Analysis

Category: FILE
Package: Extraction
Started: 2020-03-24 10:17:22
Completed: 2020-03-24 10:21:30
Duration: 248 seconds

Options:
route = internet
procdump = 0

Log:
2020-03-24 10:17:22,015 [root] INFO: Date set to: 03-24-20, time set to: 10:17:22, timeout set to: 200
2020-03-24 10:17:22,404 [root] DEBUG: Starting analyzer from: C:\huqqiyohb
2020-03-24 10:17:22,404 [root] DEBUG: Storing results at: C:\TMydAIS
2020-03-24 10:17:22,404 [root] DEBUG: Pipe server name: \\.\PIPE\ePenqzbfhL
2020-03-24 10:17:22,404 [root] INFO: Analysis package "Extraction" has been specified.
2020-03-24 10:17:31,625 [root] DEBUG: Started auxiliary module Browser
2020-03-24 10:17:31,625 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 10:17:31,625 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 10:17:34,121 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 10:17:34,121 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 10:17:34,121 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 10:17:34,121 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 10:17:34,121 [root] DEBUG: Started auxiliary module Human
2020-03-24 10:17:34,121 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 10:17:34,121 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 10:17:34,135 [root] DEBUG: Started auxiliary module Usage
2020-03-24 10:17:34,135 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2020-03-24 10:17:34,135 [root] INFO: Analyzer: DLL_64 set to Extraction_x64.dll from package modules.packages.Extraction
2020-03-24 10:17:34,151 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe" with arguments "" with pid 1328
2020-03-24 10:17:34,151 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:34,151 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:34,230 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:34,230 [root] DEBUG: Loader: Injecting process 1328 (thread 1836) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:34,230 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:34,230 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:34,230 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:34,230 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:34,230 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1328
2020-03-24 10:17:36,242 [lib.api.process] INFO: Successfully resumed process with pid 1328
2020-03-24 10:17:36,242 [root] INFO: Added new process to list with pid: 1328
2020-03-24 10:17:37,085 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 10:17:37,085 [root] DEBUG: Process dumps disabled.
2020-03-24 10:17:37,319 [root] INFO: Disabling sleep skipping.
2020-03-24 10:17:37,319 [root] INFO: Disabling sleep skipping.
2020-03-24 10:17:37,319 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 10:17:37,319 [root] INFO: Disabling sleep skipping.
2020-03-24 10:17:37,319 [root] INFO: Disabling sleep skipping.
2020-03-24 10:17:37,319 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x0, NtSetContextThread: 0x7716124a, Wow64PrepareForException: 0x0
2020-03-24 10:17:37,334 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x230000
2020-03-24 10:17:37,334 [root] DEBUG: Debugger initialised.
2020-03-24 10:17:37,334 [root] DEBUG: CAPE initialised: 32-bit Extraction package loaded in process 1328 at 0x74870000, image base 0x400000, stack from 0x186000-0x190000
2020-03-24 10:17:37,334 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe".
2020-03-24 10:17:37,334 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00400000) returned 0x00000000.
2020-03-24 10:17:37,334 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 10:17:37,334 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00400000) -> AllocationBase 0x00400000 RegionSize 0x4096.
2020-03-24 10:17:37,334 [root] DEBUG: AddTrackedRegion: EntryPoint 0x1254, Entropy 5.107124e+00
2020-03-24 10:17:37,334 [root] DEBUG: AddTrackedRegion: New region at 0x00400000 size 0x1000 added to tracked regions.
2020-03-24 10:17:37,334 [root] DEBUG: ExtractionInit: Adding main image base to tracked regions.
2020-03-24 10:17:37,334 [root] INFO: Monitor successfully loaded in process with pid 1328.
2020-03-24 10:17:37,631 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:37,645 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:37,645 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy 5.107124e+00.
2020-03-24 10:17:37,645 [root] DEBUG: ProtectionHandler: Adding region at 0x00240000 to tracked regions.
2020-03-24 10:17:37,645 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00240000) returned 0x00000000.
2020-03-24 10:17:37,645 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 10:17:37,645 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00240000) -> AllocationBase 0x00240000 RegionSize 0x24576.
2020-03-24 10:17:37,645 [root] DEBUG: AddTrackedRegion: New region at 0x00240000 size 0x6000 added to tracked regions.
2020-03-24 10:17:37,645 [root] DEBUG: ProtectionHandler: Address: 0x00240000 (alloc base 0x00240000), NumberOfBytesToProtect: 0x6000, NewAccessProtection: 0x20
2020-03-24 10:17:37,645 [root] DEBUG: ProtectionHandler: New code detected at (0x00240000), scanning for PE images.
2020-03-24 10:17:37,645 [root] DEBUG: DumpPEsInRange: Scanning range 0x240000 - 0x246000.
2020-03-24 10:17:37,645 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x240000-0x246000.
2020-03-24 10:17:37,645 [root] DEBUG: DumpPEsInRange: Scanning range 0x240000 - 0x246000.
2020-03-24 10:17:37,645 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x240000-0x246000.
2020-03-24 10:17:37,645 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00240000, TrackedRegion->RegionSize: 0x6000, thread 1836
2020-03-24 10:17:37,645 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd8, Size=0x2, Address=0x00240000 and Type=0x1.
2020-03-24 10:17:37,661 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1836 type 1 at address 0x00240000, size 2 with Callback 0x74877510.
2020-03-24 10:17:37,661 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00240000
2020-03-24 10:17:37,677 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd8, Size=0x4, Address=0x0024003C and Type=0x1.
2020-03-24 10:17:37,677 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1836 type 1 at address 0x0024003C, size 4 with Callback 0x748771a0.
2020-03-24 10:17:37,677 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0024003C
2020-03-24 10:17:37,677 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00240000.
2020-03-24 10:17:37,740 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\system32\SXS (0x5f000 bytes).
2020-03-24 10:17:38,364 [root] DEBUG: ProtectionHandler: Address 0x00240000 already in tracked region at 0x00240000, size 0x6000
2020-03-24 10:17:38,364 [root] DEBUG: ProtectionHandler: Address: 0x00240000 (alloc base 0x00240000), NumberOfBytesToProtect: 0xa000, NewAccessProtection: 0x20
2020-03-24 10:17:38,364 [root] DEBUG: ProtectionHandler: Increased region size at 0x00240000 to 0xa000.
2020-03-24 10:17:38,364 [root] DEBUG: ProtectionHandler: New code detected at (0x00240000), scanning for PE images.
2020-03-24 10:17:38,364 [root] DEBUG: DumpPEsInRange: Scanning range 0x240000 - 0x24a000.
2020-03-24 10:17:38,364 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x240000-0x24a000.
2020-03-24 10:17:38,364 [root] DEBUG: DumpPEsInRange: Scanning range 0x240000 - 0x24a000.
2020-03-24 10:17:38,364 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x240000-0x24a000.
2020-03-24 10:17:38,364 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00240000, TrackedRegion->RegionSize: 0xa000, thread 1836
2020-03-24 10:17:38,364 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd8, Size=0x2, Address=0x00240000 and Type=0x1.
2020-03-24 10:17:38,364 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1836 type 1 at address 0x00240000, size 2 with Callback 0x74877510.
2020-03-24 10:17:38,364 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00240000
2020-03-24 10:17:38,364 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd8, Size=0x4, Address=0x0024003C and Type=0x1.
2020-03-24 10:17:38,364 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1836 type 1 at address 0x0024003C, size 4 with Callback 0x748771a0.
2020-03-24 10:17:38,364 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0024003C
2020-03-24 10:17:38,364 [root] DEBUG: ProtectionHandler: Breakpoints set on executable region at: 0x00240000.
2020-03-24 10:17:40,687 [root] DEBUG: Allocation: 0x00420000 - 0x00428000, size: 0x8000, protection: 0x40.
2020-03-24 10:17:40,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:40,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:40,687 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy 5.331891e+00.
2020-03-24 10:17:40,687 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:40,687 [root] DEBUG: AllocationHandler: Adding allocation to tracked region list: 0x00420000, size: 0x8000.
2020-03-24 10:17:40,687 [root] DEBUG: AddTrackedRegion: GetTrackedRegion(0x00420000) returned 0x00000000.
2020-03-24 10:17:40,687 [root] DEBUG: AddTrackedRegion: Created new tracked region: TrackedRegion->AllocationBase 0x00000000.
2020-03-24 10:17:40,687 [root] DEBUG: AddTrackedRegion: VirtualQuery(0x00420000) -> AllocationBase 0x00420000 RegionSize 0x32768.
2020-03-24 10:17:40,687 [root] DEBUG: AddTrackedRegion: New region at 0x00420000 size 0x8000 added to tracked regions.
2020-03-24 10:17:40,687 [root] DEBUG: ActivateBreakpoints: TrackedRegion->AllocationBase: 0x00420000, TrackedRegion->RegionSize: 0x8000, thread 1836
2020-03-24 10:17:40,687 [root] DEBUG: ActivateBreakpoints: Switching breakpoints from region 0x00240000 to 0x00420000.
2020-03-24 10:17:40,687 [root] DEBUG: DumpPEsInRange: Scanning range 0x240000 - 0x24a000.
2020-03-24 10:17:40,687 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x240000-0x24a000.
2020-03-24 10:17:40,703 [root] DEBUG: DumpPEsInTrackedRegion: No PE images found in range range 0x00240000 - 0x0024A000.
2020-03-24 10:17:40,703 [root] DEBUG: DumpMemory: CAPE output file C:\TMydAIS\CAPE\1328_110924684840171024232020 successfully created, size 0x10000
2020-03-24 10:17:40,734 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x240000
2020-03-24 10:17:40,734 [root] DEBUG: DumpRegion: Failed to dump entire allocation from 0x00240000 size 0x10000.
2020-03-24 10:17:40,734 [root] DEBUG: DumpMemory: CAPE output file C:\TMydAIS\CAPE\1328_38185464840171024232020 successfully created, size 0xa000
2020-03-24 10:17:40,766 [root] INFO: Added new CAPE file to list with path: C:\TMydAIS\CAPE\1328_38185464840171024232020
2020-03-24 10:17:40,766 [root] DEBUG: DumpRegion: Dumped stack region from 0x00240000, size 0xa000.
2020-03-24 10:17:40,766 [root] DEBUG: ProcessTrackedRegion: dumped executable memory range at 0x00240000.
2020-03-24 10:17:40,766 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x240000 - 0x24a000.
2020-03-24 10:17:40,766 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xd8, Size=0x2, Address=0x00420000 and Type=0x1.
2020-03-24 10:17:40,766 [root] DEBUG: SetThreadBreakpoint: Set bp 0 thread id 1836 type 1 at address 0x00420000, size 2 with Callback 0x74877510.
2020-03-24 10:17:40,766 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on empty protect address: 0x00420000
2020-03-24 10:17:40,766 [root] DEBUG: SetDebugRegister: Setting breakpoint 1 hThread=0xd8, Size=0x4, Address=0x0042003C and Type=0x1.
2020-03-24 10:17:40,766 [root] DEBUG: SetThreadBreakpoint: Set bp 1 thread id 1836 type 1 at address 0x0042003C, size 4 with Callback 0x748771a0.
2020-03-24 10:17:40,766 [root] DEBUG: ActivateBreakpoints: Set write breakpoint on e_lfanew address: 0x0042003C
2020-03-24 10:17:40,766 [root] DEBUG: AllocationHandler: Breakpoints set on newly-allocated executable region at: 0x00420000 (size 0x8000).
2020-03-24 10:17:40,766 [root] DEBUG: DLL unloaded from 0x772F0000.
2020-03-24 10:17:40,766 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004096A0 (thread 1836)
2020-03-24 10:17:40,766 [root] DEBUG: BaseAddressWriteCallback: Breakpoint 0 at Address 0x00420000.
2020-03-24 10:17:40,766 [root] DEBUG: ContextSetDebugRegister: Setting breakpoint 2 within Context, Size=0x0, Address=0x00420000 and Type=0x0.
2020-03-24 10:17:40,766 [root] DEBUG: BaseAddressWriteCallback: byte written to 0x420000: 0x81.
2020-03-24 10:17:40,766 [root] DEBUG: BaseAddressWriteCallback: Exec bp set on tracked region protect address.
2020-03-24 10:17:40,766 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x004096A0 (thread 1836)
2020-03-24 10:17:40,766 [root] DEBUG: PEPointerWriteCallback: Breakpoint 1 at Address 0x0042003C.
2020-03-24 10:17:40,766 [root] DEBUG: PEPointerWriteCallback: candidate pointer to PE header too big: 0x59f80000 (at 0x0042003C).
2020-03-24 10:17:40,782 [root] DEBUG: ContextSetNextAvailableBreakpoint: An identical breakpoint (2) at 0x00420000 already exists for thread 1836 (process 1328), skipping.
2020-03-24 10:17:40,782 [root] DEBUG: PEPointerWriteCallback: set write bp on AddressOfEntryPoint at 0x00420000.
2020-03-24 10:17:40,782 [root] DEBUG: CAPEExceptionFilter: breakpoint hit by instruction at 0x00420000 (thread 1836)
2020-03-24 10:17:40,782 [root] DEBUG: ShellcodeExecCallback: Breakpoint 2 at Address 0x00420000 (allocation base 0x00420000).
2020-03-24 10:17:40,782 [root] DEBUG: ShellcodeExecCallback: Debug: About to scan region for a PE image (base 0x00420000, size 0x8000).
2020-03-24 10:17:40,782 [root] DEBUG: DumpPEsInRange: Scanning range 0x420000 - 0x428000.
2020-03-24 10:17:40,782 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x420000-0x428000.
2020-03-24 10:17:40,782 [root] DEBUG: DumpMemory: CAPE output file C:\TMydAIS\CAPE\1328_143924999040371224232020 successfully created, size 0x8000
2020-03-24 10:17:40,782 [root] INFO: Added new CAPE file to list with path: C:\TMydAIS\CAPE\1328_143924999040371224232020
2020-03-24 10:17:40,782 [root] DEBUG: ShellcodeExecCallback: successfully dumped memory range at 0x00420000 (size 0x8000).
2020-03-24 10:17:40,782 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x420000 - 0x428000.
2020-03-24 10:17:40,782 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x00420000.
2020-03-24 10:17:40,782 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 1 address 0x0042003C.
2020-03-24 10:17:40,782 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 2 address 0x00420000.
2020-03-24 10:17:40,782 [root] DEBUG: set_caller_info: Adding region at 0x00420000 to caller regions list (ntdll::LdrLoadDll).
2020-03-24 10:17:40,782 [root] DEBUG: set_caller_info: Caller at 0x004229C5 in tracked regions.
2020-03-24 10:17:40,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:40,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:40,782 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy 5.331891e+00.
2020-03-24 10:17:40,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:40,782 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,094 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\shell32 (0xc4a000 bytes).
2020-03-24 10:17:41,219 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2648
2020-03-24 10:17:41,219 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,219 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,219 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,219 [root] DEBUG: Loader: Injecting process 2648 (thread 2780) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,219 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,219 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,219 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,219 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,219 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2648
2020-03-24 10:17:41,219 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-03-24 10:17:41,233 [root] DEBUG: DLL unloaded from 0x00400000.
2020-03-24 10:17:41,233 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2648
2020-03-24 10:17:41,233 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,233 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,233 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,233 [root] DEBUG: Loader: Injecting process 2648 (thread 2780) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,233 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,233 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,233 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,233 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,233 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2648
2020-03-24 10:17:41,233 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,233 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,250 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,250 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,266 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 3032
2020-03-24 10:17:41,266 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,266 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,266 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,266 [root] DEBUG: Loader: Injecting process 3032 (thread 2108) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,266 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,266 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,266 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,266 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,266 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3032
2020-03-24 10:17:41,280 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 3032
2020-03-24 10:17:41,280 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,280 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,280 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,280 [root] DEBUG: Loader: Injecting process 3032 (thread 2108) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,280 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,280 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,280 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,280 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,280 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3032
2020-03-24 10:17:41,296 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,296 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,296 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,312 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2732
2020-03-24 10:17:41,312 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,312 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,312 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,312 [root] DEBUG: Loader: Injecting process 2732 (thread 2776) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,312 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,312 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,312 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,312 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2732
2020-03-24 10:17:41,328 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2732
2020-03-24 10:17:41,328 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,328 [root] DEBUG: Loader: Injecting process 2732 (thread 2776) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,328 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,328 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,328 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,328 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2732
2020-03-24 10:17:41,328 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,328 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,344 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,344 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,344 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,344 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,358 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1988
2020-03-24 10:17:41,358 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,358 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,358 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,358 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,358 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,358 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,358 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,358 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,358 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2020-03-24 10:17:41,375 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1988
2020-03-24 10:17:41,375 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,375 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,375 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,375 [root] DEBUG: Loader: Injecting process 1988 (thread 1332) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,375 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,375 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,375 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,375 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,375 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1988
2020-03-24 10:17:41,375 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,390 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,390 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,405 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2680
2020-03-24 10:17:41,405 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,405 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,405 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,405 [root] DEBUG: Loader: Injecting process 2680 (thread 1220) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,405 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,405 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,405 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,405 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,405 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2680
2020-03-24 10:17:41,421 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2680
2020-03-24 10:17:41,421 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,421 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,421 [root] DEBUG: Loader: Injecting process 2680 (thread 1220) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,421 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,421 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,421 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,421 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2680
2020-03-24 10:17:41,421 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,421 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,421 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,453 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2072
2020-03-24 10:17:41,453 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,453 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,453 [root] DEBUG: Loader: Injecting process 2072 (thread 2076) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,453 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,453 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,453 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2072
2020-03-24 10:17:41,467 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2072
2020-03-24 10:17:41,467 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,467 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,467 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,467 [root] DEBUG: Loader: Injecting process 2072 (thread 2076) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,467 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,467 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,467 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,467 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,467 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2072
2020-03-24 10:17:41,467 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,483 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,483 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,483 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,500 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1540
2020-03-24 10:17:41,500 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,500 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,500 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,500 [root] DEBUG: Loader: Injecting process 1540 (thread 1016) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,500 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,500 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,500 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,500 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,500 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1540
2020-03-24 10:17:41,515 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1540
2020-03-24 10:17:41,515 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,515 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,515 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,515 [root] DEBUG: Loader: Injecting process 1540 (thread 1016) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,515 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,515 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,515 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,515 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,515 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1540
2020-03-24 10:17:41,515 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,515 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,515 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,530 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,530 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,546 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 624
2020-03-24 10:17:41,546 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,546 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,546 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,546 [root] DEBUG: Loader: Injecting process 624 (thread 812) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,546 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,546 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,546 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 624
2020-03-24 10:17:41,562 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 624
2020-03-24 10:17:41,562 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,562 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,562 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,562 [root] DEBUG: Loader: Injecting process 624 (thread 812) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,562 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,562 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,562 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,562 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 624
2020-03-24 10:17:41,562 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,562 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,562 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,578 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2656
2020-03-24 10:17:41,578 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,578 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,578 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,578 [root] DEBUG: Loader: Injecting process 2656 (thread 2036) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,578 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,578 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,578 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,578 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,578 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2656
2020-03-24 10:17:41,592 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2656
2020-03-24 10:17:41,592 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,592 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,592 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,592 [root] DEBUG: Loader: Injecting process 2656 (thread 2036) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,592 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,592 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,592 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,592 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,592 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2656
2020-03-24 10:17:41,592 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,592 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,608 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1644
2020-03-24 10:17:41,608 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,608 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,608 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,608 [root] DEBUG: Loader: Injecting process 1644 (thread 2876) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,608 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,608 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,608 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,608 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,608 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1644
2020-03-24 10:17:41,624 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1644
2020-03-24 10:17:41,624 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,624 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,624 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,624 [root] DEBUG: Loader: Injecting process 1644 (thread 2876) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,624 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,624 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,624 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,624 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,624 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1644
2020-03-24 10:17:41,624 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,624 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,624 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,624 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,624 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,624 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,640 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2724
2020-03-24 10:17:41,640 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,640 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,640 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,640 [root] DEBUG: Loader: Injecting process 2724 (thread 2552) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,640 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,640 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,640 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,640 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2724
2020-03-24 10:17:41,655 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2724
2020-03-24 10:17:41,655 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,655 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,655 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,655 [root] DEBUG: Loader: Injecting process 2724 (thread 2552) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,655 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,655 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,655 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,655 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,655 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2724
2020-03-24 10:17:41,655 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,655 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,655 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,671 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,671 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,687 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1460
2020-03-24 10:17:41,687 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,687 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,687 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,687 [root] DEBUG: Loader: Injecting process 1460 (thread 576) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,687 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,687 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,687 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,687 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,687 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1460
2020-03-24 10:17:41,701 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1460
2020-03-24 10:17:41,701 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,701 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,701 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,701 [root] DEBUG: Loader: Injecting process 1460 (thread 576) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,701 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,701 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,701 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,701 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,701 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1460
2020-03-24 10:17:41,701 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,701 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,701 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,717 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,717 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,733 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 996
2020-03-24 10:17:41,733 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,733 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,733 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,733 [root] DEBUG: Loader: Injecting process 996 (thread 2088) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,733 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,733 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,733 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,733 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,733 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 996
2020-03-24 10:17:41,749 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 996
2020-03-24 10:17:41,749 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,749 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,749 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,749 [root] DEBUG: Loader: Injecting process 996 (thread 2088) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,749 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,749 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,765 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,765 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,765 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 996
2020-03-24 10:17:41,765 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,765 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,765 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,779 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1200
2020-03-24 10:17:41,779 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,779 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,779 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,779 [root] DEBUG: Loader: Injecting process 1200 (thread 1940) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,779 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,779 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,779 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,779 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,779 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1200
2020-03-24 10:17:41,796 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1200
2020-03-24 10:17:41,796 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,796 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,796 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,796 [root] DEBUG: Loader: Injecting process 1200 (thread 1940) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,796 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,796 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,796 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,796 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,796 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1200
2020-03-24 10:17:41,796 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,796 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,796 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,812 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1788
2020-03-24 10:17:41,812 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,812 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,812 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,812 [root] DEBUG: Loader: Injecting process 1788 (thread 1648) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,812 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,812 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,812 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,812 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1788
2020-03-24 10:17:41,826 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1788
2020-03-24 10:17:41,826 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,826 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,826 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,826 [root] DEBUG: Loader: Injecting process 1788 (thread 1648) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,826 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,826 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,826 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,826 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,826 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1788
2020-03-24 10:17:41,842 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,842 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,842 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,858 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2292
2020-03-24 10:17:41,858 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,858 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,858 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,858 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,858 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,858 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,858 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,858 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,858 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2292
2020-03-24 10:17:41,874 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2292
2020-03-24 10:17:41,874 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,874 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,874 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,874 [root] DEBUG: Loader: Injecting process 2292 (thread 2296) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,874 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,874 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,874 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,874 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,874 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2292
2020-03-24 10:17:41,874 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,874 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,874 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,874 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,874 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,890 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,904 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2924
2020-03-24 10:17:41,904 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,904 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,904 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,904 [root] DEBUG: Loader: Injecting process 2924 (thread 3008) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,904 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,904 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,904 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,904 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,904 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2924
2020-03-24 10:17:41,921 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2924
2020-03-24 10:17:41,921 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,936 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,936 [root] DEBUG: Loader: Injecting process 2924 (thread 3008) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,936 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,936 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,936 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,936 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,936 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2924
2020-03-24 10:17:41,936 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,936 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,936 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,951 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2820
2020-03-24 10:17:41,951 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,951 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,951 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,951 [root] DEBUG: Loader: Injecting process 2820 (thread 2716) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,951 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,951 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,951 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,951 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,951 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2820
2020-03-24 10:17:41,967 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2820
2020-03-24 10:17:41,967 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,967 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,983 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,983 [root] DEBUG: Loader: Injecting process 2820 (thread 2716) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,983 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,983 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,983 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:41,983 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,983 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2820
2020-03-24 10:17:41,983 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:41,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:41,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:41,983 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:41,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:41,983 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:41,999 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2652
2020-03-24 10:17:41,999 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:41,999 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:41,999 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:41,999 [root] DEBUG: Loader: Injecting process 2652 (thread 532) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,999 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:41,999 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,999 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:41,999 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:41,999 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2652
2020-03-24 10:17:42,013 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2652
2020-03-24 10:17:42,013 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,013 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,013 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,013 [root] DEBUG: Loader: Injecting process 2652 (thread 532) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,013 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,013 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,013 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,013 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,013 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2652
2020-03-24 10:17:42,029 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,029 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,029 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,029 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,029 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,029 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,046 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2128
2020-03-24 10:17:42,046 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,046 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,046 [root] DEBUG: Loader: Injecting process 2128 (thread 2068) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,046 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,046 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,046 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,046 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,046 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2128
2020-03-24 10:17:42,061 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2128
2020-03-24 10:17:42,061 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,061 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,061 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,061 [root] DEBUG: Loader: Injecting process 2128 (thread 2068) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,061 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,061 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,061 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,061 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,076 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2128
2020-03-24 10:17:42,076 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,076 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,076 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,076 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,076 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,076 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,092 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 512
2020-03-24 10:17:42,092 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,092 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,092 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,092 [root] DEBUG: Loader: Injecting process 512 (thread 2180) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,092 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,092 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,092 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,092 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,092 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 512
2020-03-24 10:17:42,108 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 512
2020-03-24 10:17:42,108 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,108 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,108 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,108 [root] DEBUG: Loader: Injecting process 512 (thread 2180) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,108 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,108 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,108 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,108 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,108 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 512
2020-03-24 10:17:42,108 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,108 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,108 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,124 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 844
2020-03-24 10:17:42,124 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,124 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,124 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,124 [root] DEBUG: Loader: Injecting process 844 (thread 2308) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,124 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,124 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,124 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,124 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,124 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 844
2020-03-24 10:17:42,138 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 844
2020-03-24 10:17:42,138 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,138 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,138 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,138 [root] DEBUG: Loader: Injecting process 844 (thread 2308) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,138 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,138 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,138 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,138 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,138 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 844
2020-03-24 10:17:42,154 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,154 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,154 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,170 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2896
2020-03-24 10:17:42,170 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,170 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,170 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,170 [root] DEBUG: Loader: Injecting process 2896 (thread 3012) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,170 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,170 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,170 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,170 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,170 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2896
2020-03-24 10:17:42,186 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2896
2020-03-24 10:17:42,186 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,186 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,186 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,186 [root] DEBUG: Loader: Injecting process 2896 (thread 3012) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,186 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,186 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,186 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,186 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,186 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2896
2020-03-24 10:17:42,186 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,186 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,186 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,186 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,186 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,186 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,201 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2816
2020-03-24 10:17:42,201 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,201 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,201 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,201 [root] DEBUG: Loader: Injecting process 2816 (thread 1728) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,201 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,201 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,201 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,201 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,201 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2816
2020-03-24 10:17:42,217 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2816
2020-03-24 10:17:42,217 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,217 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,217 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,217 [root] DEBUG: Loader: Injecting process 2816 (thread 1728) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,217 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,217 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,217 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,217 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,217 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2816
2020-03-24 10:17:42,217 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,217 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,217 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,247 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2092
2020-03-24 10:17:42,247 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,247 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,247 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,247 [root] DEBUG: Loader: Injecting process 2092 (thread 2148) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,247 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,247 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,247 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,247 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,247 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2092
2020-03-24 10:17:42,263 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2092
2020-03-24 10:17:42,263 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,263 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,263 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,263 [root] DEBUG: Loader: Injecting process 2092 (thread 2148) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,263 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,263 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,263 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,263 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,263 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2092
2020-03-24 10:17:42,263 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,263 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,263 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,279 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2288
2020-03-24 10:17:42,279 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,279 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,279 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,279 [root] DEBUG: Loader: Injecting process 2288 (thread 2228) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,279 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,279 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,279 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,279 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,279 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2288
2020-03-24 10:17:42,295 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2288
2020-03-24 10:17:42,295 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,295 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,295 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,295 [root] DEBUG: Loader: Injecting process 2288 (thread 2228) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,295 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,295 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,295 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,295 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,295 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2288
2020-03-24 10:17:42,295 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,295 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,295 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,295 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,295 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,295 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,311 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 856
2020-03-24 10:17:42,311 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,311 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,311 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,311 [root] DEBUG: Loader: Injecting process 856 (thread 596) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,311 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,311 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,311 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,311 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,311 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 856
2020-03-24 10:17:42,325 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 856
2020-03-24 10:17:42,325 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,325 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,325 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,325 [root] DEBUG: Loader: Injecting process 856 (thread 596) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,325 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,325 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,325 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,325 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,325 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 856
2020-03-24 10:17:42,325 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,325 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,325 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,325 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,325 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,325 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,342 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2844
2020-03-24 10:17:42,342 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,342 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,342 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,342 [root] DEBUG: Loader: Injecting process 2844 (thread 2900) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,342 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,342 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,342 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,342 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,342 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2844
2020-03-24 10:17:42,358 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2844
2020-03-24 10:17:42,358 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,358 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,358 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,358 [root] DEBUG: Loader: Injecting process 2844 (thread 2900) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,358 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,358 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,358 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,358 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,358 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2844
2020-03-24 10:17:42,358 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,358 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,358 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,372 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,372 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,372 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,388 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2200
2020-03-24 10:17:42,388 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,388 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,388 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,388 [root] DEBUG: Loader: Injecting process 2200 (thread 732) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,388 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,388 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,388 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,388 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,388 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2200
2020-03-24 10:17:42,404 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2200
2020-03-24 10:17:42,404 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,404 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,404 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,404 [root] DEBUG: Loader: Injecting process 2200 (thread 732) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,404 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,404 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,404 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,404 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,404 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2200
2020-03-24 10:17:42,404 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,404 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,404 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,404 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,404 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,404 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,420 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2668
2020-03-24 10:17:42,420 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,420 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,420 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,420 [root] DEBUG: Loader: Injecting process 2668 (thread 2096) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,420 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,420 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,420 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,420 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,420 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2668
2020-03-24 10:17:42,436 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2668
2020-03-24 10:17:42,436 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,436 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,436 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,436 [root] DEBUG: Loader: Injecting process 2668 (thread 2096) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,436 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,436 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,436 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,436 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,436 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2668
2020-03-24 10:17:42,436 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,436 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,436 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,436 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,436 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,436 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,450 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1776
2020-03-24 10:17:42,450 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,450 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,450 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,450 [root] DEBUG: Loader: Injecting process 1776 (thread 2324) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,450 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,450 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,450 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,450 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,450 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1776
2020-03-24 10:17:42,467 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1776
2020-03-24 10:17:42,467 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,467 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,467 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,467 [root] DEBUG: Loader: Injecting process 1776 (thread 2324) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,467 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,467 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,467 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,467 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,467 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1776
2020-03-24 10:17:42,467 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,467 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,467 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,482 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2640
2020-03-24 10:17:42,482 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,482 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,482 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,482 [root] DEBUG: Loader: Injecting process 2640 (thread 2376) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,482 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,482 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,482 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,482 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,482 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2640
2020-03-24 10:17:42,497 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2640
2020-03-24 10:17:42,497 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,497 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,497 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,497 [root] DEBUG: Loader: Injecting process 2640 (thread 2376) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,497 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,497 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,497 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,497 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,497 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2640
2020-03-24 10:17:42,497 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,497 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,513 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,513 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,513 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,513 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,529 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2884
2020-03-24 10:17:42,529 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,529 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,529 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,529 [root] DEBUG: Loader: Injecting process 2884 (thread 2728) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,529 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,529 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,529 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,529 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,529 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2884
2020-03-24 10:17:42,545 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2884
2020-03-24 10:17:42,545 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,545 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,545 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,545 [root] DEBUG: Loader: Injecting process 2884 (thread 2728) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,545 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,545 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,545 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,545 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,545 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2884
2020-03-24 10:17:42,545 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,559 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,559 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,575 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1924
2020-03-24 10:17:42,575 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,575 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,575 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,575 [root] DEBUG: Loader: Injecting process 1924 (thread 2224) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,575 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,575 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,575 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,575 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,575 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1924
2020-03-24 10:17:42,592 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1924
2020-03-24 10:17:42,592 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,592 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,592 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,592 [root] DEBUG: Loader: Injecting process 1924 (thread 2224) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,592 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,592 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,592 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,592 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,592 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1924
2020-03-24 10:17:42,592 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,592 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,607 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,607 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,607 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,607 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,622 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1500
2020-03-24 10:17:42,622 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,622 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,622 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,622 [root] DEBUG: Loader: Injecting process 1500 (thread 1672) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,622 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,622 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,622 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,622 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,622 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1500
2020-03-24 10:17:42,638 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1500
2020-03-24 10:17:42,638 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,638 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,638 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,638 [root] DEBUG: Loader: Injecting process 1500 (thread 1672) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,654 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,654 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,654 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,654 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,654 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1500
2020-03-24 10:17:42,654 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,654 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,654 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,654 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,654 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,654 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,670 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2772
2020-03-24 10:17:42,670 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,670 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,670 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,670 [root] DEBUG: Loader: Injecting process 2772 (thread 2124) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,670 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,670 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,670 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,670 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,670 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2772
2020-03-24 10:17:42,684 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2772
2020-03-24 10:17:42,684 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,684 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,700 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,700 [root] DEBUG: Loader: Injecting process 2772 (thread 2124) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,700 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,700 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,700 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,700 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,700 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2772
2020-03-24 10:17:42,700 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,700 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,700 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,700 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,700 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,700 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,716 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2788
2020-03-24 10:17:42,716 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,716 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,716 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,716 [root] DEBUG: Loader: Injecting process 2788 (thread 2604) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,716 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,716 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,716 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 10:17:42,716 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,716 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2788
2020-03-24 10:17:42,732 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 2788
2020-03-24 10:17:42,732 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-03-24 10:17:42,732 [lib.api.process] INFO: 32-bit DLL to inject is C:\huqqiyohb\dll\XBaSnV.dll, loader C:\huqqiyohb\bin\QsFbyII.exe
2020-03-24 10:17:42,732 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\ePenqzbfhL.
2020-03-24 10:17:42,732 [root] DEBUG: Loader: Injecting process 2788 (thread 2604) with C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,732 [root] DEBUG: Process image base: 0x00400000
2020-03-24 10:17:42,732 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,732 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-03-24 10:17:42,732 [root] DEBUG: Successfully injected DLL C:\huqqiyohb\dll\XBaSnV.dll.
2020-03-24 10:17:42,732 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2788
2020-03-24 10:17:42,732 [root] DEBUG: NtTerminateProcess hook: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:17:42,732 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:17:42,732 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:17:42,732 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy -nan(ind).
2020-03-24 10:17:42,732 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:17:42,747 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:17:42,763 [root] INFO: Announced 32-bit process name: odwPGonj3s3D.exe pid: 1676
2020-03-24 10:18:03,869 [root] ERROR: Traceback (most recent call last):
  File "C:\huqqiyohb\analyzer.py", line 720, in run
    res = proc.inject(INJECT_QUEUEUSERAPC, interest)
  File "C:\huqqiyohb\lib\api\process.py", line 565, in inject
    self.write_monitor_config(interest, nosleepskip)
  File "C:\huqqiyohb\lib\api\process.py", line 486, in write_monitor_config
    LOGSERVER_POOL[logserver_path] = LogServer(self.config.ip, self.config.port, logserver_path)
  File "C:\huqqiyohb\lib\core\log.py", line 117, in __init__
    logserver = LogServerThread(h_pipe, result_ip, result_port)
  File "C:\huqqiyohb\lib\core\log.py", line 41, in __init__
    self.resultserver_socket.connect((self.resultserver_ip, self.resultserver_port))
  File "C:\Python27\lib\socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
error: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
2020-03-24 10:20:57,029 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2020-03-24 10:20:57,029 [root] INFO: Created shutdown mutex.
2020-03-24 10:20:58,043 [lib.api.process] INFO: Terminate event set for process 1328
2020-03-24 10:20:58,043 [root] DEBUG: Terminate Event: Processing tracked regions before shutdown (process 1328).
2020-03-24 10:20:58,043 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00000000.
2020-03-24 10:20:58,043 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00400000.
2020-03-24 10:20:58,043 [root] DEBUG: ProcessImageBase: EP 0x00001254 image base 0x00400000 size 0x0 entropy 5.331891e+00.
2020-03-24 10:20:58,043 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00240000.
2020-03-24 10:20:58,043 [root] DEBUG: ProcessTrackedRegions: Processing region at 0x00420000.
2020-03-24 10:20:58,043 [lib.api.process] INFO: Termination confirmed for process 1328
2020-03-24 10:20:58,043 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1328
2020-03-24 10:20:58,043 [root] INFO: Terminate event set for process 1328.
2020-03-24 10:20:58,043 [root] INFO: Terminating process 1328 before shutdown.
2020-03-24 10:20:58,043 [root] INFO: Waiting for process 1328 to exit.
2020-03-24 10:20:59,058 [root] INFO: Shutting down package.
2020-03-24 10:20:59,058 [root] INFO: Stopping auxiliary modules.
2020-03-24 10:20:59,058 [root] INFO: Finishing auxiliary modules.
2020-03-24 10:20:59,058 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 10:20:59,058 [root] WARNING: File at path "C:\TMydAIS\debugger" does not exist, skip.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2648.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 3032.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2732.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 1988.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2680.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2072.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 1540.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 624.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2656.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 1644.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2724.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 1460.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 996.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 1200.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 1788.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2292.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2924.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2820.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2652.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2128.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 512.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 844.
2020-03-24 10:20:59,058 [root] WARNING: Monitor injection attempted but failed for process 2896.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2816.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2092.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2288.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 856.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2844.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2200.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2668.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 1776.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2640.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2884.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 1924.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 1500.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2772.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 2788.
2020-03-24 10:20:59,073 [root] WARNING: Monitor injection attempted but failed for process 1676.
2020-03-24 10:20:59,073 [root] INFO: Analysis completed.

MalScore

6.0

Suspicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2020-03-24 10:17:22
Shutdown On 2020-03-24 10:21:30

File Details

File Name 2dbbdb7d2ab48baacd482d2002a4438fdc62bafed134cf0548004fa2141934fa
File Size 57344 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f5e1972586f13a16874531fec7b738c7
SHA1 23ab7324a815964c0c0ec17bd1bbb18bd42be512
SHA256 2dbbdb7d2ab48baacd482d2002a4438fdc62bafed134cf0548004fa2141934fa
SHA512 6751cb3e1666d58f569bfb4ba09204ba5c299bffb058cf748c0292f2e9c662f8db9bbf1ce55e805b1d6529ac65544a0bda6708f2df3d33ca9aa99cc06dee81d4
CRC32 B4641874
Ssdeep 768:sK0avuIWN/uYWtUSQxlIZqyfX47c2CUXzMuZps5:sKHtCvuUSQxlMqyf4clUXzMuZK5
TrID
  • 42.7% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 19.2% (.EXE) OS/2 Executable (generic) (2029/13)
  • 18.9% (.EXE) Generic Win/DOS Executable (2002/3)
  • 18.9% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 1328 triggered the Yara rule 'HeavensGate'
Hit: PID 1328 triggered the Yara rule 'shellcode_patterns'
Hit: PID 1328 triggered the Yara rule 'shellcode_get_eip'
Hit: PID 1328 triggered the Yara rule 'shellcode_peb_parsing'
NtSetInformationThread: attempt to hide thread from debugger
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: SXS.DLL/SxsOleAut32MapIIDOrCLSIDToTypeLibrary
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: kernel32.dll/GetCalendarInfoW
CAPE extracted potentially suspicious content
odwPGonj3s3D.exe: Extracted Shellcode
odwPGonj3s3D.exe: Extracted Shellcode
Behavioural detection: Injection (inter-process)

Hosts

No hosts contacted.

DNS

No domains contacted.
Summary

C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe.cfg
C:\Windows\sysnative\C_932.NLS
C:\Windows\sysnative\C_949.NLS
C:\Windows\sysnative\C_950.NLS
C:\Windows\sysnative\C_936.NLS
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\msvbvm60.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
\Device\KsecDD
C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\msvbvm60.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Codepage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\odwPGonj3s3D.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\odwPGonj3s3D.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000809
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
DisableUserModeCallbackFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\932
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\949
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\936
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
cryptbase.dll.SystemFunction036
oleaut32.dll.OleLoadPictureEx
oleaut32.dll.DispCallFunc
oleaut32.dll.LoadTypeLibEx
oleaut32.dll.UnRegisterTypeLib
oleaut32.dll.CreateTypeLib2
oleaut32.dll.VarDateFromUdate
oleaut32.dll.VarUdateFromDate
oleaut32.dll.GetAltMonthNames
oleaut32.dll.VarNumFromParseNum
oleaut32.dll.VarParseNumFromStr
oleaut32.dll.VarDecFromR4
oleaut32.dll.VarDecFromR8
oleaut32.dll.VarDecFromDate
oleaut32.dll.VarDecFromI4
oleaut32.dll.VarDecFromCy
oleaut32.dll.VarR4FromDec
oleaut32.dll.GetRecordInfoFromTypeInfo
oleaut32.dll.GetRecordInfoFromGuids
oleaut32.dll.SafeArrayGetRecordInfo
oleaut32.dll.SafeArraySetRecordInfo
oleaut32.dll.SafeArrayGetIID
oleaut32.dll.SafeArraySetIID
oleaut32.dll.SafeArrayCopyData
oleaut32.dll.SafeArrayAllocDescriptorEx
oleaut32.dll.SafeArrayCreateEx
oleaut32.dll.VarFormat
oleaut32.dll.VarFormatDateTime
oleaut32.dll.VarFormatNumber
oleaut32.dll.VarFormatPercent
oleaut32.dll.VarFormatCurrency
oleaut32.dll.VarWeekdayName
oleaut32.dll.VarMonthName
oleaut32.dll.VarAdd
oleaut32.dll.VarAnd
oleaut32.dll.VarCat
oleaut32.dll.VarDiv
oleaut32.dll.VarEqv
oleaut32.dll.VarIdiv
oleaut32.dll.VarImp
oleaut32.dll.VarMod
oleaut32.dll.VarMul
oleaut32.dll.VarOr
oleaut32.dll.VarPow
oleaut32.dll.VarSub
oleaut32.dll.VarXor
oleaut32.dll.VarAbs
oleaut32.dll.VarFix
oleaut32.dll.VarInt
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarRound
oleaut32.dll.VarCmp
oleaut32.dll.VarDecAdd
oleaut32.dll.VarDecCmp
oleaut32.dll.VarBstrCat
oleaut32.dll.VarCyMulI4
oleaut32.dll.VarBstrCmp
ole32.dll.CoCreateInstanceEx
ole32.dll.CLSIDFromProgIDEx
sxs.dll.SxsOleAut32MapIIDOrCLSIDToTypeLibrary
user32.dll.GetSystemMetrics
user32.dll.MonitorFromWindow
user32.dll.MonitorFromRect
user32.dll.MonitorFromPoint
user32.dll.EnumDisplayMonitors
user32.dll.GetMonitorInfoA
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetTextExtentExPointWPri
kernel32.dll.NlsGetCacheUpdateCount
kernel32.dll.GetCalendarInfoW
"C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe"
Local\MSCTF.Asm.MutexDefault1

PE Information

Image Base 0x00400000
Entry Point 0x00401254
Reported Checksum 0x0001026d
Actual Checksum 0x0001026d
Minimum OS Version 4.0
Compile Time 2011-12-01 10:09:23
Import Hash 59e83e8f552788c1b95a5475717e75a8

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x0000a7c8 0x0000b000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.88
.data 0x0000c000 0x00000b18 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0000d000 0x000008b0 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.86

Imports

Library MSVBVM60.DLL:
0x401000 _CIcos
0x401004 _adj_fptan
0x401008 __vbaFreeVar
0x40100c __vbaStrVarMove
0x401010 __vbaFreeVarList
0x401014 _adj_fdiv_m64
0x401018 __vbaFreeObjList
0x40101c _adj_fprem1
0x401020 __vbaStrCat
0x401028 _adj_fdiv_m32
0x40102c None
0x401030 None
0x401034 None
0x401038 _adj_fdiv_m16i
0x40103c _adj_fdivr_m16i
0x401040 __vbaFpR8
0x401044 _CIsin
0x401048 None
0x40104c __vbaChkstk
0x401050 EVENT_SINK_AddRef
0x401054 None
0x401058 __vbaStrCmp
0x40105c None
0x401060 _adj_fpatan
0x401064 None
0x401068 EVENT_SINK_Release
0x40106c None
0x401070 _CIsqrt
0x401078 __vbaExceptHandler
0x40107c None
0x401080 _adj_fprem
0x401084 _adj_fdivr_m64
0x401088 __vbaFPException
0x40108c _CIlog
0x401090 None
0x401094 __vbaNew2
0x401098 _adj_fdiv_m32i
0x40109c _adj_fdivr_m32i
0x4010a0 __vbaVarSetObj
0x4010a4 _adj_fdivr_m32
0x4010a8 _adj_fdiv_r
0x4010ac None
0x4010b0 __vbaVarDup
0x4010b4 __vbaFpI2
0x4010b8 _CIatan
0x4010bc __vbaStrMove
0x4010c0 None
0x4010c4 _allmul
0x4010c8 _CItan
0x4010cc _CIexp
0x4010d0 __vbaFreeObj
0x4010d4 __vbaFreeStr

.text
`.data
.rsrc
MSVBVM60.DLL
Raastoffo8
VB5!6&*
Pumpsmante
Raastoffo8
Raastoffo8
Antiep8
arbour
wemind
Trans
Raastoffo8
kanukal
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Vierte2
Aromatis8
Agtende2
Indiff7
Oldtidsku
Deduct7
VBA6.DLL
__vbaFreeObjList
__vbaVarSetObj
__vbaStrCat
__vbaFreeVarList
__vbaFpR8
__vbaStrVarMove
__vbaFreeStr
__vbaFpI2
__vbaStrMove
__vbaFreeObj
__vbaVarDup
__vbaFreeVar
__vbaHresultCheckObj
__vbaNew2
__vbaStrCmp
Antiep8
REFERENCE
REFERENCE
Vierte2
RAAVILD
Agtende2
Byrindep
Oldtidsku
HYDROGENIS
Deduct7
TODDI
Indiff7
Granumtemp
kanukal
Aromatis8
gggggggggggggggggggggggggggggggggggggggggggggggggg(
gqqqgdddg```gmmmgiiig
gyrzgggggggggggggfffgcccgaaagmmmgjlmg(
DONg}~~guuugnoog
g_'+gggggggggggggGCMgZ?
E^'7{{{gHS\g*0
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
_adj_fprem1
__vbaStrCat
__vbaHresultCheckObj
_adj_fdiv_m32
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaFpR8
_CIsin
__vbaChkstk
EVENT_SINK_AddRef
__vbaStrCmp
_adj_fpatan
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
_adj_fprem
_adj_fdivr_m64
__vbaFPException
_CIlog
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaVarSetObj
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarDup
__vbaFpI2
_CIatan
__vbaStrMove
_allmul
_CItan
_CIexp
__vbaFreeObj
__vbaFreeStr
angivelsesenhedfortrsteleavewidegapst
Reducementhidebehindgrubesturistbus1
entremes
Bouboustuppelb
Besvaerliglnne
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
040904B0
ProductName
Raastoffo8
FileVersion
ProductVersion
InternalName
Pumpsmante
OriginalFilename
Pumpsmante.exe
This file is not on VirusTotal.

Process Tree


odwPGonj3s3D.exe, PID: 1328, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe
Command Line: "C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Type Extracted Shellcode
Size 40960 bytes
Virtual Address 0x00240000
Process odwPGonj3s3D.exe
PID 1328
Path C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe
MD5 1788f9f8545675ad07b7d92e60f50f6d
SHA1 3663bf898bf65fe4be6c69e19d90303ee4d9db10
SHA256 012923cb0d427b1f5e9ba1c8a931a5ccd4ba45942aec4786f89be25ad0ed4604
CRC32 E11CB357
Ssdeep 192:ezlZwJw4R8Zc2yRLugOJ2cUUj4B701ZG0cY0jTd2KO9Lu7CWmSjl9Fkzp3l/b7Uo:ezYRF2yRR15Uj4B7017cdO67nUddUo
Yara None matched
CAPE Yara None matched
Type Extracted Shellcode
Size 32768 bytes
Virtual Address 0x00420000
Process odwPGonj3s3D.exe
PID 1328
Path C:\Users\user\AppData\Local\Temp\odwPGonj3s3D.exe
MD5 019075fc28a82468bc0b6a1572eb2b3c
SHA1 6cc8ccbf31f0128e40c654c3b04b3df7446f8c91
SHA256 195e1aa0f23396385e622a35582b35c660db9a6a4ae3c7d43d57249e91288660
CRC32 F2C2D071
Ssdeep 192:ciVW+NrM0M1iFLLctMoANRi2N6ry+WmkYwSDZLFdl5IISXxm:zMiFL4GPz6ry+W4wihl
Yara
  • HeavensGate - Heaven's Gate: Switch from 32-bit to 64-mode
  • shellcode_patterns - Matched shellcode byte patterns
  • shellcode_get_eip - Match x86 that appears to fetch $PC.
  • shellcode_peb_parsing - Match x86 that appears to manually traverse the TEB/PEB/LDR data.
CAPE Yara None matched
Sorry! No process dumps.

Processing ( 0.581 seconds )

  • 0.156 BehaviorAnalysis
  • 0.133 CAPE
  • 0.11 TrID
  • 0.072 TargetInfo
  • 0.054 Static
  • 0.036 Deduplicate
  • 0.007 AnalysisInfo
  • 0.007 NetworkAnalysis
  • 0.005 Strings
  • 0.001 Debug

Signatures ( 0.124 seconds )

  • 0.012 antiav_detectreg
  • 0.009 infostealer_ftp
  • 0.008 ransomware_files
  • 0.007 stealth_timeout
  • 0.005 NewtWire Behavior
  • 0.005 api_spamming
  • 0.005 InjectionCreateRemoteThread
  • 0.005 decoy_document
  • 0.004 injection_createremotethread
  • 0.004 antidbg_windows
  • 0.004 antianalysis_detectreg
  • 0.004 browser_security
  • 0.004 infostealer_bitcoin
  • 0.003 injection_runpe
  • 0.003 InjectionProcessHollowing
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 disables_browser_warn
  • 0.003 infostealer_im
  • 0.003 ransomware_extensions
  • 0.002 Doppelganging
  • 0.002 antivm_generic_disk
  • 0.002 antianalysis_detectfile
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 antivm_vbox_libs
  • 0.001 InjectionInterProcess
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 stealth_file
  • 0.001 betabot_behavior
  • 0.001 mimics_filetime
  • 0.001 reads_self
  • 0.001 cerber_behavior
  • 0.001 virus
  • 0.001 hancitor_behavior
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 disables_system_restore
  • 0.001 masquerade_process_name

Reporting ( 0.001 seconds )

  • 0.001 CompressResults
Task ID 131478
Mongo ID 5e79df2d22fb4f13386d7162
Cuckoo release 1.3-CAPE