process 1676 (thread 0) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:12,628 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1680, handle 0x84
2020-03-24 06:22:12,628 [root] DEBUG: Process image base: 0x00000000FF270000
2020-03-24 06:22:12,628 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 06:22:12,628 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 06:22:12,644 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:12,644 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:12,644 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:12,706 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1600
2020-03-24 06:22:12,706 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,706 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:12,721 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:12,721 [root] DEBUG: Loader: Injecting process 1600 (thread 1484) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,721 [root] DEBUG: Process image base: 0x4A630000
2020-03-24 06:22:12,721 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,721 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:12,721 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,736 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1600
2020-03-24 06:22:12,736 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\user\AppData\Local\Temp\a.bat" .
2020-03-24 06:22:12,736 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1600, ImageBase: 0x4A630000
2020-03-24 06:22:12,736 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1600
2020-03-24 06:22:12,736 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:12,736 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:12,753 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:12,753 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:12,753 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:12,753 [root] DEBUG: Loader: Injecting process 1600 (thread 1484) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,753 [root] DEBUG: Process image base: 0x4A630000
2020-03-24 06:22:12,753 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,753 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:12,767 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:12,767 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1600
2020-03-24 06:22:12,767 [root] DEBUG: DLL unloaded from 0x760D0000.
2020-03-24 06:22:12,783 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:12,783 [root] DEBUG: DLL unloaded from 0x74800000.
2020-03-24 06:22:12,799 [root] DEBUG: DLL unloaded from 0x74A50000.
2020-03-24 06:22:12,799 [root] DEBUG: DLL unloaded from 0x75D20000.
2020-03-24 06:22:12,799 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:12,815 [root] DEBUG: DLL unloaded from 0x74C10000.
2020-03-24 06:22:12,815 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:12,815 [root] INFO: Notified of termination of process with pid 320.
2020-03-24 06:22:12,831 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:12,878 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:12,892 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 1600 at 0x74b50000, image base 0x4a630000, stack from 0x193000-0x290000
2020-03-24 06:22:12,892 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd \c ""C:\Users\user\AppData\Local\Temp\a.bat" ".
2020-03-24 06:22:12,892 [root] INFO: Added new process to list with pid: 1600
2020-03-24 06:22:12,892 [root] INFO: Monitor successfully loaded in process with pid 1600.
2020-03-24 06:22:12,924 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 1676 at 0x0000000074720000, image base 0x00000000FF270000, stack from 0x00000000066F2000-0x0000000006700000
2020-03-24 06:22:12,940 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 06:22:12,940 [root] INFO: Added new process to list with pid: 1676
2020-03-24 06:22:12,940 [root] INFO: Monitor successfully loaded in process with pid 1676.
2020-03-24 06:22:12,956 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 06:22:12,956 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 06:22:12,956 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:12,970 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 06:22:12,970 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe2c amd local view 0x0000000002120000 to global list ().
2020-03-24 06:22:12,986 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 06:22:12,986 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 06:22:13,002 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1600, handle 0xc80.
2020-03-24 06:22:13,002 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 06:22:13,002 [root] DEBUG: DLL unloaded from 0x75D20000.
2020-03-24 06:22:13,017 [root] DEBUG: DLL loaded at 0x74620000: C:\Windows\system32\propsys (0xf5000 bytes).
2020-03-24 06:22:13,017 [root] DEBUG: OpenProcessHandler: Image base for process 1600 (handle 0xc80): 0x000000004A630000.
2020-03-24 06:22:13,017 [root] INFO: Notified of termination of process with pid 1600.
2020-03-24 06:22:13,033 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 06:22:13,127 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 06:22:13,142 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x188 amd local view 0x00420000 to global list (\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*cversions.1.ro).
2020-03-24 06:22:13,142 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:13,157 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x180 amd local view 0x00430000 to global list (\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db).
2020-03-24 06:22:13,190 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x178 amd local view 0x00450000 to global list (\BaseNamedObjects\windows_shell_global_counters).
2020-03-24 06:22:13,299 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b8 amd local view 0x00420000 to global list (\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro).
2020-03-24 06:22:13,299 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x01F80000 for section view with handle 0x180 (\Sessions\1\BaseNamedObjects\C:*Users*user*AppData*Local*Microsoft*Windows*Caches*{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db).
2020-03-24 06:22:13,299 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1b4 amd local view 0x00460000 to global list (\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro).
2020-03-24 06:22:13,313 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1bc amd local view 0x01FB0000 to global list (\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db).
2020-03-24 06:22:13,345 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c0 amd local view 0x00470000 to global list ().
2020-03-24 06:22:13,345 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1c4 amd local view 0x00470000 to global list ().
2020-03-24 06:22:13,361 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd98 amd local view 0x0000000002120000 to global list ().
2020-03-24 06:22:13,563 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d8 amd local view 0x00470000 to global list ().
2020-03-24 06:22:13,563 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1dc amd local view 0x00470000 to global list ().
2020-03-24 06:22:13,657 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc04 amd local view 0x0000000002120000 to global list ().
2020-03-24 06:22:13,673 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1d0 amd local view 0x00470000 to global list ().
2020-03-24 06:22:13,688 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 06:22:13,688 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x1f8 amd local view 0x00470000 to global list ().
2020-03-24 06:22:13,703 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 06:22:13,703 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 06:22:13,750 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x208 amd local view 0x00600000 to global list ().
2020-03-24 06:22:13,766 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x20c amd local view 0x00600000 to global list ().
2020-03-24 06:22:13,782 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x218 amd local view 0x00600000 to global list ().
2020-03-24 06:22:13,782 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x21c amd local view 0x00600000 to global list ().
2020-03-24 06:22:13,828 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-03-24 06:22:13,907 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x220 amd local view 0x00600000 to global list ().
2020-03-24 06:22:14,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00600000 for section view with handle 0x1d0 ().
2020-03-24 06:22:14,937 [root] DEBUG: DLL unloaded from 0x74B30000.
2020-03-24 06:22:14,937 [root] DEBUG: DLL unloaded from 0x74620000.
2020-03-24 06:22:14,983 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00600000 for section view with handle 0x130 ().
2020-03-24 06:22:14,983 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x204 amd local view 0x00600000 to global list ().
2020-03-24 06:22:17,105 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x13c amd local view 0x00600000 to global list ().
2020-03-24 06:22:17,121 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\mssprxy (0xc000 bytes).
2020-03-24 06:22:17,121 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:17,135 [root] DEBUG: DLL unloaded from 0x74B20000.
2020-03-24 06:22:17,151 [root] DEBUG: DLL unloaded from 0x74620000.
2020-03-24 06:22:17,183 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:17,713 [root] DEBUG: DLL loaded at 0x741A0000: C:\Windows\system32\wpdshext (0x238000 bytes).
2020-03-24 06:22:17,822 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\WINMM (0x32000 bytes).
2020-03-24 06:22:17,915 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus (0x190000 bytes).
2020-03-24 06:22:18,056 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 06:22:18,181 [root] DEBUG: DLL loaded at 0x734E0000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2020-03-24 06:22:18,290 [root] DEBUG: DLL loaded at 0x74A60000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2020-03-24 06:22:18,447 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 06:22:18,493 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2716
2020-03-24 06:22:18,509 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:18,509 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:18,525 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:18,525 [root] DEBUG: Loader: Injecting process 2716 (thread 2720) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:18,539 [root] DEBUG: Process image base: 0x008F0000
2020-03-24 06:22:18,539 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:18,539 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:18,555 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:18,555 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2716
2020-03-24 06:22:18,602 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2716, ImageBase: 0x008F0000
2020-03-24 06:22:18,602 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2716
2020-03-24 06:22:18,602 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:18,602 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:18,634 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:18,634 [root] DEBUG: Loader: Injecting process 2716 (thread 2720) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:18,634 [root] DEBUG: Process image base: 0x008F0000
2020-03-24 06:22:18,650 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:18,650 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:18,650 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:18,664 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2716
2020-03-24 06:22:18,664 [root] DEBUG: DLL unloaded from 0x741A0000.
2020-03-24 06:22:18,680 [root] DEBUG: DLL unloaded from 0x760D0000.
2020-03-24 06:22:18,680 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:18,696 [root] DEBUG: DLL unloaded from 0x734E0000.
2020-03-24 06:22:18,696 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:18,696 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:18,711 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:18,727 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2716 at 0x74b50000, image base 0x8f0000, stack from 0x3e6000-0x3f0000
2020-03-24 06:22:18,727 [root] DEBUG: DLL unloaded from 0x77230000.
2020-03-24 06:22:18,727 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258.
2020-03-24 06:22:18,743 [root] INFO: Added new process to list with pid: 2716
2020-03-24 06:22:18,743 [root] INFO: Monitor successfully loaded in process with pid 2716.
2020-03-24 06:22:18,743 [root] DEBUG: set_caller_info: Adding region at 0x000A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:18,789 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:22:18,789 [root] DEBUG: DLL unloaded from 0x76430000.
2020-03-24 06:22:18,805 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:18,805 [root] DEBUG: DLL unloaded from 0x74AA0000.
2020-03-24 06:22:18,805 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:22:18,805 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:18,821 [root] DEBUG: DLL unloaded from 0x74620000.
2020-03-24 06:22:18,821 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:18,836 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:18,836 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:18,836 [root] DEBUG: DLL loaded at 0x76090000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:22:18,851 [root] DEBUG: DLL loaded at 0x77830000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:22:18,851 [root] DEBUG: DLL loaded at 0x74840000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:22:18,851 [root] DEBUG: DLL unloaded from 0x75D20000.
2020-03-24 06:22:18,868 [root] DEBUG: DLL loaded at 0x74830000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:22:18,868 [root] DEBUG: DLL unloaded from 0x74C10000.
2020-03-24 06:22:18,868 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:22:18,868 [root] INFO: Notified of termination of process with pid 1060.
2020-03-24 06:22:18,961 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2960
2020-03-24 06:22:18,976 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:18,976 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:18,993 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:18,993 [root] DEBUG: Loader: Injecting process 2960 (thread 2964) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,007 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:19,007 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,039 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:19,039 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,055 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2960
2020-03-24 06:22:19,055 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:19,071 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\msiexec.exe "259".
2020-03-24 06:22:19,085 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2960, ImageBase: 0xFF6B0000
2020-03-24 06:22:19,085 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2960
2020-03-24 06:22:19,101 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:19,101 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:19,118 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:19,118 [root] DEBUG: Loader: Injecting process 2960 (thread 2964) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,132 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:19,132 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,132 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:19,148 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,148 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2960
2020-03-24 06:22:19,226 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x120 amd local view 0x03F30000 to global list ().
2020-03-24 06:22:19,305 [root] DEBUG: WriteMemoryHandler: shellcode at 0x003EED88 (size 0x60) injected into process 2960.
2020-03-24 06:22:19,305 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UCeCGolEiK\CAPE\2716_193376182419421024232020
2020-03-24 06:22:19,335 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\2716_193376182419421024232020
2020-03-24 06:22:19,335 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-03-24 06:22:19,351 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2960
2020-03-24 06:22:19,351 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:19,351 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:19,367 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:19,382 [root] DEBUG: Loader: Injecting process 2960 (thread 0) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,398 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2964, handle 0x84
2020-03-24 06:22:19,398 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:19,414 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,414 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:19,414 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,430 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2960
2020-03-24 06:22:19,430 [root] DEBUG: WriteMemoryHandler: shellcode at 0x007E8E60 (size 0x4e05) injected into process 2960.
2020-03-24 06:22:19,444 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UCeCGolEiK\CAPE\2716_56953955619421024232020
2020-03-24 06:22:19,476 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\2716_56953955619421024232020
2020-03-24 06:22:19,476 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-03-24 06:22:19,476 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2960
2020-03-24 06:22:19,492 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:19,492 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:19,507 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:19,523 [root] DEBUG: Loader: Injecting process 2960 (thread 0) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,523 [root] DEBUG: Error 299 (0x12b) - GetProcessInitialThreadId: Failed to read from process: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
2020-03-24 06:22:19,539 [root] DEBUG: InjectDll: No thread ID supplied, GetProcessInitialThreadId failed (SessionId=1).
2020-03-24 06:22:19,539 [root] DEBUG: Failed to inject DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:19,539 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 2960, error: -15
2020-03-24 06:22:19,553 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2960, image base 0xFF6B0000.
2020-03-24 06:22:19,553 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0xFF6B0000.
2020-03-24 06:22:19,569 [root] DEBUG: DumpProcess: Module entry point VA is 0x000170C0.
2020-03-24 06:22:19,648 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\2716_213069758519421024232020
2020-03-24 06:22:19,648 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1ec00.
2020-03-24 06:22:19,648 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 06:22:19,664 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2960.
2020-03-24 06:22:19,664 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2960.
2020-03-24 06:22:19,678 [root] DEBUG: DLL unloaded from 0x75D20000.
2020-03-24 06:22:19,694 [root] INFO: Notified of termination of process with pid 2716.
2020-03-24 06:22:20,006 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:20,006 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:20,022 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:20,053 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:20,069 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:20,085 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:20,085 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 2960 at 0x0000000074720000, image base 0x00000000FF6B0000, stack from 0x0000000000295000-0x00000000002A0000
2020-03-24 06:22:20,099 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe "259".
2020-03-24 06:22:20,115 [root] INFO: Added new process to list with pid: 2960
2020-03-24 06:22:20,115 [root] INFO: Monitor successfully loaded in process with pid 2960.
2020-03-24 06:22:20,288 [root] DEBUG: set_caller_info: Adding region at 0x0000000000080000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:20,302 [root] DEBUG: set_caller_info: Adding region at 0x0000000003430000 to caller regions list (ntdll::RtlDecompressBuffer).
2020-03-24 06:22:20,302 [root] DEBUG: set_caller_info: Adding region at 0x00000000001F0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:22:20,349 [root] DEBUG: DLL loaded at 0x000007FEFDF80000: C:\Windows\system32\WININET (0x12a000 bytes).
2020-03-24 06:22:20,365 [root] DEBUG: DLL loaded at 0x000007FEFE720000: C:\Windows\system32\urlmon (0x178000 bytes).
2020-03-24 06:22:20,365 [root] DEBUG: DLL loaded at 0x000007FEFE4E0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 06:22:20,381 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 06:22:20,381 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 06:22:20,397 [root] DEBUG: DLL loaded at 0x000007FEFD9F0000: C:\Windows\system32\iertutil (0x259000 bytes).
2020-03-24 06:22:20,740 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 06:22:20,756 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 06:22:20,802 [root] DEBUG: DLL loaded at 0x000007FEFB440000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 06:22:20,818 [root] DEBUG: DLL loaded at 0x000007FEFB400000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 06:22:20,865 [root] DEBUG: set_caller_info: Adding region at 0x00000000000E0000 to caller regions list (kernel32::SetErrorMode).
2020-03-24 06:22:20,880 [root] DEBUG: set_caller_info: Adding region at 0x0000000000220000 to caller regions list (ntdll::NtCreateFile).
2020-03-24 06:22:20,911 [root] DEBUG: DLL unloaded from 0x000007FEFE5F0000.
2020-03-24 06:22:21,098 [root] INFO: Announced starting service "WanServer"
2020-03-24 06:22:21,114 [root] INFO: Attaching to Service Control Manager (services.exe - pid 464)
2020-03-24 06:22:21,130 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:21,130 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:21,161 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:21,161 [root] DEBUG: Loader: Injecting process 464 (thread 0) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:21,177 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 1988, handle 0x84
2020-03-24 06:22:21,177 [root] DEBUG: Process image base: 0x00000000FFAB0000
2020-03-24 06:22:21,191 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 06:22:21,191 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 06:22:21,207 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:21,223 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:21,223 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:21,255 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:21,269 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:21,269 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 464 at 0x0000000074720000, image base 0x00000000FFAB0000, stack from 0x0000000002B36000-0x0000000002B40000
2020-03-24 06:22:21,286 [root] DEBUG: Commandline: C:\Windows\sysnative\services.exe.
2020-03-24 06:22:21,286 [root] INFO: Added new process to list with pid: 464
2020-03-24 06:22:21,302 [root] INFO: Monitor successfully loaded in process with pid 464.
2020-03-24 06:22:21,302 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 06:22:21,316 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 06:22:21,332 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:22,394 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2436
2020-03-24 06:22:22,408 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:22,408 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:22,440 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:22,456 [root] DEBUG: Loader: Injecting process 2436 (thread 2440) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:22,456 [root] DEBUG: Process image base: 0x01230000
2020-03-24 06:22:22,471 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:22,471 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:22,486 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:22,486 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2436
2020-03-24 06:22:22,503 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260".
2020-03-24 06:22:22,517 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2436, ImageBase: 0x0000000001230000
2020-03-24 06:22:22,517 [root] INFO: Announced 32-bit process name: eeclnt.exe pid: 2436
2020-03-24 06:22:22,533 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:22,549 [lib.api.process] INFO: 32-bit DLL to inject is C:\pswbiilyh\dll\MCNOgcl.dll, loader C:\pswbiilyh\bin\mVLFdcw.exe
2020-03-24 06:22:22,565 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:22,581 [root] DEBUG: Loader: Injecting process 2436 (thread 2440) with C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:22,581 [root] DEBUG: Process image base: 0x01230000
2020-03-24 06:22:22,595 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:22,595 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:22,611 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\MCNOgcl.dll.
2020-03-24 06:22:22,611 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2436
2020-03-24 06:22:22,628 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2436, image base 0x0000000001230000.
2020-03-24 06:22:22,628 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000001230000.
2020-03-24 06:22:22,642 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000007B54.
2020-03-24 06:22:22,674 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\464_80515683722421024232020
2020-03-24 06:22:22,690 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x9e00.
2020-03-24 06:22:22,706 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 06:22:22,706 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2436.
2020-03-24 06:22:22,720 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2436.
2020-03-24 06:22:22,736 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:22,752 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:22,767 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:22,783 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:22,799 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2436 at 0x74a90000, image base 0x1230000, stack from 0x186000-0x190000
2020-03-24 06:22:22,799 [root] DEBUG: Commandline: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260".
2020-03-24 06:22:22,815 [root] INFO: Added new process to list with pid: 2436
2020-03-24 06:22:22,815 [root] INFO: Monitor successfully loaded in process with pid 2436.
2020-03-24 06:22:22,829 [root] DEBUG: set_caller_info: Adding region at 0x001A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:22,845 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 06:22:22,845 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 06:22:22,861 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 06:22:22,877 [root] DEBUG: DLL loaded at 0x75FF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 06:22:22,877 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 06:22:22,892 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 06:22:22,892 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 06:22:22,907 [root] DEBUG: DLL loaded at 0x76090000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2020-03-24 06:22:22,924 [root] DEBUG: DLL loaded at 0x77830000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-03-24 06:22:22,924 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-03-24 06:22:22,940 [root] DEBUG: DLL loaded at 0x74BD0000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-03-24 06:22:22,940 [root] DEBUG: set_caller_info: Adding region at 0x002A0000 to caller regions list (advapi32::LookupPrivilegeValueW).
2020-03-24 06:22:22,954 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2712
2020-03-24 06:22:22,970 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:22,970 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:23,002 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:23,002 [root] DEBUG: Loader: Injecting process 2712 (thread 2744) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,017 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:23,017 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,032 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:22:23,032 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,049 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2712
2020-03-24 06:22:23,049 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 06:22:23,063 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\msiexec.exe "261".
2020-03-24 06:22:23,079 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2712, ImageBase: 0xFF6B0000
2020-03-24 06:22:23,079 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2712
2020-03-24 06:22:23,095 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,095 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:23,127 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:23,127 [root] DEBUG: Loader: Injecting process 2712 (thread 2744) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,188 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:23,204 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,204 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:23,220 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,220 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2712
2020-03-24 06:22:23,252 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x134 amd local view 0x02C10000 to global list ().
2020-03-24 06:22:23,282 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0018EE20 (size 0x60) injected into process 2712.
2020-03-24 06:22:23,298 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UCeCGolEiK\CAPE\2436_50863569823421024232020
2020-03-24 06:22:23,361 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\2436_50863569823421024232020
2020-03-24 06:22:23,361 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-03-24 06:22:23,375 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2712
2020-03-24 06:22:23,391 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,391 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:23,423 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:23,423 [root] DEBUG: Loader: Injecting process 2712 (thread 0) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,438 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2744, handle 0x84
2020-03-24 06:22:23,438 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:23,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,453 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:23,470 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,470 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2712
2020-03-24 06:22:23,486 [root] DEBUG: WriteMemoryHandler: shellcode at 0x00449288 (size 0x4e05) injected into process 2712.
2020-03-24 06:22:23,486 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\UCeCGolEiK\CAPE\2436_24903741823421024232020
2020-03-24 06:22:23,532 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\2436_24903741823421024232020
2020-03-24 06:22:23,548 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-03-24 06:22:23,548 [root] INFO: Announced 64-bit process name: msiexec.exe pid: 2712
2020-03-24 06:22:23,563 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 06:22:23,563 [lib.api.process] INFO: 64-bit DLL to inject is C:\pswbiilyh\dll\UfmceBw.dll, loader C:\pswbiilyh\bin\zdDBVpKD.exe
2020-03-24 06:22:23,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\LhhfyD.
2020-03-24 06:22:23,595 [root] DEBUG: Loader: Injecting process 2712 (thread 0) with C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,595 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 2744, handle 0x84
2020-03-24 06:22:23,609 [root] DEBUG: Process image base: 0x00000000FF6B0000
2020-03-24 06:22:23,609 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,625 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 06:22:23,625 [root] DEBUG: Successfully injected DLL C:\pswbiilyh\dll\UfmceBw.dll.
2020-03-24 06:22:23,641 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2712
2020-03-24 06:22:23,641 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2712, image base 0xFF6B0000.
2020-03-24 06:22:23,657 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0xFF6B0000.
2020-03-24 06:22:23,657 [root] DEBUG: DumpProcess: Module entry point VA is 0x000170C0.
2020-03-24 06:22:23,720 [root] INFO: Added new CAPE file to list with path: C:\UCeCGolEiK\CAPE\2436_136712698923421024232020
2020-03-24 06:22:23,720 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1ec00.
2020-03-24 06:22:23,734 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 06:22:23,734 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2712.
2020-03-24 06:22:23,750 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2712.
2020-03-24 06:22:23,750 [root] DEBUG: DLL unloaded from 0x75D20000.
2020-03-24 06:22:23,766 [root] INFO: Notified of termination of process with pid 2436.
2020-03-24 06:22:23,782 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:22:23,782 [root] DEBUG: Process dumps disabled.
2020-03-24 06:22:23,798 [root] DEBUG: DLL unloaded from 0x000007FEFE5C0000.
2020-03-24 06:22:23,798 [root] INFO: Disabling sleep skipping.
2020-03-24 06:22:23,828 [root] WARNING: Unable to place hook on LockResource
2020-03-24 06:22:23,844 [root] INFO: Notified of termination of process with pid 2960.
2020-03-24 06:22:23,844 [root] WARNING: Unable to hook LockResource
2020-03-24 06:22:23,859 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:22:23,875 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 2712 at 0x0000000074720000, image base 0x00000000FF6B0000, stack from 0x00000000000A5000-0x00000000000B0000
2020-03-24 06:22:23,875 [root] DEBUG: Commandline: C:\Windows\sysnative\msiexec.exe "261".
2020-03-24 06:22:23,891 [root] INFO: Added new process to list with pid: 2712
2020-03-24 06:22:23,891 [root] INFO: Monitor successfully loaded in process with pid 2712.
2020-03-24 06:22:23,907 [root] DEBUG: set_caller_info: Adding region at 0x0000000000100000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:23,921 [root] DEBUG: set_caller_info: Adding region at 0x0000000000030000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 06:22:23,921 [root] DEBUG: set_caller_info: Adding region at 0x0000000000490000 to caller regions list (ntdll::RtlDecompressBuffer).
2020-03-24 06:22:23,937 [root] DEBUG: set_caller_info: Adding region at 0x0000000000270000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 06:22:23,953 [root] DEBUG: DLL loaded at 0x000007FEFDF80000: C:\Windows\system32\WININET (0x12a000 bytes).
2020-03-24 06:22:23,969 [root] DEBUG: DLL loaded at 0x000007FEFE720000: C:\Windows\system32\urlmon (0x178000 bytes).
2020-03-24 06:22:23,984 [root] DEBUG: DLL loaded at 0x000007FEFE4E0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 06:22:24,000 [root] DEBUG: DLL loaded at 0x000007FEFD760000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 06:22:24,016 [root] DEBUG: DLL loaded at 0x000007FEFD670000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 06:22:24,016 [root] DEBUG: DLL loaded at 0x000007FEFD9F0000: C:\Windows\system32\iertutil (0x259000 bytes).
2020-03-24 06:22:24,062 [root] DEBUG: DLL loaded at 0x000007FEFD9A0000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 06:22:24,078 [root] DEBUG: DLL loaded at 0x000007FEFDF70000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 06:22:24,078 [root] DEBUG: DLL loaded at 0x000007FEFB440000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 06:22:24,094 [root] DEBUG: DLL loaded at 0x000007FEFB400000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 06:22:24,109 [root] DEBUG: set_caller_info: Adding region at 0x0000000000290000 to caller regions list (kernel32::SetErrorMode).
2020-03-24 06:22:24,125 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x150 amd local view 0x0000000002320000 to global list ().
2020-03-24 06:22:24,155 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x15c amd local view 0x00000000004E0000 to global list ().
2020-03-24 06:22:24,171 [root] DEBUG: DLL loaded at 0x000007FEFD4C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 06:22:24,187 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1676, handle 0x164.
2020-03-24 06:22:24,203 [root] DEBUG: OpenProcessHandler: Image base for process 1676 (handle 0x164): 0x00000000FF270000.
2020-03-24 06:22:24,203 [root] DEBUG: DLL loaded at 0x000007FEFC070000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32 (0x1f4000 bytes).
2020-03-24 06:22:24,375 [root] DEBUG: DLL loaded at 0x000007FEFC700000: C:\Windows\system32\ntmarta (0x2d000 bytes).
2020-03-24 06:22:24,390 [root] DEBUG: DLL loaded at 0x000007FEFE3B0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 06:22:24,421 [root] DEBUG: DLL loaded at 0x000007FEFCC80000: C:\Windows\system32\dnsapi (0x5b000 bytes).
2020-03-24 06:22:24,437 [root] DEBUG: set_caller_info: Adding region at 0x0000000001190000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 06:22:24,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FEBDA30000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 06:22:24,749 [root] INFO: Process with pid 2712 has terminated
2020-03-24 06:25:31,325 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 06:25:31,325 [root] INFO: Created shutdown mutex.
2020-03-24 06:25:32,338 [lib.api.process] INFO: Terminate event set for process 1676
2020-03-24 06:25:32,338 [lib.api.process] INFO: Termination confirmed for process 1676
2020-03-24 06:25:32,338 [root] INFO: Terminate event set for process 1676.
2020-03-24 06:25:32,338 [root] INFO: Terminating process 1676 before shutdown.
2020-03-24 06:25:32,338 [root] INFO: Waiting for process 1676 to exit.
2020-03-24 06:25:33,352 [root] INFO: Waiting for process 1676 to exit.
2020-03-24 06:25:34,367 [root] INFO: Waiting for process 1676 to exit.
2020-03-24 06:25:35,381 [root] INFO: Waiting for process 1676 to exit.
2020-03-24 06:25:36,394 [lib.api.process] INFO: Successfully terminated process with pid 1676.
2020-03-24 06:25:36,394 [root] INFO: Waiting for process 1676 to exit.
2020-03-24 06:25:37,408 [root] INFO: Shutting down package.
2020-03-24 06:25:37,408 [root] INFO: Stopping auxiliary modules.
2020-03-24 06:25:37,408 [root] INFO: Finishing auxiliary modules.
2020-03-24 06:25:37,408 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 06:25:37,408 [root] WARNING: File at path "C:\UCeCGolEiK\debugger" does not exist, skip.
2020-03-24 06:25:37,408 [root] INFO: Analysis completed.

MalScore 10.0 Malicious

Machine

Name Label Manager Started On Shutdown On
target-03 target-03 ESX 2020-03-24 06:22:02 2020-03-24 06:25:51

File Details

File Name exe.bin
File Size 226304 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 53c1fd5ac99b5690b278ffcc5a49a598
SHA1 656850fe87ead292ceb4844c9a003f9fac354ef6
SHA256 e9b12791e0ab3a952fa09afd29e5a1416abd917edf5c913af7573adf8ccc39b0
SHA512 ef39eb51ccb8959c9e3ad70e232bb9193dca7ccf43e3df251a7aa807594f34af1140f59a325c3ab02473b2063a9ea0cc3e8aa9692dfe7125b60183f3e2023847
CRC32 1F301AD2
Ssdeep 3072:DWnu5sNw0Y92CstYXt8GAlrs9K1OGof0IspA3Ame8yFyQj:639CAYXt8GKrsg1OGof0Rvmal
TrID
  • 41.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 36.3% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 8.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 5.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 2.6% (.EXE) OS/2 Executable (generic) (2029/13)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Possible date expiration check, exits too soon after checking local time
process: exe.bin, PID 320
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/OleInitialize
DynamicLoader: ole32.dll/OleUninitialize
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/FindActCtxSectionStringW
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/Wow64DisableWow64FsRedirection
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/Wow64RevertWow64FsRedirection
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CreateBindCtx
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoGetApartmentType
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/StringFromGUID2
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetEntriesInAclW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/IsTextUnicode
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: SHELL32.dll/
DynamicLoader: ADVAPI32.dll/OpenThreadToken
DynamicLoader: propsys.dll/PSLookupPropertyHandlerCLSID
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: propsys.dll/PSCreatePropertyStoreFromObject
DynamicLoader: propsys.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: propsys.dll/PropVariantToStringAlloc
DynamicLoader: ole32.dll/PropVariantClear
DynamicLoader: propsys.dll/PSCreateMemoryPropertyStore
DynamicLoader: propsys.dll/PropVariantToBuffer
DynamicLoader: propsys.dll/PropVariantToUInt64
DynamicLoader: propsys.dll/PropVariantToBoolean
DynamicLoader: SHELL32.dll/
DynamicLoader: propsys.dll/InitPropVariantFromBuffer
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/RtlDecompressBuffer
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/SetEnvironmentVariableW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/GetComputerNameA
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/VirtualAllocEx
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/VirtualFreeEx
DynamicLoader: kernel32.dll/VirtualQueryEx
DynamicLoader: kernel32.dll/ReadProcessMemory
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GetEnvironmentVariableW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/CryptHashData
DynamicLoader: ADVAPI32.dll/CryptDeriveKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptDestroyHash
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/InitializeSecurityDescriptor
DynamicLoader: ADVAPI32.dll/SetSecurityDescriptorDacl
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueA
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/RevertToSelf
DynamicLoader: ADVAPI32.dll/ImpersonateLoggedOnUser
DynamicLoader: ADVAPI32.dll/DeleteService
DynamicLoader: ADVAPI32.dll/ControlService
DynamicLoader: ADVAPI32.dll/QueryServiceStatus
DynamicLoader: ADVAPI32.dll/OpenSCManagerW
DynamicLoader: ADVAPI32.dll/CreateServiceW
DynamicLoader: ADVAPI32.dll/OpenServiceW
DynamicLoader: ADVAPI32.dll/CloseServiceHandle
DynamicLoader: ADVAPI32.dll/ChangeServiceConfig2W
DynamicLoader: ADVAPI32.dll/StartServiceW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/CreateProcessAsUserW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/CryptCreateHash
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/CommandLineToArgvW
DynamicLoader: SHELL32.dll/SHFileOperationW
DynamicLoader: SHELL32.dll/SHCreateDirectoryExW
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/HttpSendRequestA
DynamicLoader: WININET.dll/HttpAddRequestHeadersA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectA
DynamicLoader: WININET.dll/InternetSetOptionA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: WININET.dll/HttpOpenRequestA
DynamicLoader: WININET.dll/InternetSetOptionW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: IPHLPAPI.DLL/GetAdaptersInfo
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
Expresses interest in specific running processes
process: explorer.exe
A process created a hidden window
Process: exe.bin -> C:\Users\user\AppData\Local\Temp\adobe.exe
Process: adobe.exe -> C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
CAPE extracted potentially suspicious content
eeclnt.exe: Injected Shellcode/Data
eeclnt.exe: Injected Shellcode/Data
eeclnt.exe: Injected PE Image: 64-bit executable
services.exe: Injected PE Image: 32-bit executable
eeclnt.exe: Injected Shellcode/Data
The binary likely contains encrypted or compressed data.
section: name: .data, entropy: 7.14, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0001d000, virtual_size: 0x0001db1c
Uses Windows utilities for basic functionality
command: cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\a.bat
Deletes its original binary from disk
Behavioural detection: Injection (Process Hollowing)
Injection: eeclnt.exe(2716) -> msiexec.exe(2960)
Executed a process and injected code into it, probably while unpacking
Injection: eeclnt.exe(2716) -> msiexec.exe(2960)
Behavioural detection: Injection (inter-process)
Installs itself for autorun at Windows startup
service name: WanServer
service path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\Windows\
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
binary: C:\Users\user\AppData\Local\Temp\adobe.exe

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\MSVCR110.dat
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Local\Temp\a.bat
C:\Windows\Globalization\Sorting\sortdefault.nls
\??\MountPointManager
C:\Users\user\AppData\Local\Temp\exe
C:\Users\user\AppData\Local\Temp\exe.*
C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
C:\Windows
C:\Windows\winsxs
C:\Users\user\AppData\Roaming\Windows\
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\
C:\Users
C:\Users\user\AppData\Local\Microsoft\Windows\Caches
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Windows
C:\Users\user\AppData\Roaming\Windows\desktop.ini
C:\Windows\SysWOW64\propsys.dll
C:\Windows\sysnative\propsys.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\a.bat"
C:\Users\user\AppData\Local\Temp\exe.bin
C:\Windows\sysnative\ntdll.dll
C:\Windows\sysnative\kernelbase.dll
C:\Windows\Temp
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\MSVCR110.dat
\Device\KsecDD
C:\Windows\SysWOW64\shell32.dll
C:\
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000d.db
C:\Users\desktop.ini
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Roaming
C:\Users\user\AppData\Roaming\Windows\desktop.ini
C:\Users\user\AppData\Local\Temp
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
C:\Users\user\AppData\Local\Temp\a.bat
C:\Windows\sysnative\ntdll.dll
C:\Windows\sysnative\kernelbase.dll
C:\Users\user\AppData\Local\Temp\MSVCR110.dat
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Local\Temp\a.bat
C:\Users\user\AppData\Local\Temp\exe
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
C:\Users\user\AppData\Local\Temp\exe.bin
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\exe.bin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CLASSES_ROOT\.
HKEY_CLASSES_ROOT\.\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
HKEY_CLASSES_ROOT\Unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\(Default)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SuppressionPolicy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UsersFiles\NameSpace\DelegateFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\UsersFiles\NameSpace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\UsersFiles\NameSpace\DelegateFolders
HKEY_CLASSES_ROOT\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\open
HKEY_CLASSES_ROOT\*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\open
HKEY_CLASSES_ROOT\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shell\open
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\adobe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\adobe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\adobe.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CLASSES_ROOT\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_CLASSES_ROOT\.dll\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dll\UserChoice
HKEY_CLASSES_ROOT\dllfile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll\(Default)
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties
HKEY_CLASSES_ROOT\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_CLASSES_ROOT\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
HKEY_CLASSES_ROOT\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\PropertyHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\{2F711B17-773C-41D4-93FA-7F23EDCECB66}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_CLASSES_ROOT\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
HKEY_CLASSES_ROOT\.dat\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\ShellEx\PropertyHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\ShellEx\PropertyHandler
HKEY_CLASSES_ROOT\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_CLASSES_ROOT\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice
HKEY_CLASSES_ROOT\exefile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_CLASSES_ROOT\SystemFileAssociations\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CLASSES_ROOT\Applications\cmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\cmd.exe\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\cmd.exe\NoStartPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\cmd.exe\IsHostApp
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\Environment
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\23F1DDA5-33480874
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\AppId_Catalog\23F1DDA5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\00000005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000006
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000007
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000008
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000009
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000010
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\00000028
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\ProviderInfo
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32SpinCount
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\UsersFiles\NameSpace\DelegateFolders\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\InProcServer32\LoadWithoutCOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dll\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.dll\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\DisableProcessIsolation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\NoOplock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseInProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\UseOutOfProcHandlerCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Advanced\MaxUndoItems
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\cmd.exe\NoStartPage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\cmd.exe\IsHostApp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystem\Win31FileSystem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WanServer\Environment
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Callout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000001\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000002\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000003\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000004\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000005\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\DisplayString
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\AddressFamily
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\000000000006\ProviderInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32NumHandleBuckets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Ws2_32SpinCount
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
ole32.dll.OleInitialize
ole32.dll.OleUninitialize
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
ntdll.dll.memcpy
ntdll.dll.RtlDecompressBuffer
kernel32.dll.SetErrorMode
kernel32.dll.GetModuleHandleW
kernel32.dll.GetCommandLineW
kernel32.dll.Sleep
kernel32.dll.IsWow64Process
kernel32.dll.WideCharToMultiByte
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.SetFileAttributesW
kernel32.dll.GetModuleFileNameW
kernel32.dll.SetEnvironmentVariableW
kernel32.dll.ReadFile
kernel32.dll.GetFileSize
kernel32.dll.CreateFileW
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetModuleHandleA
kernel32.dll.Process32NextW
kernel32.dll.Process32FirstW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.FreeLibrary
kernel32.dll.GetComputerNameA
kernel32.dll.GetComputerNameW
kernel32.dll.GetSystemInfo
kernel32.dll.CreateMutexA
kernel32.dll.OpenMutexA
kernel32.dll.ExitProcess
kernel32.dll.lstrcmpiW
kernel32.dll.GetCurrentProcess
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.GetSystemDirectoryW
kernel32.dll.Wow64RevertWow64FsRedirection
kernel32.dll.TerminateProcess
kernel32.dll.ResumeThread
kernel32.dll.GetVersionExW
kernel32.dll.CloseHandle
kernel32.dll.VirtualAllocEx
kernel32.dll.WriteProcessMemory
kernel32.dll.VirtualFreeEx
kernel32.dll.VirtualQueryEx
kernel32.dll.ReadProcessMemory
kernel32.dll.GetLastError
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.InitializeCriticalSection
kernel32.dll.HeapReAlloc
kernel32.dll.HeapFree
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.GetProcAddress
kernel32.dll.GetTickCount
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.DeleteFileW
kernel32.dll.OpenProcess
user32.dll.wsprintfW
user32.dll.wsprintfA
advapi32.dll.CryptHashData
advapi32.dll.CryptDeriveKey
advapi32.dll.CryptEncrypt
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptReleaseContext
advapi32.dll.InitializeSecurityDescriptor
advapi32.dll.SetSecurityDescriptorDacl
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.GetUserNameW
advapi32.dll.RevertToSelf
advapi32.dll.ImpersonateLoggedOnUser
advapi32.dll.DeleteService
advapi32.dll.ControlService
advapi32.dll.QueryServiceStatus
advapi32.dll.OpenSCManagerW
advapi32.dll.CreateServiceW
advapi32.dll.OpenServiceW
advapi32.dll.CloseServiceHandle
advapi32.dll.ChangeServiceConfig2W
advapi32.dll.StartServiceW
advapi32.dll.RegSetValueExW
advapi32.dll.OpenProcessToken
advapi32.dll.CreateProcessAsUserW
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegDeleteValueW
advapi32.dll.RegCloseKey
advapi32.dll.CryptCreateHash
advapi32.dll.CryptAcquireContextW
shell32.dll.ShellExecuteW
shell32.dll.CommandLineToArgvW
shell32.dll.SHFileOperationW
shell32.dll.SHCreateDirectoryExW
wininet.dll.InternetReadFile
wininet.dll.HttpQueryInfoA
wininet.dll.HttpSendRequestA
wininet.dll.HttpAddRequestHeadersA
wininet.dll.InternetCloseHandle
wininet.dll.InternetConnectA
wininet.dll.InternetSetOptionA
wininet.dll.InternetOpenA
wininet.dll.HttpOpenRequestA
wininet.dll.InternetSetOptionW
ws2_32.dll.#11
ws2_32.dll.#52
ws2_32.dll.#57
ws2_32.dll.#115
ws2_32.dll.#21
ws2_32.dll.#12
iphlpapi.dll.GetAdaptersInfo
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CreateBindCtx
ole32.dll.CoGetApartmentType
ole32.dll.CoRegisterInitializeSpy
comctl32.dll.#236
oleaut32.dll.#6
ole32.dll.CoGetMalloc
comctl32.dll.#320
ole32.dll.StringFromGUID2
comctl32.dll.#324
comctl32.dll.#323
advapi32.dll.RegEnumKeyW
oleaut32.dll.#2
ole32.dll.CoUninitialize
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
oleaut32.dll.#500
oleaut32.dll.#200
comctl32.dll.#385
comctl32.dll.#328
comctl32.dll.#334
ole32.dll.CoCreateInstance
advapi32.dll.SetEntriesInAclW
ntmarta.dll.GetMartaExtensionInterface
comctl32.dll.#332
advapi32.dll.IsTextUnicode
comctl32.dll.#338
comctl32.dll.#339
shell32.dll.#102
advapi32.dll.OpenThreadToken
propsys.dll.PSLookupPropertyHandlerCLSID
advapi32.dll.RegQueryValueExW
propsys.dll.PSCreatePropertyStoreFromObject
propsys.dll.#417
propsys.dll.PropVariantToStringAlloc
ole32.dll.PropVariantClear
propsys.dll.PSCreateMemoryPropertyStore
propsys.dll.PropVariantToBuffer
propsys.dll.PropVariantToUInt64
propsys.dll.PropVariantToBoolean
shell32.dll.#66
propsys.dll.InitPropVariantFromBuffer
comctl32.dll.#336
comctl32.dll.#329
comctl32.dll.#387
comctl32.dll.#327
cryptsp.dll.CryptReleaseContext
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
"C:\Users\user\AppData\Local\Temp\adobe.exe"
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Local\Temp\exe
"C:\Users\user\AppData\Local\Temp\a.bat"
cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
C:\Users\user\AppData\Local\Temp\a.bat
"C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe 258
C:\Windows\system32\msiexec.exe "259"
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
C:\Windows\system32\msiexec.exe "261"
Global\eeclnt
WanServer
WanServer

PE Information

Image Base 0x00400000
Entry Point 0x00401574
Reported Checksum 0x0003e02b
Actual Checksum 0x0003e02b
Minimum OS Version 5.0
Compile Time 2018-04-16 03:42:10
Import Hash b8b143646d634b8219042f8517118310

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                              Entropy
.text   0x00001000       0x000065d4    0x00006600        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ                  6.61
.rdata  0x00008000       0x00001c4c    0x00001e00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            5.29
.data   0x0000a000       0x0001db1c    0x0001d000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE        7.14
.rsrc   0x00028000       0x00010a80    0x00010c00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                            3.12
.reloc  0x00039000       0x00000e44    0x00001000        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ  3.74

Imports

Library KERNEL32.dll:
0x408000 ExitProcess
0x408004 CreateFileA
0x408008 WriteFile
0x40800c CreateFileW
0x408010 GetTempPathW
0x408014 GetModuleFileNameA
0x408018 CloseHandle
0x40801c GetCommandLineA
0x408020 GetStartupInfoA
0x408024 TerminateProcess
0x408028 GetCurrentProcess
0x408034 IsDebuggerPresent
0x408038 GetModuleHandleW
0x40803c Sleep
0x408040 GetProcAddress
0x408044 GetStdHandle
0x408054 WideCharToMultiByte
0x408058 GetLastError
0x408060 SetHandleCount
0x408064 GetFileType
0x40806c TlsGetValue
0x408070 TlsAlloc
0x408074 TlsSetValue
0x408078 TlsFree
0x408080 SetLastError
0x408084 GetCurrentThreadId
0x40808c HeapCreate
0x408090 VirtualFree
0x408094 HeapFree
0x40809c GetTickCount
0x4080a0 GetCurrentProcessId
0x4080b0 LoadLibraryA
0x4080b8 GetCPInfo
0x4080bc GetACP
0x4080c0 GetOEMCP
0x4080c4 IsValidCodePage
0x4080c8 HeapAlloc
0x4080cc VirtualAlloc
0x4080d0 HeapReAlloc
0x4080d4 RtlUnwind
0x4080d8 HeapSize
0x4080dc GetLocaleInfoA
0x4080e0 LCMapStringA
0x4080e4 MultiByteToWideChar
0x4080e8 LCMapStringW
0x4080ec GetStringTypeA
0x4080f0 GetStringTypeW
Library USER32.dll:
0x408104 wsprintfW
0x408108 wsprintfA
Library SHELL32.dll:
0x4080f8 ShellExecuteA
0x4080fc ShellExecuteW

.text
`.rdata
@.data
.rsrc
@.reloc
D$ Pj
YQPVh
URPQQhPU@
SVWUj
CorExitProcess
runtime error
Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
ExitProcess
CreateFileA
WriteFile
CreateFileW
GetTempPathW
GetModuleFileNameA
CloseHandle
KERNEL32.dll
wsprintfW
wsprintfA
USER32.dll
ShellExecuteA
ShellExecuteW
SHELL32.dll
GetCommandLineA
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetModuleHandleW
Sleep
GetProcAddress
GetStdHandle
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.text
`.rdata
@.data
.rsrc
@.reloc
D$<Pj
D$<Pj
Vh /@
Vh L@
Wh`e@
t%Wh"}@
SHGetPathFromIDListW
SHGetPathFromIDListA
InitializeCriticalSectionAndSpinCount
GetProcessMemoryInfo
SetProcessDEPPolicy
IsUserAnAdmin
CreateEventW
ProcessIdToSessionId
CloseHandle
NtAcceptConnectPort
NtRequestPort
NtRequestWaitReplyPort
NtReplyWaitReceivePort
NtReplyPort
NtImpersonateClientOfPort
NtReadRequestData
NtWriteRequestData
IsWow64Process
RtlInitUnicodeString
NtCreatePort
CreateThread
NtConnectPort
NtCompleteConnectPort
CreateFileMappingW
SetEntriesInAclW
RegQueryValueExA
RegCloseKey
WTSGetActiveConsoleSessionId
IsDebuggerPresent
EncodePointer
DecodePointer
ntdll.dll
VerSetConditionMask
KERNEL32.DLL
VerifyVersionInfoA
Terminal Server
System\CurrentControlSet\Control\ProductOptions
ProductSuite
CueaaaaceeeiiiAAEaAooouuyOUc?Y?faiounNao?????!<>??????????????????????????????????????????????????????????????????????????.??2? 0123456789abcdefH
eeclnt.pdb
GetLastError
lstrlenA
InitializeCriticalSection
GetTickCount
SetEvent
GetCurrentProcessId
WaitForSingleObject
GetCurrentThread
GetCurrentProcess
EnterCriticalSection
LeaveCriticalSection
TerminateThread
ResetEvent
GetCurrentThreadId
DeleteCriticalSection
UnmapViewOfFile
CreateMutexW
MapViewOfFile
VirtualAlloc
ReleaseMutex
OpenFileMappingW
InterlockedIncrement
WaitForMultipleObjects
OpenProcess
DuplicateHandle
OpenMutexW
LocalAlloc
LocalFree
GetVersion
GetModuleHandleA
GetProcAddress
lstrcmpA
GetVersionExW
GetSystemTimeAsFileTime
SetThreadPriority
LoadLibraryW
FreeLibrary
KERNEL32.dll
PeekMessageW
TranslateMessage
DispatchMessageW
MsgWaitForMultipleObjects
USER32.dll
OpenThreadToken
OpenProcessToken
GetTokenInformation
AllocateAndInitializeSid
EqualSid
FreeSid
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
RegOpenKeyA
ADVAPI32.dll
malloc
??3@YAXPAX@Z
??2@YAPAXI@Z
_snwprintf_s
_purecall
srand
MSVCR110.dll
??1type_info@@UAE@XZ
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
_XcptFilter
__crtGetShowWindowMode
_amsg_exit
__wgetmainargs
__set_app_type
_exit
_cexit
_configthreadlocale
__setusermatherr
_initterm_e
_initterm
_wcmdln
_fmode
_commode
_lock
_unlock
_calloc_crt
__dllonexit
_onexit
?terminate@@YAXXZ
__crtSetUnhandledExceptionFilter
_invoke_watson
_controlfp_s
_except_handler4_common
IsProcessorFeaturePresent
QueryPerformanceCounter
memcpy
memset
.?AVtype_info@@
.?AV?$CNodcommClientNt@K@@
.?AV?$CNodcommClientNt@_K@@
.?AV?$CNodcommStructsNt@K@@
.?AV?$CNodcommServerNt@K@@
.?AV?$CNodcommStructsNt@_K@@
.?AVCNodcommCommonNt@@
.?AV?$CNodcommServerNt@_K@@
.?AVINodcommClient@@
.?AVINodcommServer@@
.?AVCNodcommClient9x@@
.?AVCNodcommCommon9x@@
.?AVCNodcommServer9x@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>
?8?V?[?m?
>#?f?k?}?
8 8$8(8,8084888<8@8D8H8L8P8T8
4$4(4D4H4d4h4
2 2@2
vzBavRich{Bav
.text
`.rdata
@.data
.rsrc
@.reloc
.dath
6Da2aw7#5<)u+=ie
%6e2euiGFfuw3&:?
ExitProcess
CreateFileA
GetFileSize
ReadFile
VirtualAlloc
GetModuleFileNameA
CloseHandle
KERNEL32.dll
wsprintfA
USER32.dll
malloc
MSVCR90.dll
_encode_pointer
_malloc_crt
_encoded_null
_decode_pointer
_initterm
_initterm_e
_amsg_exit
_adjust_fdiv
__CppXcptFilter
_crt_debugger_hook
__clean_type_info_names_internal
_unlock
__dllonexit
_lock
_onexit
_except_handler4_common
InterlockedExchange
Sleep
InterlockedCompareExchange
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
GetCurrentProcessId
GetSystemTimeAsFileTime
??2@YAPAXI@Z
??3@YAXPAX@Z
?terminate@@YAXXZ
_XcptFilter
__set_app_type
__setusermatherr
__wgetmainargs
_calloc_crt
_cexit
_configthreadlocale
_controlfp_s
_exit
_invoke_watson
_purecall
_snwprintf_s
memcpy
memset
srand
?_type_info_dtor_internal_method@type_info@@QAEXXZ
MSVCR110.dll
??1type_info@@UAE@XZ
??2@YAPAXI@Z
??3@YAXPAX@Z
__crtGetShowWindowMode
__crtSetUnhandledExceptionFilter
__crtTerminateProcess
__crtUnhandledException
_wcmdln
?terminate@@YAXXZ
_XcptFilter
__dllonexit
__set_app_type
__setusermatherr
__wgetmainargs
_amsg_exit
_calloc_crt
_cexit
_commode
_configthreadlocale
_controlfp_s
_crt_debugger_hook
_except_handler4_common
_exit
_fmode
_initterm
_initterm_e
_invoke_watson
_lock
_onexit
_purecall
_snwprintf_s
_unlock
malloc
memcpy
memset
srand
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
= =&=,=2=8=>=D=J=P=V=\=b=h=n=t=
fs4-5
:d&xC
{qfOqV
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
?W?d?
1 1$1(1@1D1
6,606
mscoree.dll
KERNEL32.DLL
adobe.exe
MSVCR110.dll
MSVCR110.dat
a.bat
shell32.dll
kernel32.dll
psapi.dll
ntdll.dll
advapi32.dll
\BaseNamedObjects\NODCOMM%08XTo%08XCommPort
@NODCOMM%08XTo%08XReceiverMutex
NODCOMM%08XTo%08XCommMutex
NODCOMM%08XTo%08XSendEvent
NODCOMM%08XTo%08XAckEvent
NODCOMM%08XTo%08XSection
@Global\
%sNODCOMM%08XTo%08XBroadcastMutex
%sNODCOMM%08XTo%08XBroadcast
VS_VERSION_INFO
StringFileInfo
040904e4
CompanyName
FileDescription
ESET Elevated Client
FileVersion
8.0.319.0
InternalName
eeclnt.exe
LegalCopyright
Copyright (c) ESET, spol. s r.o. 1992-2015. All rights reserved.
LegalTrademarks
NOD, NOD32, AMON, ESET are registered trademarks of ESET.
OriginalFilename
eeclnt.exe
ProductName
ESET Smart Security
ProductVersion
8.0.319.0
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

exe.bin, PID: 320, Parent PID: 1980
Full Path: C:\Users\user\AppData\Local\Temp\exe.bin
Command Line: "C:\Users\user\AppData\Local\Temp\exe.bin"
adobe.exe, PID: 1060, Parent PID: 320
Full Path: C:\Users\user\AppData\Local\Temp\adobe.exe
Command Line: "C:\Users\user\AppData\Local\Temp\adobe.exe"
explorer.exe, PID: 1676, Parent PID: 1632
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE
cmd.exe, PID: 1600, Parent PID: 320
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\a.bat" "
eeclnt.exe, PID: 2716, Parent PID: 1060
Full Path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Command Line: "C:\Users\user\AppData\Roaming\Windows\eeclnt.exe" 258
msiexec.exe, PID: 2960, Parent PID: 2716
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe "259"
services.exe, PID: 464, Parent PID: 376
Full Path: C:\Windows\sysnative\services.exe
Command Line: C:\Windows\system32\services.exe
eeclnt.exe, PID: 2436, Parent PID: 464
Full Path: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Command Line: C:\Users\user\AppData\Roaming\Windows\eeclnt.exe "260"
msiexec.exe, PID: 2712, Parent PID: 2436
Full Path: C:\Windows\sysnative\msiexec.exe
Command Line: C:\Windows\system32\msiexec.exe "261"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name MSVCR110.dat
Associated Filenames
C:\Users\user\AppData\Local\Temp\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
File Size 38499 bytes
File Type Applesoft BASIC program data
MD5 44d4f0785f7b95ba308bf9154cd03e2c
SHA1 86b621a0bfc07e68cc36dbf169a139753804738e
SHA256 2201c3ac955148a078d366dc1e9f552fca4a872756d3b6da93494cde8d5decd5
CRC32 C1DD715E
Ssdeep 768:6rG+PUoqam8Ho5sGqL1W+WbJe2fhiK/eMxykRPRw1:WGf56o5sZLA3xiK/e8yk8
ClamAV None
Yara None matched
CAPE Yara None matched
File name adobe.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\adobe.exe
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
File Size 53448 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b31f492db30ff846c45e79ca269912dd
SHA1 bb328a9ce7db3895633d59a7ad390ce7f557f2f9
SHA256 36d76999e9090c99fae2388cd3476134464807fc597f67c60eebc76e32339683
CRC32 C13CBBF7
Ssdeep 1536:6wSmRm9OYTDgDQe2lrtEbstgNXt8GAlrmw:6Nw0Y92CstYXt8GAlrt
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSVCR110.dll
Associated Filenames
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
File Size 9728 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 79bef92272c7d1c6236a03c26a0804cc
SHA1 a72a4db4188b49942b442379e1b4f30049d2d2f7
SHA256 d784a12fec628860433c28caa353bb52923f39d072437393629039fa4b2ec8ad
CRC32 EB447848
Ssdeep 192:y14sMryjQUic5kslkhivLqcnlo2+9r3X+EqoIoOLXi/sW6Hr6j:y+1UiK2Ezqc+/9TuVoOTikrO
ClamAV None
Yara None matched
CAPE Yara None matched
File name a.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\a.bat
File Size 115 bytes
File Type ASCII text
MD5 f2ba6abea9c1a8e945b1cbebd908c1f8
SHA1 e60df096d0e7433119595d9a143a0acbb032ea9a
SHA256 087838fa6648a398e50a5fed5ade987c4e8f19ab75dcc9fe361f97f6b2a6aeaa
CRC32 CBFC43E3
Ssdeep 3:mRv9NcpkVkE2J5xAIcAAMZ4MDcpkVkE2J5xAIcAqfKSRn:mRlNOk/23f+G4cOk/23fUlR
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
:Repeat
del C:\Users\user\AppData\Local\Temp\exe.bin
if exist C:\Users\user\AppData\Local\Temp\exe.bin goto Repeat
File name exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\exe
File Size 13822 bytes
File Type Microsoft Word 2007+
MD5 70ed4d802f2eb6b22b7a482df7dd722d
SHA1 537a7653c2a48c077b42d7a1b42082d9f262fd8d
SHA256 b4e630fc970052653436fc447cdc9354f7920e691642276c1d7c3e7f593b164f
CRC32 ED64A5A8
Ssdeep 192:IPmxCqWpvvD3zu92UesLgpg45bv/0CEjO3qcf0ztxQMYgL0J4IoCy1Zr3GuuIkG0:IwfWp3DS2U1LgWIsQkw34miZrG2jm
ClamAV None
Yara None matched
CAPE Yara None matched
File name MSVCR110.dll
Associated Filenames
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dll
C:\Users\user\AppData\Roaming\Windows\MSVCR110.dat
C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 96 bytes
Target Process msiexec.exe
Target PID 2960
Target Path C:\Windows\system32\msiexec.exe
Injecting Process eeclnt.exe
Injecting PID 2716
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 5e8af66c86a747c4f78e4a4d5c5d5a53
SHA1 367d78990f1564ac88eab680a81bda7692e0d39a
SHA256 b656d5e26d28358e6ca68caa3ea063e6526bfae7a1e0e4f9b3e9611c5d2c49b7
CRC32 0319258F
Ssdeep 3:FNl7NllXlP/CZl//lGColnE/n:FNl7ar4E/n
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 19973 bytes
Target Process msiexec.exe
Target PID 2960
Target Path C:\Windows\system32\msiexec.exe
Injecting Process eeclnt.exe
Injecting PID 2716
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 592e6496e0c2cf1ee59ac02867c1fd09
SHA1 64766e9920b922c4a7e49449c800f60f1bd9b0ce
SHA256 d8cd7a74b69a9736649ff171d2972d9fee086cc1d43ff1bec1e81035d8327b85
CRC32 8FF13B55
Ssdeep 384:56sPDDmscWXzwUHhhcyQi814MxMYCjfNZVwvrCgmEVh4XfdY0:iMXUHN7xJCjVIveEVOfd5
Yara None matched
CAPE Yara None matched
Type Injected PE Image: 64-bit executable
Size 125952 bytes
Target Process msiexec.exe
Target PID 2960
Target Path C:\Windows\system32\msiexec.exe
Injecting Process eeclnt.exe
Injecting PID 2716
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 00f8420fec198b7a4487671c791c85d4
SHA1 8f7143cdcf2c283dba45ea4fad4506993e77fb0e
SHA256 c87d6d45d9e8aea2ead845f96db63b8b104e730fa2886329b3e7c2467ebe180d
CRC32 738EA86F
Ssdeep 3072:lTO4rVlSfm1XMrW3ydZb/0aIGioLdmQA:XlcCXAWC3b/0ShmQ
Yara None matched
CAPE Yara None matched
Type Injected PE Image: 32-bit executable
Size 40448 bytes
Target Process eeclnt.exe
Target PID 2436
Target Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
Injecting Process services.exe
Injecting PID 464
Path C:\Windows\sysnative\services.exe
MD5 d00a1a94ae106b62dabb91e69789e3d9
SHA1 348b9a8b3604815bd06ba6892a5dccde7b2121f2
SHA256 ccfcdccbc5d444a2506b03fd14655530f64bda5fb5ae821f8b680f3aa517c4fe
CRC32 8C1CC413
Ssdeep 768:XB0SWR94cL2TlyY3D8qxdWhvMkNS2Gz3rzOfobTh8ZPXt8vmTrvLE:XB0SWR94cSByY3DzduvMkNS2krJh8hXK
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 96 bytes
Target Process msiexec.exe
Target PID 2712
Target Path C:\Windows\system32\msiexec.exe
Injecting Process eeclnt.exe
Injecting PID 2436
Path C:\Users\user\AppData\Roaming\Windows\eeclnt.exe
MD5 76cee700002bbc3488974ae4f7d7ca5b
SHA1 83c78d092e62b254ac7fb4c7c0511cb5d1ff5481
SHA256 64985ac21ff2300dab28807c9464a98cfe15cd08b31d5d58af245f1fd0e9e5ad
CRC32 613B6D38
Ssdeep 3:ZlocNl7NllXlP/CZl//lGColnE/n:scNl7ar4E/n
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 2.112 seconds )

  • 0.663 CAPE
  • 0.53 BehaviorAnalysis
  • 0.311 Dropped
  • 0.181 Static
  • 0.159 TargetInfo
  • 0.15 Deduplicate
  • 0.092 TrID
  • 0.014 Strings
  • 0.006 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.269 seconds )

  • 0.027 antiav_detectreg
  • 0.018 decoy_document
  • 0.017 NewtWire Behavior
  • 0.017 api_spamming
  • 0.012 stealth_file
  • 0.011 antidbg_windows
  • 0.011 infostealer_ftp
  • 0.009 ransomware_files
  • 0.008 Doppelganging
  • 0.007 antivm_generic_disk
  • 0.006 antiemu_wine_func
  • 0.006 mimics_filetime
  • 0.006 dynamic_function_loading
  • 0.006 infostealer_im
  • 0.005 malicious_dynamic_function_loading
  • 0.005 antivm_generic_scsi
  • 0.005 virus
  • 0.005 antianalysis_detectreg
  • 0.004 bootkit
  • 0.004 reads_self
  • 0.004 infostealer_browser_password
  • 0.004 kovter_behavior
  • 0.004 antiav_detectfile
  • 0.004 infostealer_mail
  • 0.004 ransomware_extensions
  • 0.003 exploit_getbasekerneladdress
  • 0.003 injection_createremotethread
  • 0.003 InjectionCreateRemoteThread
  • 0.003 persistence_autorun
  • 0.003 hancitor_behavior
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_bitcoin
  • 0.002 InjectionInterProcess
  • 0.002 injection_runpe
  • 0.002 recon_programs
  • 0.002 antivm_generic_services
  • 0.002 exploit_gethaldispatchtable
  • 0.002 InjectionProcessHollowing
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 bot_drive
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 recon_fingerprint

Reporting ( 0.004 seconds )

  • 0.004 CompressResults
Task ID 131457
Mongo ID 5e79a7fb22fb4f13386d6e5c
Cuckoo release 1.3-CAPE