CAPE

Triggered CAPE Tasks: Task #131482: Extraction


Analysis

Category: FILE
Package: exe
Started: 2020-03-24 10:13:15
Completed: 2020-03-24 10:17:18
Duration: 243 seconds
Options:
route = internet
procdump = 1
Log:
2020-03-24 10:13:35,000 [root] INFO: Date set to: 03-24-20, time set to: 10:13:35, timeout set to: 200
2020-03-24 10:13:35,046 [root] DEBUG: Starting analyzer from: C:\xpemzsxp
2020-03-24 10:13:35,046 [root] DEBUG: Storing results at: C:\VMhVWoGOo
2020-03-24 10:13:35,046 [root] DEBUG: Pipe server name: \\.\PIPE\ngWJOW
2020-03-24 10:13:35,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-03-24 10:13:35,046 [root] INFO: Automatically selected analysis package "exe"
2020-03-24 10:13:35,967 [root] DEBUG: Started auxiliary module Browser
2020-03-24 10:13:35,967 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 10:13:35,982 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 10:13:37,417 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 10:13:37,417 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 10:13:37,433 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 10:13:37,433 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 10:13:37,433 [root] DEBUG: Started auxiliary module Human
2020-03-24 10:13:37,433 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 10:13:37,433 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 10:13:37,448 [root] DEBUG: Started auxiliary module Usage
2020-03-24 10:13:37,448 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2020-03-24 10:13:37,448 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2020-03-24 10:13:37,463 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe" with arguments "" with pid 1444
2020-03-24 10:13:37,480 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:37,480 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:37,510 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:37,510 [root] DEBUG: Loader: Injecting process 1444 (thread 1044) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:37,510 [root] DEBUG: Process image base: 0x00E10000
2020-03-24 10:13:37,510 [root] DEBUG: InjectDllViaIAT: Executable is .NET, injecting via queued APC.
2020-03-24 10:13:37,510 [root] DEBUG: InjectDllViaQueuedAPC: APC injection queued.
2020-03-24 10:13:37,526 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:37,526 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1444
2020-03-24 10:13:39,555 [lib.api.process] INFO: Successfully resumed process with pid 1444
2020-03-24 10:13:39,555 [root] INFO: Added new process to list with pid: 1444
2020-03-24 10:13:39,742 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 10:13:39,742 [root] DEBUG: Process dumps enabled.
2020-03-24 10:13:39,819 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1444 at 0x74e80000, image base 0xe10000, stack from 0x2a6000-0x2b0000
2020-03-24 10:13:39,819 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe".
2020-03-24 10:13:39,835 [root] INFO: Monitor successfully loaded in process with pid 1444.
2020-03-24 10:13:39,835 [root] DEBUG: set_caller_info: Adding region at 0x001B0000 to caller regions list (advapi32::RegQueryInfoKeyW).
2020-03-24 10:13:39,835 [root] DEBUG: set_caller_info: Adding region at 0x02480000 to caller regions list (advapi32::RegOpenKeyExW).
2020-03-24 10:13:39,835 [root] DEBUG: set_caller_info: Adding region at 0x004B0000 to caller regions list (kernel32::FindFirstFileExW).
2020-03-24 10:13:39,851 [root] DEBUG: DLL loaded at 0x74DF0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2020-03-24 10:13:39,881 [root] DEBUG: DLL loaded at 0x74750000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr (0x69b000 bytes).
2020-03-24 10:13:39,881 [root] DEBUG: DLL loaded at 0x74670000: C:\Windows\system32\MSVCR110_CLR0400 (0xd3000 bytes).
2020-03-24 10:13:39,898 [root] INFO: Disabling sleep skipping.
2020-03-24 10:13:39,928 [root] DEBUG: DLL loaded at 0x72280000: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni (0x102e000 bytes).
2020-03-24 10:13:40,178 [root] DEBUG: DLL loaded at 0x745F0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit (0x7d000 bytes).
2020-03-24 10:13:40,178 [root] DEBUG: DLL loaded at 0x76BF0000: C:\Windows\syswow64\OLEAUT32 (0x8f000 bytes).
2020-03-24 10:13:40,226 [root] DEBUG: set_caller_info: Adding region at 0x00350000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-03-24 10:13:40,256 [root] DEBUG: DLL loaded at 0x73940000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni (0x99a000 bytes).
2020-03-24 10:13:40,288 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni (0x194000 bytes).
2020-03-24 10:13:40,303 [root] DEBUG: DLL loaded at 0x71630000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni (0xc4f000 bytes).
2020-03-24 10:13:40,522 [root] DEBUG: DLL loaded at 0x743D0000: C:\Windows\system32\uxtheme (0x80000 bytes).
2020-03-24 10:13:40,599 [root] DEBUG: DLL loaded at 0x74FC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32 (0x84000 bytes).
2020-03-24 10:13:40,694 [root] DEBUG: DLL loaded at 0x737A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32 (0x19e000 bytes).
2020-03-24 10:13:40,724 [root] DEBUG: set_caller_info: Adding region at 0x001A0000 to caller regions list (ntdll::LdrGetProcedureAddress).
2020-03-24 10:13:40,756 [root] DEBUG: DLL loaded at 0x743B0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting (0x12000 bytes).
2020-03-24 10:13:41,489 [root] DEBUG: DLL loaded at 0x73610000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus (0x190000 bytes).
2020-03-24 10:13:42,098 [root] DEBUG: DLL loaded at 0x73510000: C:\Windows\system32\WindowsCodecs (0xfb000 bytes).
2020-03-24 10:13:44,048 [root] DEBUG: set_caller_info: Adding region at 0x00430000 to caller regions list (ntdll::NtQueryPerformanceCounter).
2020-03-24 10:13:44,391 [root] DEBUG: set_caller_info: Adding region at 0x00150000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2020-03-24 10:13:44,608 [root] DEBUG: DLL loaded at 0x70F80000: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni (0x6ae000 bytes).
2020-03-24 10:13:44,608 [root] DEBUG: DLL loaded at 0x73330000: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni (0x1dd000 bytes).
2020-03-24 10:13:45,201 [root] DEBUG: DLL loaded at 0x759C0000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-03-24 10:13:45,263 [root] DEBUG: DLL loaded at 0x74F90000: C:\Windows\system32\ntmarta (0x21000 bytes).
2020-03-24 10:13:45,263 [root] DEBUG: DLL loaded at 0x75970000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-03-24 10:13:46,309 [root] DEBUG: DLL loaded at 0x70E80000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-03-24 10:13:46,325 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 10:13:46,325 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 10:13:46,528 [root] DEBUG: DLL loaded at 0x70400000: C:\Windows\SysWOW64\ieframe (0xa80000 bytes).
2020-03-24 10:13:46,809 [root] DEBUG: DLL loaded at 0x732F0000: C:\Windows\SysWOW64\OLEACC (0x3c000 bytes).
2020-03-24 10:13:46,855 [root] DEBUG: DLL loaded at 0x772A0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2020-03-24 10:13:46,996 [root] DEBUG: DLL loaded at 0x77610000: C:\Windows\syswow64\urlmon (0x136000 bytes).
2020-03-24 10:13:47,089 [root] DEBUG: DLL loaded at 0x77120000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2020-03-24 10:13:47,105 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2020-03-24 10:13:47,105 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2020-03-24 10:13:47,604 [root] DEBUG: DLL loaded at 0x768D0000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2020-03-24 10:13:47,619 [root] DEBUG: DLL loaded at 0x75940000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-03-24 10:13:47,619 [root] DEBUG: DLL loaded at 0x76EA0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-03-24 10:13:47,635 [root] DEBUG: DLL unloaded from 0x759C0000.
2020-03-24 10:13:47,681 [root] DEBUG: DLL loaded at 0x743A0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-03-24 10:13:47,963 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 976
2020-03-24 10:13:47,963 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:47,963 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:47,979 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:47,979 [root] DEBUG: Loader: Injecting process 976 (thread 1840) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:47,979 [root] DEBUG: Process image base: 0x00900000
2020-03-24 10:13:47,979 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:48,009 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:13:48,009 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:48,009 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 976
2020-03-24 10:13:48,088 [root] INFO: Announced 32-bit process name: schtasks.exe pid: 976
2020-03-24 10:13:48,088 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:48,088 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:48,104 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:48,104 [root] DEBUG: Loader: Injecting process 976 (thread 1840) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:48,104 [root] DEBUG: Process image base: 0x00900000
2020-03-24 10:13:48,104 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:48,118 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:13:48,118 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:48,118 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 976
2020-03-24 10:13:48,181 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2020-03-24 10:13:48,197 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2020-03-24 10:13:48,213 [root] DEBUG: DLL loaded at 0x732D0000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2020-03-24 10:13:48,290 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 10:13:48,290 [root] DEBUG: Process dumps enabled.
2020-03-24 10:13:48,290 [root] INFO: Disabling sleep skipping.
2020-03-24 10:13:48,322 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 10:13:48,322 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 976 at 0x74e80000, image base 0x900000, stack from 0xc6000-0xd0000
2020-03-24 10:13:48,322 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\System32\schtasks.exe" \Create \TN "Updates\xPVgBllqedb" \XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp".
2020-03-24 10:13:48,322 [root] INFO: Added new process to list with pid: 976
2020-03-24 10:13:48,322 [root] INFO: Monitor successfully loaded in process with pid 976.
2020-03-24 10:13:48,352 [root] DEBUG: DLL loaded at 0x732C0000: C:\Windows\SysWOW64\VERSION (0x9000 bytes).
2020-03-24 10:13:48,352 [root] DEBUG: DLL unloaded from 0x00900000.
2020-03-24 10:13:49,382 [root] INFO: Stopped Task Scheduler Service
2020-03-24 10:13:49,460 [root] INFO: Started Task Scheduler Service
2020-03-24 10:13:49,476 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:49,476 [lib.api.process] INFO: 64-bit DLL to inject is C:\xpemzsxp\dll\nCgZpLIR.dll, loader C:\xpemzsxp\bin\JzdihEww.exe
2020-03-24 10:13:49,492 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:49,492 [root] DEBUG: Loader: Injecting process 816 (thread 0) with C:\xpemzsxp\dll\nCgZpLIR.dll.
2020-03-24 10:13:49,492 [root] DEBUG: InjectDll: No thread ID supplied. Initial thread ID 820, handle 0x84
2020-03-24 10:13:49,492 [root] DEBUG: Process image base: 0x00000000FF680000
2020-03-24 10:13:49,507 [root] DEBUG: InjectDllViaIAT: Not a new process, aborting IAT patch
2020-03-24 10:13:49,507 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-03-24 10:13:49,507 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 10:13:49,523 [root] DEBUG: Process dumps enabled.
2020-03-24 10:13:49,523 [root] INFO: Disabling sleep skipping.
2020-03-24 10:13:49,726 [root] WARNING: Unable to place hook on LockResource
2020-03-24 10:13:49,742 [root] WARNING: Unable to hook LockResource
2020-03-24 10:13:49,881 [root] DEBUG: CAPE initialised: 64-bit base package loaded in process 816 at 0x0000000070320000, image base 0x00000000FF680000, stack from 0x0000000002996000-0x00000000029A0000
2020-03-24 10:13:49,881 [root] DEBUG: Commandline: C:\Windows\sysnative\svchost.exe -k netsvcs.
2020-03-24 10:13:49,881 [root] INFO: Added new process to list with pid: 816
2020-03-24 10:13:49,881 [root] INFO: Monitor successfully loaded in process with pid 816.
2020-03-24 10:13:49,881 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-03-24 10:13:49,881 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-03-24 10:13:49,881 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\nCgZpLIR.dll.
2020-03-24 10:13:51,894 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2020-03-24 10:13:52,065 [root] DEBUG: DLL loaded at 0x702A0000: C:\Windows\SysWOW64\taskschd (0x7d000 bytes).
2020-03-24 10:13:52,924 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 976
2020-03-24 10:13:52,940 [root] DEBUG: GetHookCallerBase: thread 1840 (handle 0x0), return address 0x00917569, allocation base 0x00900000.
2020-03-24 10:13:52,940 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00900000.
2020-03-24 10:13:52,940 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 10:13:52,940 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00900000.
2020-03-24 10:13:52,940 [root] DEBUG: DumpProcess: Module entry point VA is 0x00017683.
2020-03-24 10:13:52,954 [root] INFO: Added new CAPE file to list with path: C:\VMhVWoGOo\CAPE\976_151605232012141124232020
2020-03-24 10:13:52,954 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x29e00.
2020-03-24 10:13:52,970 [root] DEBUG: DLL unloaded from 0x77780000.
2020-03-24 10:13:52,970 [root] INFO: Notified of termination of process with pid 976.
2020-03-24 10:13:53,188 [root] INFO: Announced 32-bit process name: vbc.exe pid: 1684
2020-03-24 10:13:53,204 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:53,204 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:53,220 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:53,236 [root] DEBUG: Loader: Injecting process 1684 (thread 1520) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:53,282 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:53,329 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:53,375 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:13:53,423 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:53,423 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1684
2020-03-24 10:13:53,798 [root] INFO: Announced 32-bit process name: vbc.exe pid: 1684
2020-03-24 10:13:53,798 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:53,798 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:53,812 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFB050000 to caller regions list (msvcrt::memcpy).
2020-03-24 10:13:53,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:53,828 [root] DEBUG: Loader: Injecting process 1684 (thread 1520) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:53,828 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:53,828 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:53,828 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:13:53,828 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:53,844 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1684
2020-03-24 10:13:53,907 [root] INFO: Announced 32-bit process name: vbc.exe pid: 912
2020-03-24 10:13:53,907 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFD7E0000 to caller regions list (ntdll::NtCreateFile).
2020-03-24 10:13:53,907 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:53,907 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:54,000 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:54,000 [root] DEBUG: Loader: Injecting process 912 (thread 1312) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,000 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:54,032 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,032 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:13:54,032 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,032 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 912
2020-03-24 10:13:54,032 [root] INFO: Announced 32-bit process name: vbc.exe pid: 912
2020-03-24 10:13:54,046 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:54,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:54,171 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:54,171 [root] DEBUG: Loader: Injecting process 912 (thread 1312) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,219 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:54,219 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,266 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:13:54,266 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,266 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 912
2020-03-24 10:13:54,312 [root] INFO: Announced 32-bit process name: vbc.exe pid: 1868
2020-03-24 10:13:54,358 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:54,358 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:54,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:54,546 [root] DEBUG: Loader: Injecting process 1868 (thread 1920) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,592 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:54,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,687 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:13:54,687 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,687 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1868
2020-03-24 10:13:54,733 [root] INFO: Announced 32-bit process name: vbc.exe pid: 1868
2020-03-24 10:13:54,733 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:54,733 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:54,749 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:54,779 [root] DEBUG: Loader: Injecting process 1868 (thread 1920) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,812 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:54,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,812 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:13:54,812 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1868
2020-03-24 10:13:54,858 [root] INFO: Announced 32-bit process name: vbc.exe pid: 1012
2020-03-24 10:13:54,874 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:54,874 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:54,890 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:54,890 [root] DEBUG: Loader: Injecting process 1012 (thread 1136) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,890 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:54,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:13:54,904 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1012
2020-03-24 10:13:54,921 [root] INFO: Announced 32-bit process name: vbc.exe pid: 1012
2020-03-24 10:13:54,921 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:54,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:54,999 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:54,999 [root] DEBUG: Loader: Injecting process 1012 (thread 1136) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:54,999 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:54,999 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,092 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:13:55,092 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,108 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1012
2020-03-24 10:13:55,124 [root] INFO: Announced 32-bit process name: vbc.exe pid: 812
2020-03-24 10:13:55,154 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:55,154 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:55,295 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:55,295 [root] DEBUG: Loader: Injecting process 812 (thread 1580) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,295 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:55,295 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,342 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:13:55,342 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,342 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 812
2020-03-24 10:13:55,388 [root] INFO: Announced 32-bit process name: vbc.exe pid: 812
2020-03-24 10:13:55,388 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 10:13:55,388 [lib.api.process] INFO: 32-bit DLL to inject is C:\xpemzsxp\dll\KHWdKAw.dll, loader C:\xpemzsxp\bin\zMwooBW.exe
2020-03-24 10:13:55,436 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ngWJOW.
2020-03-24 10:13:55,436 [root] DEBUG: Loader: Injecting process 812 (thread 1580) with C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,436 [root] DEBUG: Process image base: 0x003D0000
2020-03-24 10:13:55,450 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,450 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:13:55,450 [root] DEBUG: Successfully injected DLL C:\xpemzsxp\dll\KHWdKAw.dll.
2020-03-24 10:13:55,467 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 812
2020-03-24 10:13:55,607 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1444
2020-03-24 10:13:55,654 [root] DEBUG: GetHookCallerBase: thread 1044 (handle 0x0), return address 0x00431294, allocation base 0x00430000.
2020-03-24 10:13:55,700 [root] DEBUG: DumpInterestingRegions: Dumping calling region at 0x00430000.
2020-03-24 10:13:55,747 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\VMhVWoGOo\CAPE\1444_14205028915151124232020
2020-03-24 10:13:55,793 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x430000
2020-03-24 10:13:55,809 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00430000 size 0x10000.
2020-03-24 10:13:55,841 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\VMhVWoGOo\CAPE\1444_3787069305151124232020
2020-03-24 10:13:55,857 [root] INFO: Added new CAPE file to list with path: C:\VMhVWoGOo\CAPE\1444_3787069305151124232020
2020-03-24 10:13:55,888 [root] DEBUG: DumpRegion: Dumped stack region from 0x00430000, size 0x6000.
2020-03-24 10:13:55,888 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00E10000.
2020-03-24 10:13:55,888 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E12000
2020-03-24 10:13:55,918 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E68000
2020-03-24 10:13:55,918 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E6A000
2020-03-24 10:13:55,918 [root] DEBUG: LooksLikeSectionBoundary: Exception occured reading around suspected boundary at 0x00E96000
2020-03-24 10:13:55,918 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 10:13:55,934 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00E10000.
2020-03-24 10:13:55,934 [root] DEBUG: DumpProcess: Error - entry point too big: 0x74137cef, ignoring.
2020-03-24 10:13:55,934 [root] DEBUG: DumpProcess: There was a problem reading one or more sections, the dump may be incomplete.
2020-03-24 10:13:56,043 [root] DEBUG: DLL unloaded from 0x76C90000.
2020-03-24 10:13:56,075 [root] DEBUG: DLL unloaded from 0x70E80000.
2020-03-24 10:13:56,091 [root] DEBUG: DLL unloaded from 0x77780000.
2020-03-24 10:13:56,153 [root] DEBUG: DLL unloaded from 0x74F90000.
2020-03-24 10:13:56,184 [root] DEBUG: DLL unloaded from 0x76C90000.
2020-03-24 10:13:56,230 [root] DEBUG: DLL unloaded from 0x74750000.
2020-03-24 10:13:56,278 [root] DEBUG: DLL unloaded from 0x74DF0000.
2020-03-24 10:13:56,278 [root] INFO: Notified of termination of process with pid 1444.
2020-03-24 10:14:08,914 [root] DEBUG: set_caller_info: Adding region at 0x000007FEFA3D0000 to caller regions list (ntdll::NtWaitForSingleObject).
2020-03-24 10:14:21,783 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF7EE0000 to caller regions list (ntdll::NtQueueApcThread).
2020-03-24 10:14:21,783 [root] DEBUG: DLL unloaded from 0x000007FEF7EE0000.
2020-03-24 10:14:41,813 [root] DEBUG: set_caller_info: Adding region at 0x000007FEF4270000 to caller regions list (kernel32::GetSystemTimeAsFileTime).
2020-03-24 10:16:59,967 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 10:16:59,967 [root] INFO: Created shutdown mutex.
2020-03-24 10:17:00,982 [root] INFO: Shutting down package.
2020-03-24 10:17:00,982 [root] INFO: Stopping auxiliary modules.
2020-03-24 10:17:00,982 [root] INFO: Finishing auxiliary modules.
2020-03-24 10:17:00,982 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 10:17:00,982 [root] WARNING: File at path "C:\VMhVWoGOo\debugger" does not exist, skip.
2020-03-24 10:17:00,982 [root] WARNING: Monitor injection attempted but failed for process 1684.
2020-03-24 10:17:00,982 [root] WARNING: Monitor injection attempted but failed for process 912.
2020-03-24 10:17:00,982 [root] WARNING: Monitor injection attempted but failed for process 1868.
2020-03-24 10:17:00,982 [root] WARNING: Monitor injection attempted but failed for process 1012.
2020-03-24 10:17:00,982 [root] WARNING: Monitor injection attempted but failed for process 812.
2020-03-24 10:17:00,982 [root] INFO: Analysis completed.

MalScore: 10.0 (Malicious)

Machine

Name: target-04
Label: target-04
Manager: ESX
Started On: 2020-03-24 10:13:15
Shutdown On: 2020-03-24 10:17:18

File Details

File Name 4a6d39c3ae498c2a17d6ede7361ed53c09722a52b2f2a47cf0e9561c860e4054
File Size 524800 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 6ff17990285074461912af748e758a7a
SHA1 046d68ca1147af82045037a9ba98097bc274b2b7
SHA256 4a6d39c3ae498c2a17d6ede7361ed53c09722a52b2f2a47cf0e9561c860e4054
SHA512 2cbdb53af8b9c1f9a2098af812b78df8a7332126c5b8756393e784cd801c06f6e76cc7635f78daf32ab2ccd5fc6d6f6a50ff8e4442a067a46dc39141e19453c4
CRC32 CC7CB6F1
Ssdeep 6144:qt8RvskcN4ZfqRPsbJ19DMgJyxtyc916dWdWUAHzZxOXzt/LEgSh/iEExV6WC:sEd6Yeg2yXdWdWUKZxuMdiEO
TrID
  • 44.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73294/58/13)
  • 18.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 16.8% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 7.9% (.SCR) Windows screen saver (13101/52/3)
  • 4.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: 9Q8Xfdz3NC.exe, PID 1444
Guard pages use detected - possible anti-debugging.
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: MSCOREE.DLL/
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: mscoreei.dll/RegisterShimImplCallback
DynamicLoader: mscoreei.dll/RegisterShimImplCleanupCallback
DynamicLoader: mscoreei.dll/SetShellShimInstance
DynamicLoader: mscoreei.dll/OnShimDllMainCalled
DynamicLoader: mscoreei.dll/_CorExeMain_RetAddr
DynamicLoader: mscoreei.dll/_CorExeMain
DynamicLoader: SHLWAPI.dll/UrlIsW
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: clr.dll/SetRuntimeInfo
DynamicLoader: clr.dll/_CorExeMain
DynamicLoader: KERNEL32.dll/GetCurrentPackageId
DynamicLoader: MSCOREE.DLL/CreateConfigStream
DynamicLoader: mscoreei.dll/CreateConfigStream_RetAddr
DynamicLoader: mscoreei.dll/CreateConfigStream
DynamicLoader: KERNEL32.dll/GetNumaHighestNodeNumber
DynamicLoader: KERNEL32.dll/FlsSetValue
DynamicLoader: KERNEL32.dll/FlsGetValue
DynamicLoader: KERNEL32.dll/FlsAlloc
DynamicLoader: KERNEL32.dll/FlsFree
DynamicLoader: KERNEL32.dll/SetThreadStackGuarantee
DynamicLoader: MSCOREE.DLL/CLRCreateInstance
DynamicLoader: mscoreei.dll/CLRCreateInstance
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: KERNEL32.dll/IsWow64Process
DynamicLoader: KERNEL32.dll/GetSystemWindowsDirectoryW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/AddSIDToBoundaryDescriptor
DynamicLoader: KERNEL32.dll/CreateBoundaryDescriptorW
DynamicLoader: KERNEL32.dll/CreatePrivateNamespaceW
DynamicLoader: KERNEL32.dll/OpenPrivateNamespaceW
DynamicLoader: ADVAPI32.dll/AllocateAndInitializeSid
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/InitializeAcl
DynamicLoader: ADVAPI32.dll/AddAccessAllowedAce
DynamicLoader: ADVAPI32.dll/FreeSid
DynamicLoader: KERNEL32.dll/DeleteBoundaryDescriptor
DynamicLoader: KERNEL32.dll/WerRegisterRuntimeExceptionModule
DynamicLoader: KERNEL32.dll/RaiseException
DynamicLoader: KERNEL32.dll/AddVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredExceptionHandler
DynamicLoader: KERNEL32.dll/AddVectoredContinueHandler
DynamicLoader: KERNEL32.dll/RemoveVectoredContinueHandler
DynamicLoader: MSCOREE.DLL/
DynamicLoader: mscoreei.dll/
DynamicLoader: KERNELBASE.dll/SetSystemFileCacheSize
DynamicLoader: ntdll.dll/NtSetSystemInformation
DynamicLoader: KERNELBASE.dll/PrivIsDllSynchronizationHeld
DynamicLoader: KERNEL32.dll/AddDllDirectory
DynamicLoader: KERNEL32.dll/GetWriteWatch
DynamicLoader: KERNEL32.dll/ResetWriteWatch
DynamicLoader: KERNEL32.dll/CreateMemoryResourceNotification
DynamicLoader: KERNEL32.dll/QueryMemoryResourceNotification
DynamicLoader: KERNEL32.dll/SortGetHandle
DynamicLoader: KERNEL32.dll/SortCloseHandle
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoGetContextToken
DynamicLoader: clrjit.dll/sxsJitStartup
DynamicLoader: clrjit.dll/getJit
DynamicLoader: KERNEL32.dll/QueryThreadCycleTime
DynamicLoader: MSCOREE.DLL/GetProcessExecutableHeap
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap_RetAddr
DynamicLoader: mscoreei.dll/GetProcessExecutableHeap
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetFullPathName
DynamicLoader: KERNEL32.dll/GetFullPathNameW
DynamicLoader: uxtheme.dll/IsAppThemed
DynamicLoader: uxtheme.dll/IsAppThemedW
DynamicLoader: KERNEL32.dll/CreateActCtx
DynamicLoader: KERNEL32.dll/CreateActCtxA
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: USER32.dll/RegisterWindowMessage
DynamicLoader: USER32.dll/RegisterWindowMessageW
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: KERNEL32.dll/LoadLibrary
DynamicLoader: KERNEL32.dll/LoadLibraryW
DynamicLoader: USER32.dll/AdjustWindowRectEx
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentThread
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: KERNEL32.dll/GetCurrentThreadId
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: KERNEL32.dll/WideCharToMultiByte
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: KERNEL32.dll/GetLocaleInfoEx
DynamicLoader: KERNEL32.dll/LocaleNameToLCID
DynamicLoader: KERNEL32.dll/GetUserDefaultLocaleName
DynamicLoader: KERNEL32.dll/LCIDToLocaleName
DynamicLoader: KERNEL32.dll/GetUserPreferredUILanguages
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/GetWindowLong
DynamicLoader: USER32.dll/GetWindowLongW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: nlssorting.dll/SortGetHandle
DynamicLoader: nlssorting.dll/SortCloseHandle
DynamicLoader: ADVAPI32.dll/RegOpenKeyEx
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueEx
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/CallWindowProc
DynamicLoader: USER32.dll/CallWindowProcW
DynamicLoader: USER32.dll/GetClientRect
DynamicLoader: USER32.dll/GetWindowRect
DynamicLoader: USER32.dll/GetParent
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: ADVAPI32.dll/EventRegister
DynamicLoader: USER32.dll/GetProcessWindowStation
DynamicLoader: USER32.dll/GetUserObjectInformation
DynamicLoader: USER32.dll/GetUserObjectInformationA
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandler
DynamicLoader: KERNEL32.dll/SetConsoleCtrlHandlerW
DynamicLoader: KERNEL32.dll/GetModuleHandle
DynamicLoader: KERNEL32.dll/GetModuleHandleW
DynamicLoader: USER32.dll/GetClassInfo
DynamicLoader: USER32.dll/GetClassInfoW
DynamicLoader: USER32.dll/RegisterClass
DynamicLoader: USER32.dll/RegisterClassW
DynamicLoader: USER32.dll/CreateWindowEx
DynamicLoader: USER32.dll/CreateWindowExW
DynamicLoader: USER32.dll/DefWindowProc
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/GetSysColor
DynamicLoader: USER32.dll/GetSysColorW
DynamicLoader: gdiplus.dll/GdiplusStartup
DynamicLoader: KERNEL32.dll/IsProcessorFeaturePresent
DynamicLoader: USER32.dll/GetWindowInfo
DynamicLoader: USER32.dll/GetAncestor
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: GDI32.dll/ExtTextOutW
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromStream
DynamicLoader: WindowsCodecs.dll/DllGetClassObject
DynamicLoader: KERNEL32.dll/WerRegisterMemoryBlock
DynamicLoader: gdiplus.dll/GdipImageForceValidation
DynamicLoader: gdiplus.dll/GdipGetImageRawFormat
DynamicLoader: gdiplus.dll/GdipGetImageHeight
DynamicLoader: gdiplus.dll/GdipGetImageWidth
DynamicLoader: gdiplus.dll/GdipBitmapGetPixel
DynamicLoader: gdiplus.dll/GdipCreateBitmapFromScan0
DynamicLoader: gdiplus.dll/GdipGetImagePixelFormat
DynamicLoader: gdiplus.dll/GdipGetImageGraphicsContext
DynamicLoader: gdiplus.dll/GdipGraphicsClear
DynamicLoader: gdiplus.dll/GdipCreateImageAttributes
DynamicLoader: gdiplus.dll/GdipSetImageAttributesColorKeys
DynamicLoader: gdiplus.dll/GdipDrawImageRectRectI
DynamicLoader: gdiplus.dll/GdipDisposeImageAttributes
DynamicLoader: gdiplus.dll/GdipDeleteGraphics
DynamicLoader: gdiplus.dll/GdipDisposeImage
DynamicLoader: USER32.dll/SystemParametersInfo
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/GetDC
DynamicLoader: gdiplus.dll/GdipCreateFontFromLogfontW
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: KERNEL32.dll/RegOpenKeyExW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyA
DynamicLoader: KERNEL32.dll/RegCloseKey
DynamicLoader: KERNEL32.dll/RegCreateKeyExW
DynamicLoader: KERNEL32.dll/RegQueryValueExW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: MSCOREE.DLL/ND_RI2
DynamicLoader: mscoreei.dll/ND_RI2_RetAddr
DynamicLoader: mscoreei.dll/ND_RI2
DynamicLoader: MSCOREE.DLL/ND_RU1
DynamicLoader: mscoreei.dll/ND_RU1_RetAddr
DynamicLoader: mscoreei.dll/ND_RU1
DynamicLoader: gdiplus.dll/GdipGetFontUnit
DynamicLoader: gdiplus.dll/GdipGetFontSize
DynamicLoader: gdiplus.dll/GdipGetFontStyle
DynamicLoader: gdiplus.dll/GdipGetFamily
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: gdiplus.dll/GdipCreateFromHDC
DynamicLoader: gdiplus.dll/GdipGetDpiY
DynamicLoader: gdiplus.dll/GdipGetFontHeight
DynamicLoader: gdiplus.dll/GdipGetEmHeight
DynamicLoader: gdiplus.dll/GdipGetLineSpacing
DynamicLoader: gdiplus.dll/GdipCreateFont
DynamicLoader: USER32.dll/SystemParametersInfo
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCID
DynamicLoader: KERNEL32.dll/GetSystemDefaultLCIDW
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: KERNEL32.dll/RegEnumValueW
DynamicLoader: KERNEL32.dll/RegQueryInfoKeyW
DynamicLoader: gdiplus.dll/GdipDeleteFont
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipGetFamilyName
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/GetCurrentObject
DynamicLoader: GDI32.dll/SaveDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/CreateFontIndirect
DynamicLoader: GDI32.dll/CreateFontIndirectW
DynamicLoader: GDI32.dll/GetObject
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/GetMapMode
DynamicLoader: GDI32.dll/GetTextMetricsW
DynamicLoader: USER32.dll/DrawTextExW
DynamicLoader: USER32.dll/DrawTextExWW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/GetMonitorInfo
DynamicLoader: USER32.dll/GetMonitorInfoW
DynamicLoader: GDI32.dll/CreateDC
DynamicLoader: GDI32.dll/CreateDCW
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: USER32.dll/GetDoubleClickTime
DynamicLoader: USER32.dll/UpdateWindow
DynamicLoader: OLEAUT32.dll/
DynamicLoader: gdiplus.dll/GdipGetDC
DynamicLoader: comctl32.dll/InitCommonControls
DynamicLoader: comctl32.dll/ImageList_Create
DynamicLoader: comctl32.dll/ImageList_SetBkColor
DynamicLoader: gdiplus.dll/GdipBitmapLockBits
DynamicLoader: gdiplus.dll/GdipBitmapUnlockBits
DynamicLoader: GDI32.dll/CreateBitmap
DynamicLoader: gdiplus.dll/GdipCreateHBITMAPFromBitmap
DynamicLoader: USER32.dll/GetDC
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/SetBkColor
DynamicLoader: GDI32.dll/SetTextColor
DynamicLoader: GDI32.dll/BitBlt
DynamicLoader: comctl32.dll/ImageList_Add
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: comctl32.dll/ImageList_DrawEx
DynamicLoader: gdiplus.dll/GdipReleaseDC
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: KERNEL32.dll/CompareStringOrdinal
DynamicLoader: KERNEL32.dll/SetThreadErrorMode
DynamicLoader: KERNEL32.dll/GetFileAttributesEx
DynamicLoader: KERNEL32.dll/GetFileAttributesExW
DynamicLoader: KERNEL32.dll/ResolveLocaleName
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: USER32.dll/CreateIconFromResourceEx
DynamicLoader: gdiplus.dll/GdipLoadImageFromStream
DynamicLoader: gdiplus.dll/GdipGetImageType
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/GetNativeSystemInfo
DynamicLoader: KERNEL32.dll/OpenMutex
DynamicLoader: KERNEL32.dll/OpenMutexW
DynamicLoader: KERNEL32.dll/ReleaseMutex
DynamicLoader: KERNEL32.dll/CreateMutex
DynamicLoader: KERNEL32.dll/CreateMutexW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: shell32.dll/SHGetFolderPath
DynamicLoader: shell32.dll/SHGetFolderPathW
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: ADVAPI32.dll/SetNamedSecurityInfoW
DynamicLoader: ntmarta.dll/GetMartaExtensionInterface
DynamicLoader: KERNEL32.dll/CopyFile
DynamicLoader: KERNEL32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/GetUserName
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: KERNEL32.dll/SetFileAttributes
DynamicLoader: KERNEL32.dll/SetFileAttributesW
DynamicLoader: ADVAPI32.dll/LsaClose
DynamicLoader: ADVAPI32.dll/LsaFreeMemory
DynamicLoader: ADVAPI32.dll/LsaOpenPolicy
DynamicLoader: ADVAPI32.dll/LsaLookupNames2
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/GetCurrentProcessW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: KERNEL32.dll/LocalFree
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetTokenInformationW
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: KERNEL32.dll/LocalAllocW
DynamicLoader: ADVAPI32.dll/LsaLookupSids
DynamicLoader: KERNEL32.dll/GetTempPath
DynamicLoader: KERNEL32.dll/GetTempPathW
DynamicLoader: KERNEL32.dll/GetTempFileName
DynamicLoader: KERNEL32.dll/GetTempFileNameW
DynamicLoader: KERNEL32.dll/CreateFile
DynamicLoader: KERNEL32.dll/CreateFileW
DynamicLoader: KERNEL32.dll/GetFileType
DynamicLoader: KERNEL32.dll/WriteFile
DynamicLoader: KERNEL32.dll/LocalAlloc
DynamicLoader: shell32.dll/ShellExecuteEx
DynamicLoader: shell32.dll/ShellExecuteExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: KERNEL32.dll/GetCurrentProcess
DynamicLoader: KERNEL32.dll/DuplicateHandle
DynamicLoader: ole32.dll/CoWaitForMultipleHandles
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: KERNEL32.dll/DeleteFile
DynamicLoader: KERNEL32.dll/DeleteFileW
DynamicLoader: KERNEL32.dll/CreateProcess
DynamicLoader: KERNEL32.dll/CreateProcessW
DynamicLoader: KERNEL32.dll/GetThreadContext
DynamicLoader: KERNEL32.dll/ReadProcessMemory
DynamicLoader: KERNEL32.dll/VirtualAllocEx
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValue
DynamicLoader: ADVAPI32.dll/LookupPrivilegeValueW
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/OpenProcessTokenW
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivileges
DynamicLoader: ADVAPI32.dll/AdjustTokenPrivilegesW
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: PSAPI.DLL/EnumProcesses
DynamicLoader: PSAPI.DLL/EnumProcessesW
DynamicLoader: KERNEL32.dll/OpenProcess
DynamicLoader: KERNEL32.dll/OpenProcessW
DynamicLoader: KERNEL32.dll/TerminateProcess
DynamicLoader: KERNEL32.dll/TerminateProcessW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: USER32.dll/UnregisterClass
DynamicLoader: USER32.dll/UnregisterClassW
DynamicLoader: USER32.dll/IsWindow
DynamicLoader: KERNEL32.dll/GetProcAddress
DynamicLoader: USER32.dll/DefWindowProcW
DynamicLoader: USER32.dll/SetWindowLong
DynamicLoader: USER32.dll/SetWindowLongW
DynamicLoader: USER32.dll/SetClassLong
DynamicLoader: USER32.dll/SetClassLongW
DynamicLoader: USER32.dll/DestroyWindow
DynamicLoader: USER32.dll/DestroyWindowW
DynamicLoader: USER32.dll/PostMessage
DynamicLoader: USER32.dll/PostMessageW
DynamicLoader: comctl32.dll/ImageList_Destroy
DynamicLoader: USER32.dll/DestroyIcon
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/RestoreDC
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: ADVAPI32.dll/EventUnregister
DynamicLoader: KERNEL32.dll/CloseHandle
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: comctl32.dll/
DynamicLoader: KERNEL32.dll/CreateActCtxW
DynamicLoader: KERNEL32.dll/AddRefActCtx
DynamicLoader: KERNEL32.dll/ReleaseActCtx
DynamicLoader: KERNEL32.dll/ActivateActCtx
DynamicLoader: KERNEL32.dll/DeactivateActCtx
DynamicLoader: KERNEL32.dll/GetCurrentActCtx
DynamicLoader: KERNEL32.dll/QueryActCtxW
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: SspiCli.dll/GetUserNameExW
DynamicLoader: ole32.dll/CoTaskMemAlloc
A process created a hidden window
Process: 9Q8Xfdz3NC.exe -> schtasks.exe
CAPE extracted potentially suspicious content
9Q8Xfdz3NC.exe: Extracted Shellcode
The binary contains an unknown PE section name indicative of packing
unknown section: name: .sdata, entropy: 6.61, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00000200, virtual_size: 0x000001e8
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 7.51, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00054e00, virtual_size: 0x00054de4
Uses Windows utilities for basic functionality
command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xPVgBllqedb" /XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp"
command: schtasks.exe /Create /TN "Updates\xPVgBllqedb" /XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp"
Creates a hidden or system file
file: C:\Users\user\AppData\Roaming\xPVgBllqedb.exe
Creates a copy of itself
copy: C:\Users\user\AppData\Roaming\xPVgBllqedb.exe

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe.config
C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR110_CLR0400.dll
C:\Windows\System32\MSVCR110_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll.aux
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\FuDxiYFfst\*
C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\ahronbd.ttf
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\OLEAUT32.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll
C:\Users\user\AppData\Local\Temp\en-US\FuDxiYFfst.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\FuDxiYFfst.resources\FuDxiYFfst.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\FuDxiYFfst.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\FuDxiYFfst.resources\FuDxiYFfst.resources.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\en\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Users\user\AppData\Local\Temp\en\FuDxiYFfst.resources.dll
C:\Users\user\AppData\Local\Temp\en\FuDxiYFfst.resources\FuDxiYFfst.resources.dll
C:\Users\user\AppData\Local\Temp\en\FuDxiYFfst.resources.exe
C:\Users\user\AppData\Local\Temp\en\FuDxiYFfst.resources\FuDxiYFfst.resources.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Users\user\AppData\Local\Temp\en-US\ReZer0V4.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\ReZer0V4.resources\ReZer0V4.resources.dll
C:\Users\user\AppData\Local\Temp\en-US\ReZer0V4.resources.exe
C:\Users\user\AppData\Local\Temp\en-US\ReZer0V4.resources\ReZer0V4.resources.exe
C:\Users\user\AppData\Local\Temp\en\ReZer0V4.resources.dll
C:\Users\user\AppData\Local\Temp\en\ReZer0V4.resources\ReZer0V4.resources.dll
C:\Users\user\AppData\Local\Temp\en\ReZer0V4.resources.exe
C:\Users\user\AppData\Local\Temp\en\ReZer0V4.resources\ReZer0V4.resources.exe
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Users\user\AppData\Roaming\xPVgBllqedb.exe
C:\Users\user\AppData\Roaming\
C:\Users\user\AppData\Local\Temp\tmpE456.tmp
\??\MountPointManager
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\psapi.dll
C:\Windows\sysnative\Tasks
C:\Windows\sysnative\Tasks\*
C:\Windows\sysnative\Tasks\Updates\xPVgBllqedb
C:\Windows\sysnative\Tasks\Updates
C:\Windows\sysnative\Tasks\Updates\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\
C:\Windows\Microsoft.NET\Framework\v4.0.30319\*.*
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ui\SwDRM.dll
\Device\LanmanDatagramReceiver
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe.config
C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR110_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\045c9588954c3662d542b53f4462268b\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\79f6324a598a7c4446a4a1168be7c4b1\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\c4477b3ce64d0d612d1ab0dba425b77f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\05ca0ca95b6fcc0d710b63b6200cc178\System.Windows.Forms.ni.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Windows\Fonts\segoeui.ttf
C:\Windows\Fonts\segoeuib.ttf
C:\Windows\Fonts\segoeuii.ttf
C:\Windows\Fonts\segoeuiz.ttf
C:\Windows\Fonts\tahoma.ttf
C:\Windows\Fonts\msjh.ttf
C:\Windows\Fonts\msyh.ttf
C:\Windows\Fonts\malgun.ttf
C:\Windows\Fonts\micross.ttf
C:\Windows\Fonts\staticcache.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\4e69f1e7d86d79012db2d7e0dadc8880\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\65f7c6dcc498c7157f0ef5b72824d60a\Microsoft.VisualBasic.ni.dll
C:\Users\user\AppData\Local\Temp\tmpE456.tmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
C:\Windows\AppPatch\sysmain.sdb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\
\Device\LanmanDatagramReceiver
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
C:\Users\user\AppData\Roaming\xPVgBllqedb.exe
C:\Users\user\AppData\Local\Temp\tmpE456.tmp
\Device\LanmanDatagramReceiver
C:\Users\user\AppData\Local\Temp\tmpE456.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\9Q8Xfdz3NC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|9Q8Xfdz3NC.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|9Q8Xfdz3NC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|AppData|Local|Temp|9Q8Xfdz3NC.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-120665959-548228820-2376508522-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\9Q8Xfdz3NC.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\76F7D5AA
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbc.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_CURRENT_USER\Software\Classes\AppID\schtasks.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\xPVgBllqedb
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\xPVgBllqedb\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\xPVgBllqedb\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\DynamicInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\vbc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM\RepositoryRestoreInProgress
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{3abfb8f2-2ffd-11e7-a4cf-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cc-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{5e1375cd-b5ba-11e3-a2f5-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\76F7D5AA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\SchedulingEngineKnob
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\DynamicInfo
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MMCSS\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Hash
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\xPVgBllqedb\Id
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updates\xPVgBllqedb\Index
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\Triggers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD1845E7-73A2-4256-8FDE-7ECEBF4A9B9E}\DynamicInfo
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.SetThreadStackGuarantee
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
shlwapi.dll.PathFindFileNameW
kernel32.dll.IsWow64Process
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
kernel32.dll.AddVectoredExceptionHandler
kernel32.dll.RemoveVectoredExceptionHandler
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.QueryThreadCycleTime
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.GetFullPathNameW
uxtheme.dll.IsAppThemed
kernel32.dll.CreateActCtxA
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
user32.dll.RegisterWindowMessageW
user32.dll.GetSystemMetrics
kernel32.dll.GetModuleHandleW
kernel32.dll.LoadLibraryW
user32.dll.AdjustWindowRectEx
kernel32.dll.GetCurrentProcess
kernel32.dll.GetCurrentThread
kernel32.dll.DuplicateHandle
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.GetProcAddress
kernel32.dll.WideCharToMultiByte
user32.dll.DefWindowProcW
gdi32.dll.GetStockObject
kernel32.dll.GetLocaleInfoEx
kernel32.dll.LocaleNameToLCID
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
user32.dll.RegisterClassW
user32.dll.CreateWindowExW
user32.dll.SetWindowLongW
user32.dll.GetWindowLongW
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
user32.dll.CallWindowProcW
user32.dll.GetClientRect
user32.dll.GetWindowRect
user32.dll.GetParent
kernel32.dll.DeactivateActCtx
advapi32.dll.EventRegister
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationA
kernel32.dll.SetConsoleCtrlHandler
user32.dll.GetClassInfoW
user32.dll.GetSysColor
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipBitmapGetPixel
gdiplus.dll.GdipCreateBitmapFromScan0
gdiplus.dll.GdipGetImagePixelFormat
gdiplus.dll.GdipGetImageGraphicsContext
gdiplus.dll.GdipGraphicsClear
gdiplus.dll.GdipCreateImageAttributes
gdiplus.dll.GdipSetImageAttributesColorKeys
gdiplus.dll.GdipDrawImageRectRectI
gdiplus.dll.GdipDisposeImageAttributes
gdiplus.dll.GdipDeleteGraphics
gdiplus.dll.GdipDisposeImage
user32.dll.SystemParametersInfoW
user32.dll.GetDC
gdiplus.dll.GdipCreateFontFromLogfontW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegQueryInfoKeyA
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegQueryValueExW
mscoree.dll.ND_RI2
mscoreei.dll.ND_RI2
mscoree.dll.ND_RU1
mscoreei.dll.ND_RU1
gdiplus.dll.GdipGetFontUnit
gdiplus.dll.GdipGetFontSize
gdiplus.dll.GdipGetFontStyle
gdiplus.dll.GdipGetFamily
user32.dll.ReleaseDC
gdiplus.dll.GdipCreateFromHDC
gdiplus.dll.GdipGetDpiY
gdiplus.dll.GdipGetFontHeight
gdiplus.dll.GdipGetEmHeight
gdiplus.dll.GdipGetLineSpacing
gdiplus.dll.GdipCreateFont
kernel32.dll.GetSystemDefaultLCID
gdi32.dll.GetObjectW
kernel32.dll.RegEnumValueW
kernel32.dll.RegQueryInfoKeyW
gdiplus.dll.GdipDeleteFont
oleaut32.dll.#204
gdiplus.dll.GdipGetFamilyName
gdi32.dll.CreateCompatibleDC
gdi32.dll.GetCurrentObject
gdi32.dll.SaveDC
gdi32.dll.GetDeviceCaps
gdi32.dll.CreateFontIndirectW
gdi32.dll.SelectObject
gdi32.dll.GetMapMode
gdi32.dll.GetTextMetricsW
user32.dll.DrawTextExW
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
user32.dll.MonitorFromRect
user32.dll.GetMonitorInfoW
gdi32.dll.CreateDCW
gdi32.dll.DeleteDC
user32.dll.GetDoubleClickTime
user32.dll.UpdateWindow
oleaut32.dll.#194
gdiplus.dll.GdipGetDC
comctl32.dll.InitCommonControls
comctl32.dll.ImageList_Create
comctl32.dll.ImageList_SetBkColor
gdiplus.dll.GdipBitmapLockBits
gdiplus.dll.GdipBitmapUnlockBits
gdi32.dll.CreateBitmap
gdiplus.dll.GdipCreateHBITMAPFromBitmap
gdi32.dll.SetBkColor
gdi32.dll.SetTextColor
gdi32.dll.BitBlt
comctl32.dll.ImageList_Add
gdi32.dll.DeleteObject
comctl32.dll.ImageList_DrawEx
gdiplus.dll.GdipReleaseDC
oleaut32.dll.#220
oleaut32.dll.#179
kernel32.dll.CompareStringOrdinal
kernel32.dll.SetThreadErrorMode
kernel32.dll.GetFileAttributesExW
kernel32.dll.ResolveLocaleName
user32.dll.CreateIconFromResourceEx
gdiplus.dll.GdipLoadImageFromStream
gdiplus.dll.GdipGetImageType
kernel32.dll.OpenMutexW
kernel32.dll.ReleaseMutex
kernel32.dll.CreateMutexW
kernel32.dll.CloseHandle
shell32.dll.SHGetFolderPathW
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.SetNamedSecurityInfoW
ntmarta.dll.GetMartaExtensionInterface
kernel32.dll.CopyFileW
advapi32.dll.GetUserNameW
kernel32.dll.SetFileAttributesW
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupNames2
kernel32.dll.LocalFree
kernel32.dll.LocalAlloc
advapi32.dll.LsaLookupSids
kernel32.dll.GetTempPathW
kernel32.dll.GetTempFileNameW
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
shell32.dll.ShellExecuteEx
shell32.dll.ShellExecuteExW
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#332
comctl32.dll.#386
ole32.dll.CoWaitForMultipleHandles
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
kernel32.dll.DeleteFileW
kernel32.dll.CreateProcessW
kernel32.dll.GetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.VirtualAllocEx
advapi32.dll.LookupPrivilegeValueW
psapi.dll.EnumProcesses
kernel32.dll.OpenProcess
kernel32.dll.TerminateProcess
user32.dll.SetClassLongW
user32.dll.PostMessageW
user32.dll.UnregisterClassW
user32.dll.IsWindow
user32.dll.DestroyWindow
comctl32.dll.ImageList_Destroy
user32.dll.DestroyIcon
gdi32.dll.RestoreDC
advapi32.dll.EventUnregister
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.QueryActCtxW
cryptsp.dll.CryptReleaseContext
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
sspicli.dll.GetUserNameExW
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xPVgBllqedb" /XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp"
schtasks.exe /Create /TN "Updates\xPVgBllqedb" /XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp"
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "{path}"
EvJcpLVdAxojaBZiycPp
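The resolved-API list above is a runtime excerpt (it starts mid-list), so reading it by hand is error-prone. The script below is an added triage helper, not part of the CAPE report or its signatures: it groups the API names copied from the excerpt into behaviour clusters a responder cares about (RunPE/hollowing staging, self-copy plus attribute hiding, temp-drop-and-launch, mutex, privilege adjustment) and says which clusters are fully present. The cluster tables are this example's own assumed groupings; a cluster reported as partial may only mean the missing API is above the excerpt, which is why CAPE's injection_runpe / InjectionProcessHollowing signatures evaluate the full trace rather than a list.

```python
"""Added triage helper (not from the CAPE report): classify runtime-resolved
APIs into behaviour clusters. API names are copied from the report excerpt;
the cluster groupings are this example's own assumptions, not CAPE signatures."""
from typing import Dict, List, Set

# Runtime-resolved APIs copied from the report's resolved-API list (excerpt only).
RESOLVED_APIS: List[str] = [
    "kernel32.dll.CreateMutexW", "kernel32.dll.OpenMutexW",
    "kernel32.dll.CopyFileW", "kernel32.dll.SetFileAttributesW",
    "advapi32.dll.AdjustTokenPrivileges", "advapi32.dll.LookupPrivilegeValueW",
    "kernel32.dll.GetTempPathW", "kernel32.dll.GetTempFileNameW",
    "kernel32.dll.WriteFile", "shell32.dll.ShellExecuteExW",
    "kernel32.dll.CreateProcessW", "kernel32.dll.GetThreadContext",
    "kernel32.dll.ReadProcessMemory", "kernel32.dll.VirtualAllocEx",
    "psapi.dll.EnumProcesses", "kernel32.dll.OpenProcess",
    "kernel32.dll.TerminateProcess", "cryptsp.dll.CryptGenRandom",
    "kernel32.dll.DeleteFileW",
]

# Behaviour clusters (assumed groupings). A cluster counts as "complete" only
# when every member API was resolved; anything less is a partial hint.
CLUSTERS: Dict[str, Set[str]] = {
    # Classic RunPE / process hollowing needs all of these to stage and resume
    # a payload inside a suspended child process.
    "process_hollowing": {
        "CreateProcessW", "GetThreadContext", "SetThreadContext",
        "VirtualAllocEx", "WriteProcessMemory", "ResumeThread",
    },
    "read_remote_memory": {"OpenProcess", "ReadProcessMemory"},
    "enumerate_kill_processes": {"EnumProcesses", "OpenProcess", "TerminateProcess"},
    "copy_self_and_hide": {"CopyFileW", "SetFileAttributesW"},
    "drop_temp_and_launch": {"GetTempPathW", "GetTempFileNameW", "WriteFile", "ShellExecuteExW"},
    "single_instance_mutex": {"CreateMutexW"},
    "privilege_adjust": {"LookupPrivilegeValueW", "AdjustTokenPrivileges"},
}


def bare_names(resolved: List[str]) -> Set[str]:
    """'kernel32.dll.CopyFileW' -> 'CopyFileW' (drop the module prefix)."""
    return {entry.rsplit(".", 1)[-1] for entry in resolved}


def match_clusters(resolved: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """For every cluster, list which member APIs were seen and which were not."""
    seen = bare_names(resolved)
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, members in CLUSTERS.items():
        report[name] = {
            "present": sorted(members & seen),
            "missing": sorted(members - seen),
        }
    return report


def complete_clusters(resolved: List[str]) -> List[str]:
    """Clusters whose every API was resolved: the strong findings."""
    return sorted(name for name, r in match_clusters(resolved).items() if not r["missing"])


if __name__ == "__main__":
    for name, r in match_clusters(RESOLVED_APIS).items():
        status = "COMPLETE" if not r["missing"] else "partial"
        print(f"{name:26s} {status:8s} present={r['present']} missing={r['missing']}")
```

On this excerpt the hollowing cluster stays partial (no SetThreadContext, WriteProcessMemory or ResumeThread in view) while the self-copy, temp-drop-and-launch, mutex and privilege clusters are complete, which lines up with the schtasks.exe child and the copy dropped under AppData\Roaming further down the report.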

PE Information

Image Base 0x00400000
Entry Point 0x00456dde
Reported Checksum 0x00000000
Actual Checksum 0x00081fed
Minimum OS Version 4.0
Compile Time 2020-03-03 07:42:23
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00002000 0x00054de4 0x00054e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.51
.sdata 0x00058000 0x000001e8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.61
.rsrc 0x0005a000 0x0002ab6c 0x0002ac00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.67
.reloc 0x00086000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10
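The section table is the quickest static tell here: an executable .text at entropy 7.51 in a .NET assembly (where .text carries the IL, metadata and embedded managed resources) is consistent with the ConfuserEx string found later in the report. The script below is an added example, not CAPE's own code: it parses the table rows copied from above, flags executable sections above an assumed entropy threshold, and includes a Shannon entropy routine on the same 0-8 bits-per-byte scale so the check can be re-run on raw section bytes instead of the report's column. The 7.0 threshold is an assumption; legitimately compressed resources and large string tables will also score high, so treat it as a triage hint, not a verdict.

```python
"""Added static-triage example (not from the CAPE report): parse a PE section
table and flag high-entropy executable sections. Table rows are copied from
the report; the entropy threshold is this example's assumption."""
import math
from dataclasses import dataclass
from typing import List

# Section table exactly as printed in the report:
# name, virtual address, virtual size, raw size, characteristics, entropy.
SECTION_TABLE = """\
.text 0x00002000 0x00054de4 0x00054e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 7.51
.sdata 0x00058000 0x000001e8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 6.61
.rsrc 0x0005a000 0x0002ab6c 0x0002ac00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.67
.reloc 0x00086000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.10
"""

HIGH_ENTROPY = 7.0  # assumed threshold: above this a section looks compressed/encrypted


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: List[str]
    entropy: float

    @property
    def executable(self) -> bool:
        return "IMAGE_SCN_MEM_EXECUTE" in self.characteristics


def parse_section_table(text: str) -> List[Section]:
    """Parse the report's whitespace-separated section rows."""
    sections: List[Section] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, va, vsize, rawsize, flags, entropy = line.split()
        sections.append(Section(
            name, int(va, 16), int(vsize, 16), int(rawsize, 16),
            flags.split("|"), float(entropy),
        ))
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0), the same scale as CAPE's entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_sections(sections: List[Section], threshold: float = HIGH_ENTROPY) -> List[str]:
    """Names of executable sections whose entropy is at or above the threshold."""
    return [s.name for s in sections if s.executable and s.entropy >= threshold]


if __name__ == "__main__":
    secs = parse_section_table(SECTION_TABLE)
    for s in secs:
        print(f"{s.name:7s} exec={s.executable!s:5s} entropy={s.entropy:.2f}")
    print("high-entropy executable sections:", suspicious_sections(secs))
```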

Imports

Library mscoree.dll:
0x402000 _CorExeMain

.text
`.sdata
.rsrc
@.reloc
\ca8p
]ka8]
.5a8)
@ZksQ
^Za80
HUZa8g
i@[o|
$@[oz
4Za8}
</a8`
}%&8`
4@[]#
v4.0.30319
#Strings
#GUlD
#Blop
#GUID
#Blob
FuDxiYFfst
AssemblyTrademarkAttribute
System.Reflection
mscorlib
.ctor
System
String
AssemblyCopyrightAttribute
AssemblyProductAttribute
ComVisibleAttribute
System.Runtime.InteropServices
Boolean
TargetFrameworkAttribute
System.Runtime.Versioning
AssemblyFileVersionAttribute
GuidAttribute
DebuggableAttribute
System.Diagnostics
DebuggingModes
RuntimeCompatibilityAttribute
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
Int32
AssemblyTitleAttribute
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
SuppressIldasmAttribute
988410fd-ee6d-4c61-9adf-3f4f969aca66
FuDxiYFfst.exe
<Module>
bV9RyNBAX204L35a2o
Object
Circle
CycloidGenerator
Class1
DxfDocument
Layers
IniFile
KFSJLKFHLKSFHLFSIHUFLIHFISHF
System.Windows.Forms
Layer
SolverManager
SolverGraphControl
Control
DependencyTrackBar
UserControl
DxfExporter
IExportClient
ISolver
MainForm
<>c__DisplayClass6_0
Program
SolverParameter
Spline
SplineVertex
Vector2
Resources
CycloidGenerator.Properties
Settings
ApplicationSettingsBase
System.Configuration
SensingerCycloidSolver
CycloidGenerator.Solvers
SolverPoint
SolverPolar
ValueType
CircularSolver
BasicCycloidSolver
WawCycloidSolver
HypocycloidSolver
TrochoidSolver
SineWaveSolver
ZinclandCycloidSolver
SampleSolver
KurdishCoderProducts
Attribute
<Module>{037AE45A-9E2D-41E5-85F0-DA6740CC5305}
CDCWSn7SaPjUwoq2Cc
SOj3wtG2Ob7xEudvw7
SFU4mbT3GMret7THonf
MulticastDelegate
DyyVDbaRvM1YfIq9il
vJiGl01UUJfXfNWas3
AXBrnIFfMAfABnJrF9
z0oyxsqySXMDuI4ZyY`1
ay67rn8SHAWRagidNL
rL2N9N6wh7IWY3IC3G
LhmiV9AUoOr1v5yhIs
Lk7BwHKFmNJY32ZC3n
WDRJe2H6E4HVV6PGZs
xrUtBVoaXtCT6B0w6a
cH8IXcwQY4Peh2qpAn
R2mIapWar4cwoqqx6Q
zsd5DaYg9lOJGmlIO4
dde9wksVEKdElHkEKH
T9eZG8XLTT9vNo3j18
<PrivateImplementationDetails>{CA871E8B-8662-45B0-BF53-D3003254A468}
__StaticArrayInitTypeSize=256
__StaticArrayInitTypeSize=40
__StaticArrayInitTypeSize=30
__StaticArrayInitTypeSize=32
__StaticArrayInitTypeSize=16
__StaticArrayInitTypeSize=64
__StaticArrayInitTypeSize=18
.cctor
UInt32
vector2
radius
Double
<Layer>k__BackingField
get_Layer
set_Layer
value
edtora6hAX9OHiXsQM
rMuuTreJffExfpOEck
get_MyProperty
EyYg2HH3nkaLhYtNij
ItZEGVRrq4Z90Ujfcf
fWXGVHlv458CSHdlSR
MyProperty
<Keys>k__BackingField
get_Keys
set_Keys
RC2juxhbOJGBXRJZyQ
cwhR3TrdkbxvCn0OvW
AddEntity
Point
System.Drawing
NotImplementedException
fileName
g4VaLagQxZO2lwSJrY
bxkEs5GGaqiKCBQ1nv
Contains
layerName
layer
rBn1TrumJ4rxkqUXh0
BpwMroaORxHZ2ibk7O
<Sections>k__BackingField
get_Sections
set_Sections
YYsoI1BDOi3YUQ1YFg
PoGUwaoLH3sn687FTe
Sections
components
IContainer
System.ComponentModel
pageSetupDialog1
PageSetupDialog
printPreviewDialog1
PrintPreviewDialog
printPreviewControl1
PrintPreviewControl
openFileDialog1
OpenFileDialog
printPreviewDialog2
printPreviewDialog3
pageSetupDialog2
printPreviewDialog4
openFileDialog2
printPreviewDialog5
pageSetupDialog3
printPreviewDialog6
openFileDialog3
printPreviewDialog7
pageSetupDialog4
printPreviewDialog8
openFileDialog4
printPreviewDialog9
pageSetupDialog5
printPreviewDialog10
openFileDialog5
printPreviewDialog11
pageSetupDialog6
printPreviewDialog12
openFileDialog6
printPreviewDialog13
pageSetupDialog7
printPreviewDialog14
openFileDialog7
KFSJLKFHLKSFHLFSIHUFLIHFISHF_Load
sender
EventArgs
Dispose
disposing
InitializeComponent
ComponentResourceManager
set_ClientSize
set_Enabled
ResourceManager
System.Resources
GetObject
set_Icon
FileDialog
set_FileName
set_AutoScrollMargin
set_AutoScrollMinSize
set_Location
set_Name
set_Visible
set_TabIndex
SizeF
Single
ContainerControl
set_AutoScaleDimensions
GetTypeFromHandle
RuntimeTypeHandle
set_Text
EventHandler
IntPtr
add_Load
SuspendLayout
get_Controls
ControlCollection
set_Size
set_AutoScaleMode
AutoScaleMode
ResumeLayout
Assembly
Thread
System.Threading
GetDomain
AppDomain
Environment
GetTypes
sdasad
InvokeMember
BindingFlags
Binder
JIqIu2QZ4VFKdlvwwB
KwOkhKYQJNuBiSCeXg
PGaHQ4iRVNUGpIXIU8
wIRWgktTIBJ3jrUUG7
IDisposable
mY4PlaCBwKroHt7wVG
TtNGyWdxYUdZRwLXBH
l0ncB8EGCXqcILykwY
YeJQfAjLyNI0c5vf34
gRX36QvrSbqosqeoft
vUf5nUpATlUVXMvIEI
ksE1bAMvJUVCcOboUj
PNnD0iAlMnXLlaKGFG
aSR8kNIDtsv3y1hCqQ
SFMsYHD4TE3fVBimZj
w7m24cwj0kw41Bvk0J
vector21
vector22
voPqtt8JKRoqih2eCN
tIOYKNnc7t5SVJQ9et
mSolvers
List`1
System.Collections.Generic
GetSolvers
IList`1
GetExecutingAssembly
RegisterSolversInAssembly
CreateSolverInstance
ConstructorInfo
GetConstructor
op_Equality
Invoke
CAgVKQ23HRkI122Hkn
mJFejmmkpX7iXmNHaG
b5IGmZ9IlMVv3pF0fI
WcN2XDNiHbd1o7AC4v
mSolver
mDrawGrid
mDirectTransform
Matrix
System.Drawing.Drawing2D
mInverseTransform
mPens
mCurrentGraphics
Graphics
mMonitorDpis
get_Solver
set_Solver
Invalidate
get_DrawGrid
set_DrawGrid
SetStyle
ControlStyles
SetPenWidth
width
Color
get_Red
get_Gray
get_LightGray
FromArgb
get_Black
OnResize
get_Width
get_Height
Translate
Clone
Scale
Invert
OnPaint
PaintEventArgs
get_Graphics
set_Transform
set_SmoothingMode
SmoothingMode
center
color
RectangleF
DrawEllipse
points
PointF
get_Item
ICollection`1
get_Count
DrawCurve
PaintDebug
get_Font
DrawString
Brush
PaintGrid
DrawLine
GetPen
penName
GetDebugInfo
Format
GetPointF
SpaceToScreen
ScreenToSpace
ApplyMatrixToPoint
ConvertDpi
yewc251SO9WVbfpU0N
UemVD5WH2YX7nKFh5d
WYmhdC5xB2oKp7EHkq
jTLbMJSXuIPNxhCqLi
tKUrMfLCfXOPjjXVYM
DRLyqBy7fUiLHDj9vi
Brushes
xVZouPXh25GvK1LQKh
vm4OvUqydrwutAct9A
XNpki83CwgT2mJcAxv
TransformPoints
Solver
DrawGrid
mDivider
mDepObject
mDepPropertyName
mCaption
mHint
mIsInteger
mIsReadOnly
TargetChanged
trackBar1
TrackBar
CaptionLabel
Label
ValueLabel
ValueTextbox
TextBox
add_TargetChanged
Interlocked
CompareExchange
Delegate
Combine
remove_TargetChanged
Remove
get_IsReadOnly
set_IsReadOnly
get_IsInteger
set_IsInteger
get_Caption
set_Caption
get_Hint
set_Hint
get_DependencyObject
set_DependencyObject
get_DependencyPropertyName
set_DependencyPropertyName
get_Minimum
set_Minimum
get_Maximum
set_Maximum
get_Value
set_Value
get_LargeChange
set_LargeChange
get_SmallChange
set_SmallChange
set_TickFrequency
trackBar1_ValueChanged
ReadFromObject
FieldInfo
GetType
GetField
ToString
WriteToObject
SetValue
Empty
ValueTextbox_KeyDown
KeyEventArgs
get_KeyCode
get_Text
TryParse
SetTextBox
visible
ValueLabel_DoubleClick
TextBoxBase
SelectAll
Focus
ISupportInitialize
EndInit
set_Anchor
AnchorStyles
set_AutoSize
add_DoubleClick
BeginInit
PerformLayout
set_TextAlign
ContentAlignment
HorizontalAlignment
add_ValueChanged
KeyEventHandler
add_KeyDown
uHO0JnbGSUCiUWpfbb
nLtKLjTcUGG8W43wQ8
sGSAbP7KpJPPDkS1mB
tthCLJxmaFJDLJiApv
jY3otLFtYGqkEMCmUA
GetValue
ENQJcv0cOo69wFKew8
txWZWlfCYkcsAo0QoC
lE7EgwP3qBsKgdgWcg
IsReadOnly
IsInteger
Caption
DependencyObject
DependencyPropertyName
Minimum
Maximum
Value
LargeChange
SmallChange
Export
target
GetLayer
el1SW8VUDmdSuoCkH3
gwCF4HklcKE2LxikK9
cs9w0w4nDI2Ntv9VID
get_Name
get_Description
GetParams
client
Description
gearVisualizer1
ExportDxfButton
Button
ParamsPanel
Panel
dxfSaveFileDialog
SaveFileDialog
SolverCombo
ComboBox
SaveParamsButton
cfgSaveFileDialog
InitSolvers
IEnumerator`1
get_Current
IEnumerator
System.Collections
MoveNext
get_Items
ObjectCollection
ListControl
set_SelectedIndex
IEnumerable`1
GetEnumerator
SetSolverByName
solverName
SetSolver
solver
CreateParamsControls
Clear
CreateTrackBarForParam
set_Top
set_Width
Action`1
ExportDxfButton_Click
CommonDialog
ShowDialog
DialogResult
get_FileName
SaveParamsButton_Click
SolverCombo_SelectedIndexChanged
get_SelectedItem
SaveCurrentParams
LoadParams
gearVisualizer1_DragEnter
DragEventArgs
get_Data
IDataObject
DataFormats
FileDrop
GetData
System.IO
GetExtension
set_Effect
DragDropEffects
ToLower
op_Inequality
gearVisualizer1_DragDrop
gearVisualizer1_DragOver
FontStyle
GraphicsUnit
set_Font
set_FormattingEnabled
set_Title
set_DefaultExt
set_DisplayMember
set_AllowDrop
DragEventHandler
add_DragEnter
add_DragOver
add_Click
ButtonBase
set_UseVisualStyleBackColor
set_Filter
set_DropDownStyle
ComboBoxStyle
add_SelectedIndexChanged
add_DragDrop
od5FofOsfam4uI3VWyf
zUBEbHOOWEGaEnqNlVt
W2MKq4OZcQJSEk6EOvf
BUKWWiOKvUwvbXgMIIT
RTqJZgO6CUxEU3qmFVY
ArrangedElementCollection
System.Windows.Forms.Layout
LMOxUlOeI4FbAZ5HV4f
ASEWUYOH4WvDPyigDaB
DVl3BVORdhlE9tcRqme
WOilidOleigxJAcLRie
jpW4foOhPOQfZ0nZQC7
ThANiUOrepF9ggeD8p6
p3xTY6Og9LUdSuFZffi
<>4__this
<CreateTrackBarForParam>b__0
<CreateTrackBarForParam>b__1
cmn7ghOG8n1SQpKT4tw
USMqKSOuVAddfaaNw4q
fcCKQkOapanx2M2pUam
Application
EnableVisualStyles
SetCompatibleTextRenderingDefault
avSZgKOBTt8NT92MCOd
EHM3f5OoOmmidfsERYs
mValue
MaxValue
MinValue
DefaultValue
ValueChanged
remove_ValueChanged
depPropName
caption
NIjEGDOYjVPVBhju5E2
FQcxtwOixXFVvxjsb8M
dxfPoints
GF1wquOQXLLBE34uP6G
Lbj71oOtFWgMtD82J2e
e0TNiMOC3IclVyBrZaG
laJJAUOdDTRZ7FsxdaY
S7o8A9OEON96XCXVHGB
nZorcnOjiTsPGI66ZoR
resourceMan
resourceCulture
CultureInfo
System.Globalization
get_ResourceManager
get_Assembly
get_Culture
set_Culture
get_qxCRslDhrsdRkemDZHsId
Bitmap
get_Screenshots4
WZofDHOMDpurDGYd8kn
fWYIPuOvr1rjYU2iobt
NC11weOprm7r9LEblfC
z3nMetOAG9TGtGfLpC0
JBgcGOODDa3vVeqZy2v
tC6c1cOwnMQdBQrWp0v
Culture
qxCRslDhrsdRkemDZHsId
Screenshots4
defaultInstance
get_Default
SettingsBase
Synchronized
y6cPxCOIRt9S9pPTS3i
IEkvSHO8DSf1gRrPuGH
Default
CamDiameter
mParams
BeforeCircle
AfterCircle
GetCircularPoint
angle
Atan2
WFa1pHOnf9JnjMf4asI
lAEZ1NOmpbRk7MIrqfW
NELSdnO95lNKf1XuPug
XYK7IaO2VnLZYojtrO9
RJnCnKONujp0aUcA1cH
ovrMqlO1NOIlBbH3elC
gcJ99rOWXOcT4pdOmtC
FromPolar
CwSchhOL1okbQbkcfKt
Ei6ElCO5kce24QdvQ9X
J2IkHCOST2g8qrBFMxR
SOdPptOyHQGE49wix6k
PJE00rOXw4CdZXKk8cQ
Angle
FromRect
oiPgugOqX5DnoTwVnos
gqjuRCO3uhDW4koMBEC
Deg2Rad
MinAngle
MaxAngle
NumSteps
mClient
angleRads
fGj3jUO7xmFSx68nTKA
oELaXsObYlMHu758TN7
elLIrCOTkXiQv25EBPq
NumRollers
Offset
kmymkBO0BtxcNU0i0hY
xFDfsTOxTsPHo6BPZJS
pwExaKOFJAnGeRkNJEe
f3i2rJOfeU8lHa5mgld
jidUXyOPVP3ncnMqfq5
uERfcGOVERnL75tRGyj
H47mNROkAyehAud4Xv3
o361vSO4oNfd2ZDsY4J
bh7VQKOUgkWnwwrZpaf
FGOFAqOcHNCj6dPJiP1
CnjRVTOznnUQrlmKaGD
IXbf0QZJRQtspykNcyP
drbGIiZO6TGuqhNIdex
ML1pJZZZU7ouk02viRM
DVx1cxZsQwIpj2clXc4
Amplitude
Period
VerticalShift
HorizontalShift
xCVJacZKinPsNnn85O4
sONaq9Z6kC9p1EXsqru
ToPolar
ToRect
CalcCyp
CalcX
CalcY
CalcPressureAngle
CalcPressureLimit
CheckLimit
maxrad
minrad
offset
Exception
xTGZG3ZeNr24pP4QwHD
simno0ZH8IrFmswk63a
yvhq2QZRbSd3t3R2lIS
uTvWfdZlN0DcGlhyxIg
TXuvXkZhWoKSTenRGv6
Vun7BLZrUrywSeaNDjO
k105uZZgW69DqCDsSDh
xxgp4FZGrvVYyfVkIce
GbWYX0ZuMb89ZXdIWTT
TWp4PNnQc
Module
zxUQUh11ksoP2
typemdt
MethodInfo
ResolveType
MemberInfo
get_MetadataToken
ResolveMethod
MethodBase
CreateDelegate
GetFields
get_ManifestModule
JFhtNnZoPjmxUcOET3K
EMiGpVZYeHT8VpFHDx7
cGWECrZiqaUCFbkH2Ko
object
method
BeginInvoke
IAsyncResult
AsyncCallback
callback
EndInvoke
result
M6EKmwjSJ
lodECQQVs
VvPxdPh3O
sMgC0o5PW
uS9zmJ6WC
bFB44BUGlg
WS94a0Vnlv
XtL4lyIIgx
firstrundone
IBe4hEip2A
Hashtable
S0FvrGWpN
i244bikuos
Int64
NFL4IGyoc7
hIsn23p8h
dKMLoMpMs
NrL10qsNW
x3c4o2PyTx
d1uknJpcW
SortedList
cQCd71PIW
j8hgmZJ7n
PVVpfAGtG
phV4Uu6SUx
c9FNce5cf
Qwp4ejR7FG
hSjGubHK9
TWn4MujlZv
ghLACNa05
diL3t0peo
RuntimeHelpers
InitializeArray
Array
RuntimeFieldHandle
RSACryptoServiceProvider
System.Security.Cryptography
set_UseMachineKeyStore
OTVQUh136jQRR
creoiNvd7
UInt64
BitConverter
GetBytes
jZiU8kt7k
UInt16
yIEeUuogE
HNMMnrD0K
U6ZIpjiMV
TYIaeXNeW
rI3lmZ9FL
SuhhReBcy
SymmetricAlgorithm
AesCryptoServiceProvider
System.Core
RijndaelManaged
Activator
CreateInstance
ObjectHandle
System.Runtime.Remoting
Unwrap
QWOOk18h0
CryptoConfig
get_AllowOnlyFipsAlgorithms
BjkXsyRir
MD5CryptoServiceProvider
HashAlgorithm
ComputeHash
P4kZBQ8Uk
get_Length
KX0HrYNeb
BinaryReader
CryptoStream
MemoryStream
ICryptoTransform
Stream
CryptoStreamMode
pvQ2Nvbv9
Convert
FromBase64String
Encoding
System.Text
get_Unicode
GetString
gVU0QeojF
HK2JaffxR
ubITRqgdO
Marshal
GetMethod
vZF7RiFiF
get_Location
Exists
GetName
AssemblyName
get_CodeBase
Replace
GetProperty
PropertyInfo
eM2t2dfoT
FileStream
FileMode
FileAccess
FileShare
vDfq2bW1V
set_Key
set_IV
CreateDecryptor
Write
Close
ToArray
B3XRfqih9
sVk5WFvVV
E3GryunuI
yxOcIGI9u
Oihu8LNHm
ifqQyNVWS
hcDmskCdX
mKgSOTjDj
aYTwtN0c5
udfDaXdkp
hdRDejQbHmoVHKTn4A
GetManifestResourceStream
I8i4jxbBJm2xfELoCT
get_BaseStream
dIqQOdIPs8dtQPQMPA
set_Position
PUlCMTDWc9w918hMbO
HUu9vH6VYPiodPV3Ia
ReadBytes
IBSWd0MYuN3xcHZCwH
fgyo8o8W0XMLZHqX5p
Reverse
OivomDAxrYWfrQR5PX
l0w6Jg24UqiMmKhaW4
GetPublicKeyToken
cnk5bZlo76cB14UsKZ
RCxnhhub8iPgSRAL2e
CipherMode
set_Mode
fIP19GpFEeg76YqoLg
B3gKn6jU3aXCf22ujf
bcQ3G1K2st64KqUsyB
FlushFinalBlock
m3GR4cTuuZc5wI07UR
eABjWpE1sLeGQsmUxv
CF8AsZeqoUFvSixN6R
ToInt32
pWmUcytvQ9maVqVdsZ
bSMJWPqSYdSipTuuMT
HbHE6ccJrfx0Volp9C
SM0hxSndQZwfGI5uoH
kTCHkyZC0Q4i1w1O2sT
QWOnbaZdIIGnPEwghoy
D4r4O0AxSI
CreateEncryptor
POhFUrZv9oQJAdb9hw4
EN3qTMZppivAV71E4Af
zkWqpqZMCpPsG1VeeLN
ToBase64String
classthis
flags
nativeEntry
nativeSizeOfCode
bV44XU8KQo
Uu349Vtr47
value__
ywq4VEynyU
jQFQUh1zfobUa
CCw4Tb9h3V
n3x46T2MQ2
WP947UZNwy
Fko4i7KTuh
pfJ40gjxwv
eBxqprrF8
GetManifestResourceNames
AddRange
Ypf4J7ba8u
ResolveEventArgs
get_CurrentDomain
ResolveEventHandler
add_ResourceResolve
kLjw4iIsCLsZtxc4lksN0j
igkKkS99eNel5i4CDH
zAJifMLldn05lTjUK0
lIessHvYUxHkm0rjsk
w2MJKkdtsQxjhsIbUs
JUE0bSTXXIpl4Jv9A3
Nc6RUaQZ79LIElIU8W
fdwrJQqnyiBgDj1vrN
CdyIKNi92l0A4Wv9yr
v41y5LgCvtQuU9Gjvg
K0V1eQUsJReShmKNL1
MUXSRrB5TxFMxqYjob
IWZ4FNxMCV
IsLittleEndian
X4o4BaXNNW
ReR4PkWY9i
XZO4yOqtpA
pcT48wm9UY
Y9l4jroko9
OY84tBcMwd
JrQ4qkE5mX
iRM4R10ean
AGe45CEX5X
Goe4rkO7Su
Tt04cJf5Ud
wDU4ucXGpO
HGp4Q5R9ww
FvC4mE2qIR
iv04SsOrFF
zBi4wdjAN2
PN14D93Kyx
ulr41vALu8
lQp4gbkEqU
IRA4KTlYfd
bM9vP4Z5pradyHxq9nV
get_ASCII
TOyMnMZSfhIeRZY16bX
BWlodqZLwaTERash9Wh
EYrpMmZyr84NlKRr6GF
ToUInt32
$$method0x6000007-1
$$method0x6000020-1
$$method0x6000020-2
$$method0x600002a-1
$$method0x600002a-2
$$method0x6000039-1
$$method0x600005f-1
$$method0x600027b-1
Rt5Jgr8logkXAp8Jlx.sDAtv1jgHrXMUs59o9
SrHCLlUAV0KngkjdSA.rfGOn6AHsRQgkefwMn
DebuggerBrowsableAttribute
DebuggerBrowsableState
CompilerGeneratedAttribute
STAThreadAttribute
GeneratedCodeAttribute
System.CodeDom.Compiler
DebuggerNonUserCodeAttribute
EditorBrowsableAttribute
EditorBrowsableState
UnmanagedFunctionPointerAttribute
CallingConvention
FlagsAttribute
2015
CycloidGenerator
1.0.0.0
$19a25093-e9fe-4707-bdfb-716817c09a3b
ConfuserEx v1.0.0-custom
16.0.0.0
16.1.0.0
vJiGl01UUJfXfNWas3.DyyVDbaRvM1YfIq9il+AXBrnIFfMAfABnJrF9+z0oyxsqySXMDuI4ZyY`1[[System.Object, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]
@eX-9
-)P,B
A90(pnk
_CorExeMain
mscoree.dll
8-$Y<o
9-bo\e
u{Zn@
</assembly>
!""$#&$(%*
)(+*,+-*.*/*0*1*4353768696:6;6<6=6
{11111-22222-40001-00002}
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe
FileVersion
12.1.2.69
InternalName
Adobe Premiere Pro
LegalCopyright
Copyright 1991-2018 Adobe. All rights reserved.
OriginalFilename
Adobe Premiere Pro.exe
FileDescription
Adobe Premiere Pro CC 2018
ProductName
Adobe Premiere Pro CC 2018
ProductVersion
12.1.2
Build Number
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

  • 9Q8Xfdz3NC.exe 1444
    • schtasks.exe 976 "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xPVgBllqedb" /XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp"
  • svchost.exe 816 C:\Windows\system32\svchost.exe -k netsvcs

9Q8Xfdz3NC.exe, PID: 1444, Parent PID: 1512
Full Path: C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe
Command Line: "C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe"
schtasks.exe, PID: 976, Parent PID: 1444
Full Path: C:\Windows\SysWOW64\schtasks.exe
Command Line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xPVgBllqedb" /XML "C:\Users\user\AppData\Local\Temp\tmpE456.tmp"
svchost.exe, PID: 816, Parent PID: 464
Full Path: C:\Windows\sysnative\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name GDIPFONTCACHEV1.DAT
Associated Filenames
C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
File Size 86096 bytes
File Type data
MD5 1bba2e8a1b56ec52dd7805093b4839d3
SHA1 8d507ec6e5c4af348304f38c85227cbdca17a1f3
SHA256 2df0e9bc46893be214dc9da3ce78ba97b4176ee761ec3f38f0139297490f5341
CRC32 AEF024B5
Ssdeep 768:3v4h0tHgTlF1AphohIqrT43MTxK8PU/NBxZysNAp:Qh0tHgTlF1AphADhTxK8PU/NBD6p
ClamAV None
Yara None matched
CAPE Yara None matched
File name xPVgBllqedb.exe
Associated Filenames
C:\Users\user\AppData\Roaming\xPVgBllqedb.exe
File Size 524800 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 6ff17990285074461912af748e758a7a
SHA1 046d68ca1147af82045037a9ba98097bc274b2b7
SHA256 4a6d39c3ae498c2a17d6ede7361ed53c09722a52b2f2a47cf0e9561c860e4054
CRC32 CC7CB6F1
Ssdeep 6144:qt8RvskcN4ZfqRPsbJ19DMgJyxtyc916dWdWUAHzZxOXzt/LEgSh/iEExV6WC:sEd6Yeg2yXdWdWUKZxuMdiEO
ClamAV None
Yara None matched
CAPE Yara None matched
File name tmpE456.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\tmpE456.tmp
File Size 1640 bytes
File Type XML 1.0 document, ASCII text, with CRLF line terminators
MD5 ae5992c2398d8aeaa2e8ffbf3263bcb5
SHA1 fe70765111526c8deb2e02e06520876f5ab5b4e7
SHA256 7b603e4dba9ca68172c2b2810b4db3eb7d4476d483a72bfcffc5232c0accae64
CRC32 CAC60791
Ssdeep 24:2dH4+SEqCMm7slNMFM/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB5ROtn:cbhL7slNQM/rydbz9I3YODOLNdq3+
ClamAV None
Yara None matched
CAPE Yara None matched
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>WIN7-X64-CUCKOO\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>WIN7-X64-CUCKOO\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>WIN7-X64-CUCKOO\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\xPVgBllqedb.exe</Command>
    </Exec>
  </Actions>
</Task>
Type Extracted Shellcode
Size 24576 bytes
Virtual Address 0x00430000
Process 9Q8Xfdz3NC.exe
PID 1444
Path C:\Users\user\AppData\Local\Temp\9Q8Xfdz3NC.exe
MD5 d7285b354aaa21161cdf7490ed1b699a
SHA1 740654c1d2fd9ca78dcf9ee50888f0c046aab55b
SHA256 d45ee3eb3084832f311ae0b9926769707327afa402e6d2fa4854c354e5963545
CRC32 9A8EA733
Ssdeep 384:Zfn6DGmI8eF6mwz6pNjjq46sTmCsmlf63T32L0WCR15cti5jTOvB/kv5p1nVP2ln:BaG58WfpNjb6TCnN672QWChvjSJ8v5pq
Yara None matched
CAPE Yara None matched
Process Name schtasks.exe
PID 976
Dump Size 171520 bytes
Module Path C:\Windows\SysWOW64\schtasks.exe
Type PE image: 32-bit executable
MD5 29c9241a865effc5d7cda65577a697c0
SHA1 52ed34bf0b16ea79493d3cd94511976884a28885
SHA256 3b5d103f7bc0b35690c49b20f30e5eb0ae6943beb93c8b5b2ba63a2e86cfa0e6
CRC32 95B8494D
Ssdeep 3072:RCxcmlEeNW9FxoWhKughXD8tXU/0aGsxNDbPIKhC3lzGHr7REUGBGA2V:RUcmlEzvReak/VGcPIKlWGA2
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 3b5d103f7bc0b35690c49b20f30e5eb0ae6943beb93c8b5b2ba63a2e86cfa0e6


Processing ( 2.445 seconds )

  • 0.728 CAPE
  • 0.392 BehaviorAnalysis
  • 0.39 Static
  • 0.305 Dropped
  • 0.239 TargetInfo
  • 0.16 ProcDump
  • 0.11 TrID
  • 0.04 static_dotnet
  • 0.036 Strings
  • 0.032 Deduplicate
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.242 seconds )

  • 0.019 antiav_detectreg
  • 0.013 stealth_timeout
  • 0.012 api_spamming
  • 0.012 decoy_document
  • 0.011 NewtWire Behavior
  • 0.01 stealth_file
  • 0.01 infostealer_ftp
  • 0.009 antiav_detectfile
  • 0.008 ransomware_files
  • 0.007 InjectionCreateRemoteThread
  • 0.006 Doppelganging
  • 0.006 injection_createremotethread
  • 0.006 infostealer_bitcoin
  • 0.006 infostealer_im
  • 0.005 injection_runpe
  • 0.005 InjectionProcessHollowing
  • 0.004 mimics_filetime
  • 0.004 antivm_generic_disk
  • 0.004 antianalysis_detectreg
  • 0.004 infostealer_mail
  • 0.004 ransomware_extensions
  • 0.003 malicious_dynamic_function_loading
  • 0.003 InjectionInterProcess
  • 0.003 bootkit
  • 0.003 antiemu_wine_func
  • 0.003 reads_self
  • 0.003 dynamic_function_loading
  • 0.003 persistence_autorun
  • 0.003 virus
  • 0.003 antivm_vbox_files
  • 0.003 masquerade_process_name
  • 0.002 antidebug_guardpages
  • 0.002 exploit_heapspray
  • 0.002 exploit_getbasekerneladdress
  • 0.002 infostealer_browser_password
  • 0.002 antidbg_windows
  • 0.002 kovter_behavior
  • 0.002 hancitor_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.001 tinba_behavior
  • 0.001 hawkeye_behavior
  • 0.001 network_tor
  • 0.001 antivm_vbox_libs
  • 0.001 rat_nanocore
  • 0.001 antiav_avast_libs
  • 0.001 stack_pivot
  • 0.001 antivm_generic_services
  • 0.001 betabot_behavior
  • 0.001 exploit_gethaldispatchtable
  • 0.001 antisandbox_sunbelt_libs
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_scsi
  • 0.001 Extraction
  • 0.001 ransomware_message
  • 0.001 cerber_behavior
  • 0.001 antidbg_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 rat_pcclient

Reporting ( 0.05 seconds )

  • 0.047 SubmitCAPE
  • 0.003 CompressResults
Task ID 131477
Mongo ID 5e79de3a22fb4f13386d7151
Cuckoo release 1.3-CAPE